DeFi Deja Vu: $160 Million at Risk in Another Compound Finance Bug

Compound Labs has suffered a second major blow after another bug in the system was discovered. About US$162 million is up for grabs in what is being called the “biggest-ever fund loss in a smart contract incident”.

Another bad day for DeFi staking protocol Compound. ~$162 million up for grabs after an upgrade gone very wrong.

We thought at most 280k comp tokens were at risk. Now it's 490k and counting. 0.5 comp tokens added every ~15 seconds.https://t.co/t9dXnGdHX6 @Mudit__Gupta

— MacKenzie Sigalos (@KenzieSigalos) October 3, 2021

The Hits Just Keep Coming

The hits just keep coming for popular DeFi staking protocol Compound (COMP) after what was supposed to be a routine upgrade went horribly wrong.

This is the second in just a few days to rock the protocol after a bug in COMP’s new Proposal 062 led to an over-distribution of around US$80 million worth of COMP to some of its users. Compound founder Robert Leshner asked users to give the funds back and thanked those who did.

Thank you 0x261f for returning COMP to the community 🙏

— Robert Leshner (@rleshner) October 2, 2021

On October 3, somebody exploited a bug in Compound’s Comptroller contract, part of the protocol that distributes yield farming rewards to users. After calling Compound’s drip () function, the attacker had transferred 202,472 COMP, worth US$68 million, from Compound’s reservoir to its Comptroller.

Since a tweet about the bug by Banteg, a core developer at Yearn.Finance, the Comptroller pool has been drained of about 64,997 COMP (US$21.5 million).

It appears my estimate was low because of stale data in accruedComp. Four users managed to claim $21.5m so far, so maybe there are more funds at risk. I don't know of a quick way to check all addresses. pic.twitter.com/IOHRby8nni

— banteg (@bantg) October 3, 2021

Bug Takes Seven Days to Correct

On October 1, Leshner tweeted that the amount of COMP tokens that could be accidentally distributed would be limited to 280,000 comp tokens, worth about US$92.6 million, but revealed on Sunday that more were at risk.

This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far (THANK YOU 🙏).

— Robert Leshner (@rleshner) October 3, 2021

Leshner revealed that the Comptroller pool, already emptied once, had been replenished, thereby exposing a further 202,472.5 COMP tokens worth around US$66.9 million.

Total carnage has been avoided as the pool of cash exposed has a limited amount of tokens. The problem, however, is that the pool is replenished with cash at a rate of 0.5 comp tokens added every 15 seconds.

When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users.

— Robert Leshner (@rleshner) October 3, 2021

Leshner tweeted that when the drip () function was called on October 3, it sent a backlog of 202,472.5 COMP (about two months of COMP since the function was last called) into the protocol to distribute to users.

The community developers were hoping that Proposals 63 or 64 would go into effect before that happened, but because of the way in which Compound’s governance is structured the bug would take seven days to correct.  

Bugs, Bugs and More Bugs

For many crypto users, DeFi is becoming synonymous with bugs and hacks. Recently a bug was found on NFT marketplace OpenSea which destroyed 42 NFTs worth an estimated US$130,000. The bug was discovered when Nick Johnson, lead developer of Ethereum Name Server (ENS), tried to transfer an ENS name to one of his personal accounts, but it ended up in an unused burn address.

Earlier this month, the Avalanche blockchain also suffered its first hack. Zabu Finance, a DeFi project that runs on the chain, was exploited for US$3.3 million after a hacker identified a bug in the contract used by yield farms to distribute rewards. Zabu’s price quickly plummeted to zero.