Compound Contract Bug Keeps Infesting Before Fix Can be Implemented

fused funds are at risk of being exploited as well. Yesterday, an address showed a transfer of some 4.8m, and another one nearly USD 12m.

It turns out that this ability to add funds to the compromised contract has been known, but it was apparently decided to keep it a secret.

yearn.finance (YFI) core contributor ‘banteg’ alleged that “this was known for a few days now, but there is no possible mitigation, so the plan was to keep shush and hope nobody discovers it for a week.”

Compound Labs' October 2 tweet announced a new proposal that "patches the bug introduced" by the proposal that caused it, and "resumes the COMP distribution for the majority of users." It seems that the team behind the protocol was hoping that nobody would use this ability until the two proposals that followed the faulty one had been implemented on October 7.

In response, Robert Leshner, Founder of Compound Labs, said that the Reservoir contract holds the majority of COMP reserved for users, and that it drips 0.50 COMP/block into the protocol. “Nobody had called the function in weeks, and community developers were hopeful that Proposal 63 or 64 (in governance) could go into effect before it was called.”

So what had happened, per the founder, is that when somebody did call this "drip function" on Sunday morning, it sent the entire backlog of COMP 202,472.5 – or some two months of COMP since the last time the function was called – into the protocol for distribution to users.
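To make the drip mechanism Leshner describes concrete, here is a small Python model of a block-based token reservoir. This is an added example written for this page, not Compound's own contract code: the structure (a fixed per-block rate, a running "dripped" counter, and a permissionless drip call capped at the reservoir balance) is assumed for illustration, as are the balances, block counts and the anomaly threshold; only the 0.50 COMP/block rate and the 202,472.5 COMP backlog come from the article. The monitoring helper at the end shows the kind of check an operator could run on drip events to catch an unusually large release.

```python
"""Model of a per-block token reservoir with a permissionless drip() call.

Added example, not code from Compound Labs or the article. Names, balances,
block counts and the alert threshold are assumed; the 0.5 COMP/block rate
and the 202,472.5 COMP backlog are the figures quoted in the article.
"""
from dataclasses import dataclass

COMP_PER_BLOCK = 0.5  # drip rate quoted in the article


@dataclass
class Reservoir:
    drip_rate: float            # tokens released per block
    drip_start: int             # block at which dripping began
    balance: float              # tokens still held by the reservoir
    dripped: float = 0.0        # cumulative tokens already forwarded
    target_balance: float = 0.0 # tokens received by the downstream contract

    def accrued(self, block: int) -> float:
        """Tokens entitled to be released up to `block` but not yet forwarded."""
        total_entitled = self.drip_rate * (block - self.drip_start)
        return total_entitled - self.dripped

    def drip(self, block: int) -> float:
        """Forward everything accrued so far, capped at the reservoir balance.

        Anyone may call this; the amount moved depends only on how many blocks
        have elapsed since the previous call, so a long gap between calls
        produces one large transfer instead of many small ones.
        """
        to_drip = min(self.balance, self.accrued(block))
        if to_drip <= 0:
            return 0.0
        self.balance -= to_drip
        self.dripped += to_drip
        self.target_balance += to_drip
        return to_drip


def blocks_for_backlog(backlog: float, rate: float) -> int:
    """How many blocks of silence produce a given backlog at a fixed rate."""
    return round(backlog / rate)


def is_anomalous_drip(amount: float, rate: float, max_blocks: int) -> bool:
    """Flag a single drip that releases more than `max_blocks` worth of tokens.

    An operator watching drip events would alert on this; the threshold is an
    assumed operational choice, not something the protocol enforces.
    """
    return amount > rate * max_blocks


def demo() -> float:
    # Constructed scenario: nobody calls drip() for roughly two months.
    reservoir = Reservoir(drip_rate=COMP_PER_BLOCK, drip_start=0, balance=1_000_000.0)
    silent_blocks = blocks_for_backlog(202_472.5, COMP_PER_BLOCK)  # 404,945 blocks
    moved = reservoir.drip(silent_blocks)  # the whole backlog lands in one transaction
    week_of_blocks = 45_500  # assumed: ~6,500 blocks/day * 7
    if is_anomalous_drip(moved, COMP_PER_BLOCK, week_of_blocks):
        print(f"ALERT: drip of {moved:,.1f} COMP exceeds one week of accrual")
    return moved


if __name__ == "__main__":
    demo()
```

Calling `drip()` a second time at the same block moves nothing, since the `dripped` counter already accounts for every block elapsed; the size of any one transfer is therefore set entirely by how long the function went uncalled.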

And while c. COMP 117,000 (USD 37.28m) had been returned by the time of the post, in total some COMP 490,000 (USD 156.12m) were reported as vulnerable.

This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far (THANK YOU 🙏).

— Robert Leshner (@rleshner) October 3, 2021

As reported, Compound Finance passed and executed a proposal last week, but soon found out that due to a bug in a smart contract, users were able to claim millions in COMP rewards, with some USD 82m impacted at the time.

A couple of days later, Leshner tweeted what was largely perceived as a threat of doxing those who don’t return the claimed COMP, as well as a poor move on his part, which he followed with an apology after receiving heavy backlash.

At 10:42 UTC, COMP is trading at USD 318. It’s down 6% in a day and 9% in a week.