DeFi Deja Vu: $160 Million at Risk in Another Compound Finance Bug

October 05, 2021, 10:45 AM AEST

Compound Labs has suffered a second major blow after another bug in the system was discovered. About US$162 million is up for grabs in what is being called the “biggest-ever fund loss in a smart contract incident”.

The Hits Just Keep Coming

The hits just keep coming for popular DeFi staking protocol Compound (COMP) after what was supposed to be a routine upgrade went horribly wrong.

This is the second bug in just a few days to rock the protocol, after a bug in COMP’s new Proposal 062 led to an over-distribution of around US$80 million worth of COMP to some of its users. Compound founder Robert Leshner asked users to give the funds back and thanked those who did.

On October 3, somebody exploited a bug in Compound’s Comptroller contract, the part of the protocol that distributes yield farming rewards to users. After calling Compound’s drip() function, the attacker had transferred 202,472 COMP, worth US$68 million, from Compound’s reservoir to its Comptroller.

Since a tweet about the bug by Banteg, a core developer at Yearn.Finance, the Comptroller pool has been drained of about 64,997 COMP (US$21.5 million).

Bug Takes Seven Days to Correct

On October 1, Leshner tweeted that the amount of COMP that could be accidentally distributed would be limited to 280,000 COMP tokens, worth about US$92.6 million, but revealed on Sunday that more were at risk.

Leshner revealed that the Comptroller pool, already emptied once, had been replenished, thereby exposing a further 202,472.5 COMP tokens worth around US$66.9 million.

Total carnage has been avoided because the exposed pool holds only a limited number of tokens. The problem, however, is that the pool is replenished at a rate of 0.5 COMP tokens every 15 seconds.

Leshner tweeted that when the drip() function was called on October 3, it sent a backlog of 202,472.5 COMP (about two months of COMP accrued since the function was last called) into the protocol to be distributed to users.

The community developers were hoping that Proposal 63 or 64 would go into effect before that happened, but because of the way in which Compound’s governance is structured, the bug would take seven days to correct.
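To make the replenishment mechanism concrete, here is an added Python model (not Compound's own code) of a reservoir that accrues tokens at the 0.5 COMP per 15 seconds rate quoted above and pays out the entire backlog the next time drip() is called, then adds up how much more accrues during a seven-day governance delay. The linear per-interval accrual, the cap at the reservoir's remaining balance, and all names are assumptions of this model.

```python
from dataclasses import dataclass

# Rate quoted in the article: 0.5 COMP every 15 seconds.
DRIP_RATE = 0.5
INTERVAL_SECONDS = 15


@dataclass
class Reservoir:
    """Assumed, simplified model of a dripping reservoir.

    Tokens are owed to the target pool at a constant rate from drip_start;
    whatever is owed but not yet paid is transferred in one lump when drip()
    is called, capped by the balance the reservoir still holds.
    """
    balance: float               # COMP still held back in the reservoir
    drip_start: int              # timestamp when accrual began
    dripped: float = 0.0         # total COMP already paid out
    target_balance: float = 0.0  # COMP now sitting in the target (Comptroller-like) pool

    def accrued(self, now: int) -> float:
        """COMP owed but not yet transferred as of time `now`."""
        intervals = max(0, (now - self.drip_start) // INTERVAL_SECONDS)
        owed = intervals * DRIP_RATE - self.dripped
        return min(owed, self.balance)

    def drip(self, now: int) -> float:
        """Move the full backlog to the target pool and return the amount."""
        amount = self.accrued(now)
        self.dripped += amount
        self.balance -= amount
        self.target_balance += amount
        return amount


def accrual_over(seconds: int) -> float:
    """COMP that accrues during a window, e.g. the seven-day governance delay."""
    return (seconds // INTERVAL_SECONDS) * DRIP_RATE


def exposure_during_fix(target_balance: float, delay_days: int = 7) -> float:
    """Upper bound on COMP reachable by a buggy distributor before a fix lands:
    what the target pool already holds plus what drips in during the delay."""
    return target_balance + accrual_over(delay_days * 86400)


if __name__ == "__main__":
    reservoir = Reservoir(balance=1_000_000.0, drip_start=0)
    backlog = reservoir.drip(60 * 86400)  # first drip() call after 60 quiet days
    print(f"backlog moved by one drip() call: {backlog:,.1f} COMP")
    print(f"further accrual over 7 days: {accrual_over(7 * 86400):,.1f} COMP")
    print(f"exposure until fix: {exposure_during_fix(reservoir.target_balance):,.1f} COMP")
```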

Bugs, Bugs and More Bugs

For many crypto users, DeFi is becoming synonymous with bugs and hacks. Recently a bug was found on NFT marketplace OpenSea which destroyed 42 NFTs worth an estimated US$130,000. The bug was discovered when Nick Johnson, lead developer of Ethereum Name Service (ENS), tried to transfer an ENS name to one of his personal accounts, but it ended up in an unused burn address.

Earlier this month, the Avalanche blockchain also suffered its first hack. Zabu Finance, a DeFi project that runs on the chain, was exploited for US$3.3 million after a hacker identified a bug in the contract used by yield farms to distribute rewards. Zabu’s price quickly plummeted to zero.

