DeFi Protocol Bug Mistakenly Rewards Users $80 Million in COMP Tokens

October 02, 2021, 9:45 AM AEST - 2 weeks ago

A bug in Compound (COMP) protocol’s new Proposal 062 has led to an over-distribution of at least US$80 million worth of COMP to some of its users.

Compound Finance (COMP), the lending protocol, reported an incident on September 30 regarding some “unusual activity” with its token distribution after executing Protocol 062, a community-driven update:

According to Protocol founder Robert Leshner, a bug in the update resulted in excessive amounts of COMP being distributed to several users, some of whom were able to claim millions of dollars’ worth of tokens.

The upgrade was designed to “split COMP rewards distribution” from the previous set 50/50 share model, and was fully verified by the community without issues.

Culprit Was Likely a Single Letter Bug

Mudit Gupta, a programmer from SushiSwap, explained that a single letter bug was responsible for the error, causing a reverse rug pull and paying out more rewards than it was supposed to.

Leshner also stated that “the impact is bounded, at worst, 280,000 COMP tokens”, worth over US$85 million at the time of writing. The impacted contract contained only a limited amount of rewards, with the majority sitting in a different reservoir contract.

Patching Under Way, Optional White Hat Rewards

Since COMP aims to run as a decentralised autonomous organisation (DAO), any changes made to the protocol have a seven-day governance process before it can make its way to production. In the meantime, Compound Labs and community members are “evaluating potential steps to patch the COMP distribution”.

Users who return the assets can keep 10 percent as a white hat reward, Leshner added, but whether the lucky recipients choose to return a few million dollars to the platform remains to be seen – although if history is any indication, it is certainly possible.

The Bigger the Jungle, the More Bugs You’ll Find

Since the DeFi boom, one of the major issues protocols have been facing are bugs in the code causing havoc in unexpected ways. In early September, a bug in OpenSea destroyed US$130,000 worth of NFTs on the marketplace.

With code in smart contracts, sometimes the simplest errors can translate into massive problems. Recently, the decentralised exchange DeversiFi had an error in a library that processes decimals, the result of which was paying US$22 million for a $100k deposit transaction.

As the DeFi industry grows and more smart contracts are created as vehicles for both simple and complex transactions, it’s important to remember that some programmer somewhere in the world sat and wrote that code. Using projects with qualified teams, and code audited by a verified third party, is something to look out for, but since the space is so new there will most certainly be kinks to iron out.

Disclaimer: The content and views expressed in the articles are those of the original authors own and are not necessarily the views of Crypto News. We do actively check all our content for accuracy to help protect our readers. This article content and links to external third-parties is included for information and entertainment purposes. It is not financial advice. Please do your own research before participating.