DeFi Protocol Bug Mistakenly Rewards Users $80 Million in COMP Tokens

A bug in Compound (COMP) protocol’s new Proposal 062 has led to an over-distribution of at least US$80 million worth of COMP to some of its users.

Compound Finance (COMP), the lending protocol, reported an incident on September 30 regarding some “unusual activity” with its token distribution after executing Protocol 062, a community-driven update:

🚨 Unusual activity has been reported regarding the distribution of COMP following the execution of Proposal 062.

No supplied/borrowed funds are at risk — Compound Labs and members of the community are investigating discrepancies in the COMP distribution.

— Compound Labs (@compoundfinance) September 29, 2021

According to Protocol founder Robert Leshner, a bug in the update resulted in excessive amounts of COMP being distributed to several users, some of whom were able to claim millions of dollars’ worth of tokens.

The upgrade was designed to “split COMP rewards distribution” from the previous set 50/50 share model, and was fully verified by the community without issues.

Culprit Was Likely a Single Letter Bug

Mudit Gupta, a programmer from SushiSwap, explained that a single letter bug was responsible for the error, causing a reverse rug pull and paying out more rewards than it was supposed to.

A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol.

The new Comptroller contract contains a bug, causing some users to receive far too much COMP. https://t.co/Fy6nLgDqKy

— Robert Leshner (@rleshner) September 30, 2021

Leshner also stated that “the impact is bounded, at worst, 280,000 COMP tokens”, worth over US$85 million at the time of writing. The impacted contract contained only a limited amount of rewards, with the majority sitting in a different reservoir contract.

Patching Under Way, Optional White Hat Rewards

Since COMP aims to run as a decentralised autonomous organisation (DAO), any changes made to the protocol have a seven-day governance process before it can make its way to production. In the meantime, Compound Labs and community members are “evaluating potential steps to patch the COMP distribution”.

Users who return the assets can keep 10 percent as a white hat reward, Leshner added, but whether the lucky recipients choose to return a few million dollars to the platform remains to be seen – although if history is any indication, it is certainly possible.

If you received a large, incorrect amount of COMP from the Compound protocol error:

Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat.

Otherwise, it's being reported as income to the IRS, and most of you are doxxed.

— Robert Leshner (@rleshner) October 1, 2021

The Bigger the Jungle, the More Bugs You’ll Find

Since the DeFi boom, one of the major issues protocols have been facing are bugs in the code causing havoc in unexpected ways. In early September, a bug in OpenSea destroyed US$130,000 worth of NFTs on the marketplace.

With code in smart contracts, sometimes the simplest errors can translate into massive problems. Recently, the decentralised exchange DeversiFi had an error in a library that processes decimals, the result of which was paying US$22 million for a $100k deposit transaction.

As the DeFi industry grows and more smart contracts are created as vehicles for both simple and complex transactions, it’s important to remember that some programmer somewhere in the world sat and wrote that code. Using projects with qualified teams, and code audited by a verified third party, is something to look out for, but since the space is so new there will most certainly be kinks to iron out.