DeFi bug resulted in an $80 million loss for Compound Finance

    03 Oct 2021

    On Wednesday, soon after executing an upgrade that patched minor bugs, Compound Labs reported “unusual activity,” with some users able to get more COMP tokens than allowed. A bug in the code put $80 million worth of COMP at risk of unfair distribution. The incident may lead to a COMP price crash.

    According to CNBC, the Ethereum-based DeFi interest rate protocol Compound Finance launched Proposal 62 this week, introducing two COMP distribution rates for protocol users. However, the new Comptroller contract was deployed with a bug that allows users to borrow certain assets to claim more than their fair share of COMP.

    The upgrade was designed to “split COMP rewards distribution and bug fixes” and was fully verified without issues. However, within hours, the team noted “unusual activity,” stating that “Compound Labs and members of the community are investigating discrepancies in the COMP distribution.”

    The founder of Compound Labs, Robert Leshner, noted that “all supplied assets, borrowed assets, and positions” were unaffected by the bug. Still, he highlighted that 280,000 COMP tokens worth $80 million are at risk of being misrewarded to users. He added that any change to the protocol requires a week-long governance process to make it into production.

    Although a temporary patch for the distribution bug has been proposed, some users have already taken advantage of the exploit. Over 91,000 COMP tokens, worth $27.5 million, were claimed in a single transaction following the discovery. The wallet owner has since swapped most of the tokens received for USDC.

    The sudden spike in sales saw COMP price dip below $290. Although the asset has shown signs of recovery in the last few hours, further selling around the current price levels could lead to significant losses.

    Now, the founder is making a plea and issuing some threats to incentivize the voluntary return of the platform’s crypto tokens.

    “If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it,” Leshner tweeted late Thursday.

    “Keep 10% as a white-hat. Otherwise, it’s being reported as income to the IRS, and most of you are doxxed,” he continued.

    Later, Leshner shared some insight regarding the events:

    “Proposal 62 and the new contract were written by a community member, with review from multiple other community members. This is the greatest opportunity, and greatest risk for a decentralized protocol–that an open development process allows a bug to enter production.”

    Whether reward recipients choose to return many millions of dollars to the platform remains to be seen, though if history is any indication, it is certainly possible.

    “Alchemix [another DeFi protocol] had a similar incident a few months back where they gave out more rewards than intended,” blockchain security researcher Mudit Gupta told CNBC. “Almost everyone who got the extra rewards refunded the extra.”

    However, the difference is that the Alchemix exchange lost just $4.8 million.

    But Gupta remains hopeful. “This makes me optimistic that people will refund most of the COMP tokens, as well, but you can never be sure,” he said.

    As reported in August, the DeFi project Poly Network suffered a $612-million hack in which the hacker stole assets from Ethereum, Binance Chain, and the Polygon Network. It was the biggest heist in DeFi history. However, the suspected hacker later returned all the stolen funds, saying he did it “for fun.”
