{"id":1280,"date":"2021-10-04T19:51:41","date_gmt":"2021-10-04T23:51:41","guid":{"rendered":"https:\/\/www.hodlin.com\/blog\/?p=1280"},"modified":"2021-10-04T20:15:02","modified_gmt":"2021-10-05T00:15:02","slug":"compound-bug-opens-up-millions-comp-tokens","status":"publish","type":"post","link":"https:\/\/www.hodlin.com\/blog\/compound-bug-opens-up-millions-comp-tokens","title":{"rendered":"Compound Bug Opens Up $162 Million COMP Tokens for Grabs"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1200\" height=\"675\" src=\"https:\/\/cdn.hodlin.com\/blog\/wp-content\/uploads\/2021\/10\/compound-bug-opens-up-millions-comp-tokens-1200x675.jpg\" alt=\"Compound Bug Opens Up Millions Comp Tokens\" class=\"wp-image-1289\" title=\"\" srcset=\"https:\/\/cdn.hodlin.com\/blog\/wp-content\/uploads\/2021\/10\/compound-bug-opens-up-millions-comp-tokens-1200x675.jpg 1200w, https:\/\/cdn.hodlin.com\/blog\/wp-content\/uploads\/2021\/10\/compound-bug-opens-up-millions-comp-tokens-780x439.jpg 780w, https:\/\/cdn.hodlin.com\/blog\/wp-content\/uploads\/2021\/10\/compound-bug-opens-up-millions-comp-tokens-768x432.jpg 768w, https:\/\/cdn.hodlin.com\/blog\/wp-content\/uploads\/2021\/10\/compound-bug-opens-up-millions-comp-tokens-1536x864.jpg 1536w, https:\/\/cdn.hodlin.com\/blog\/wp-content\/uploads\/2021\/10\/compound-bug-opens-up-millions-comp-tokens-2048x1152.jpg 2048w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption>Compound Bug Opens Up Millions Comp Tokens<\/figcaption><\/figure>\n\n\n\n<p>The first programming rule goes like this: \u201cIf it works, don\u2019t dare touch it.\u201d<\/p>\n\n\n\n<p>While improvements are good to prevent system obsolescence or boredom, changes can, no matter the intention, be bad for business if poorly executed without thorough diligence.<\/p>\n\n\n\n<p>Take, for example, the recent events in Compound.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Compound Bug \/ Exploit<\/h2>\n\n\n\n<p><a 
href=\"https:\/\/www.hodlin.com\/coins\/compound-governance-token\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Compound<\/a> is one of the world\u2019s largest <a href=\"https:\/\/www.hodlin.com\/blog\/what-is-defi-decentralized-finance\">DeFi<\/a> protocols by TVL. It is also one of the oldest, having introduced the idea of yield farming and incentives, which ushered in the era of DeFi excesses.<\/p>\n\n\n\n<p>However, the last few days have been gut-wrenching. Following the introduction of a new interest rate feature under Proposal 062, the protocol has been bleeding valuation and, quite literally, COMP tokens because, apparently, the new upgrade had a bug.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Proposal 62 and the new contract were written by a community member, with review from multiple other community members.<br><br>This is the greatest opportunity, and greatest risk for a decentralized protocol&#8211;that an open development process allows a bug to enter production.<\/p>&mdash; Robert Leshner (@rleshner) <a href=\"https:\/\/twitter.com\/rleshner\/status\/1443380524567912448?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">September 30, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<p>The bug directly affects reward distribution, so the dApp pays out COMP to users more or less at random. While it has been tipping users with an extraordinary number of rewards, there have been (reputational) losses, especially for the developer, Compound Labs.<\/p>\n\n\n\n<p>To understand what the error is, we must cycle back to the beginning. Proposal 062 was meant to split COMP distribution between liquidity providers (lenders) and borrowers dynamically, based on on-chain governance ratios, moving away from the 50\/50 split of the previous model.<\/p>\n\n\n\n<p>After all, DeFi is dynamic, not static.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">But There Was a Problem<\/h2>\n\n\n\n<p>After the upgrade, a flaw in the Comptroller Contract allowed some users to claim disproportionate amounts of COMP. Although the contract contains 490k COMP (with 0.5 COMP being added every 15 seconds, according to the developer), a \u201crelief\u201d that could limit the damage, Compound Labs will have to work harder to convince its community in the months ahead.<\/p>\n\n\n\n<p>According to Robert Leshner, founder of Compound Labs, there are \u201cno admin controls or community tools to disable the COMP distribution.\u201d Any governance change requires a seven-day wait before making its way into production and execution.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">Going forward, I&#39;m optimistic about the patches making their way through the governance process, which fix the distribution, and the community members that are working to manage this bug.<\/p>&mdash; Robert Leshner (@rleshner) <a href=\"https:\/\/twitter.com\/rleshner\/status\/1444691283793129475?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">October 3, 2021<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Give It Back or Get Doxed<\/h2>\n\n\n\n<p>Agents can still choose to return the wrongly awarded COMP. However, as things stand, the Comptroller Contract may as well be drained by those without a moral compass. There are four addresses that can, at their own volition, claim the over 490k, effectively emptying the Comptroller Contract.<\/p>\n\n\n\n<p>Meanwhile, to save face, Compound Labs is working on a patch to plug the rather painful hole, hopefully by the weekend, as it urges the wrong recipients to return COMP lest they be \u201cdoxed\u201d by the IRS.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The first programming rule goes like this: \u201cIf it works, don\u2019t dare touch it.\u201d While improvements are good to prevent system obsolescence or boredom, changes can, no matter the intention, be bad for business if poorly executed without thorough diligence. Take, for example, the recent events in Compound. 
Compound Bug&#8230; <a class=\"more-link\" href=\"https:\/\/www.hodlin.com\/blog\/compound-bug-opens-up-millions-comp-tokens\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":1289,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[119,110],"class_list":["post-1280","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-bug","tag-compound"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/posts\/1280","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/comments?post=1280"}],"version-history":[{"count":4,"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/posts\/1280\/revisions"}],"predecessor-version":[{"id":1290,"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/posts\/1280\/revisions\/1290"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/media\/1289"}],"wp:attachment":[{"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/media?parent=1280"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/categories?post=1280"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hodlin.com\/blog\/wp-json\/wp\/v2\/tags?post=1280"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}