Compound Finance Suffers Bug Leading To ~$50M Token Distribution
Compound Finance (COMP) has seemingly suffered a token distribution bug after introducing and passing a recent governance vote that addressed rewards distribution, Proposal 62. Shortly thereafter, Compound reported in a tweet that there was unusual behavior regarding COMP distribution following the vote, but that “no supplied/borrowed funds are at risk.”
The funds that are in jeopardy due to the bug sit only in the Comptroller contract, which means that there is a total cap of 280,000 COMP tokens that are at risk. However, that’s still a hefty number, worth over $80M USD at the time of publishing. One transaction was reportedly as high as nearly $30M alone.
Let’s Get Movin’
With governance often comes the lack of immediate action. As Compound Finance CEO and Founder Robert Leshner noted in a tweet discussing the events at hand, “there are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process.”
The Compound team quickly rolled out the initial governance process with Proposal 63 up for review, which temporarily disables COMP distribution rewards while the team and community address the fix for the protocol.
Leshner adds that while Proposal 63 is up for review, “a patch to restart the distribution is in development.” While this gives the team time to address the issue, Proposal 63 does note that all ~280,000 tokens will be at risk.
Leshner has since gone on Twitter asking recipients of mistakenly distributed COMP to return it, with the below tweet:
If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat. Otherwise, it's being reported as income to the IRS, and most of you are doxxed. — Robert Leshner (@rleshner) October 1, 2021
He took a bit of heat for the tweet, and followed up by stating that it was a “bone-headed tweet / approach” and that his intentions lie in “trying to do anything I can do to help the community get some of its COMP back.”
Smart contract specialist Kurt Barry noted just how costly small errors in code can be for blockchain projects:
Smart contracts are unforgiving of the tiniest errors… COMP bug is a tragic case of ">" instead of ">=" (in two code locations). Two characters, tens of millions of value lost. — Kurt Barry (@Kurt_M_Barry) September 30, 2021
Truly a tough set of circumstances for the Compound Finance community; however, many have shown approval of Leshner’s response.
The move is not the first mishap in the rapidly growing world of DeFi. Last month, the Poly Network suffered a hack that cost over $600M USD. In a bit of a bizarre set of circumstances, the Poly hacker returned most of the stolen crypto back to the network. And in the last week, cross-chain DeFi protocol pNetwork lost over $12M USD in tokenized Bitcoin to attackers.