$160M At Risk Due to Bug in DeFi Lending Protocol Compound
Editor's note: This article has been updated with comments from Robert Leshner and Banteg.
A week ago, Compound founder Robert Leshner called a bug in his lending protocol’s smart contract a “moral dilemma.” Perhaps for some, but for others today the smart contracts became a vending machine full of free cash.
Today, someone exploited a bug in Compound’s Comptroller contract, which is the part of the protocol that distributes yield farming rewards to users. By calling Compound’s drip() function, they transferred $68 million, or 202,472 COMP, from Compound’s reservoir to its Comptroller.
Since Banteg, a core developer at Yearn.Finance, tweeted about the exploit earlier this afternoon, four major transactions have drained the Comptroller pool of 64,997 COMP, or $21.4 million. One of those transactions withdrew 37,504 COMP, or $12.3 million. Banteg said that only “addresses with the buggy state can drain” and that there are another five addresses that could claim $45m, “emptying the Comptroller.”
It appears my estimate was low because of stale data in accruedComp. Four users managed to claim $21.5m so far, so maybe there are more funds at risk. I don't know of a quick way to check all addresses. — banteg (@bantg) October 3, 2021
Last week, following an update called Proposal 062, the Comptroller pool started distributing 280,000 COMP to the wrong people. Leshner asked users to give the funds back and thanked anyone who did.
Anyone who returns COMP to the community is an alien giga-chad; and if a squad of alien giga-chads ever summon me, I will appear https://t.co/EZLb7g91Ew — Robert Leshner (@rleshner) October 1, 2021
But because of the way Compound's governance is structured, it takes seven days to correct the error.
Anyone can add more COMP to the Comptroller pool by calling drip(), a public function, but nobody had called it in weeks.
"When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users," tweeted Leshner today.
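The mechanism Leshner describes is a time-based reservoir: tokens become eligible for release at a fixed rate, and each call to the public drip() function forwards everything eligible but not yet released, so a long idle period turns into one large lump. The model below is an added illustration written for this article, not Compound's own code; its rate, balance and timestamps are constructed, and the max_per_call cap is a hypothetical design choice used to show how a per-call bound changes the outcome (the article itself mentions no such mitigation).

```python
from dataclasses import dataclass
from typing import List, Optional

DAY = 86_400  # seconds


@dataclass
class Reservoir:
    """Time-based token reservoir (constructed model, not Compound's code).

    Tokens become eligible at drip_rate per second from drip_start. Every
    drip() call forwards whatever is eligible but not yet released to the
    target, so the amount released grows with the time since the last call.
    """
    drip_rate: float            # tokens per second
    drip_start: int             # unix timestamp when dripping began
    balance: float              # tokens still held by the reservoir
    dripped: float = 0.0        # cumulative tokens already forwarded
    target_balance: float = 0.0  # tokens held by the target (the Comptroller in the article)

    def eligible(self, now: int) -> float:
        # Everything accrued since drip_start, minus what was already forwarded.
        return self.drip_rate * (now - self.drip_start) - self.dripped

    def drip(self, now: int, max_per_call: Optional[float] = None) -> float:
        """Permissionless in the real protocol: anyone may call it at any time.

        max_per_call is a hypothetical mitigation (an assumption, not from the
        article) bounding how much one call can release; the remainder stays
        eligible for later calls because `dripped` only grows by what was sent.
        """
        amount = min(self.eligible(now), self.balance)
        if max_per_call is not None:
            amount = min(amount, max_per_call)
        self.dripped += amount
        self.balance -= amount
        self.target_balance += amount
        return amount


def simulate(call_times: List[int], rate: float, start: int,
             balance: float, max_per_call: Optional[float] = None) -> List[float]:
    """Call drip() at each timestamp in call_times; return the per-call amounts."""
    reservoir = Reservoir(drip_rate=rate, drip_start=start, balance=balance)
    return [reservoir.drip(t, max_per_call) for t in call_times]


def backlog_example():
    """Constructed scenario: 0.5 token/s, 10M tokens in the reservoir.

    drip() is called daily for three days, then nobody calls it for 60 days,
    then a single call arrives. Returns (uncapped amounts, capped amounts).
    """
    rate, start, balance = 0.5, 0, 10_000_000
    calls = [DAY, 2 * DAY, 3 * DAY, 63 * DAY]
    uncapped = simulate(calls, rate, start, balance)
    # Hypothetical cap: at most one week's worth of accrual per call.
    capped = simulate(calls, rate, start, balance, max_per_call=7 * DAY * rate)
    return uncapped, capped


if __name__ == "__main__":
    uncapped, capped = backlog_example()
    print("uncapped per-call release:", uncapped)  # last call forwards the whole 60-day backlog
    print("capped per-call release:  ", capped)    # last call bounded to one week's accrual
```

In the uncapped run the first three calls each release one day's accrual while the fourth releases sixty days' worth in a single transaction, which is the "backlog" Leshner refers to; the capped variant releases the same total eventually but only a bounded amount per call, so a long gap between calls cannot be converted into one large transfer.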
"The drip issue has been known to Compound and the security researchers for a few days now," Banteg told Decrypt, "but since there was no mitigation, it was decided to keep it under wraps hoping nobody would notice until a patch is out."
Community developers hoped that patches would go live before drip() was called, Leshner tweeted today. Banteg called the exploit “the best-kept secret in DeFi.”
This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far (THANK YOU 🙏). — Robert Leshner (@rleshner) October 3, 2021
Leshner said that the total amount of COMP at risk is now approximately 490,000, or $160 million, "of which 136k is still in the Comptroller, and 117k has been returned to the community so far."
Commenting on Banteg's post, crypto trader Christopher Mooney said, “I’m honestly impressed it took this long with the number of people that knew. Restores my faith in humanity a little, but in the end one of you chose chaotic neutral.”
Leshner tweeted, "Going forward, I'm optimistic about the patches making their way through the governance process, which fix the distribution, and the community members that are working to manage this bug." COMP has fallen by 4.6% in the past 24 hours.