Compound Bug Opens Up Millions Comp Tokens

The first programming rule goes like this: “If it works, don’t dare touch it.”

While improvements are good to prevent system obsolescence or boredom, changes can, no matter the intention, be bad for business if poorly executed without thorough diligence.

Take, for example, the recent events in Compound.

Compound Bug / Exploit

Compound is one of the world’s largest DeFi protocols by TVL. It is also one of the oldest, introducing the idea of yield farming and incentives, which ushered in the era of DeFi excesses.

However, the last few days have been gut-wrenching. Following the introduction of a new interest rate feature under Proposal 062, the protocol has been bleeding valuation and, quite literally, COMP tokens because, apparently, the new upgrade had a bug.

The bug rips through the dApp and randomly pays out to other users, as the flaw directly affects reward distribution. While it has been tipping users with an extraordinary number of rewards, there have been (reputational) losses, especially for the developer, Compound Labs.

To understand what the error is, we must cycle back to the beginning. Proposal 062 was meant to split COMP distribution between liquidity providers (lenders) and borrowers dynamically, based on on-chain governance ratios. Thus, it moves away from the 50/50 split of the previous share model.

After all, DeFi is dynamic and not the rot of stasis.

But There Was a Problem

After the upgrade, a flaw in the Comptroller Contract allowed some users to claim disproportionate amounts of COMP. Although the contract contains 490k COMP (with 0.5 COMP being added every 15 seconds, according to the developer), a “relief” that could manage the damage, Compound Labs will need to work harder to convince its community in the months ahead.

According to Robert Leshner, founder of Compound Labs, there are “no admin controls or community tools to disable the COMP distribution.” Any governance change requires a seven-day wait before making its way into production and execution.

Give It Back or Get Doxed

Agents can still choose to return the wrongly awarded COMP. However, as things stand, the Comptroller Contract may as well be drained by those without a moral compass. There are four addresses that can, of their own volition, claim the over 490k, effectively emptying the Comptroller Contract.

Meanwhile, to save face, Compound Labs are working on a patch to plug the rather painful hole, hopefully by the weekend, as they urge the wrong recipients to return COMP lest they be “doxed” by the IRS.