DeFi Protocol Bug Mistakenly Rewards Users $80 Million in COMP Tokens
A bug in Compound (COMP) protocol’s new Proposal 062 has led to an over-distribution of at least US$80 million worth of COMP to some of its users.
Compound Finance (COMP), the lending protocol, reported an incident on September 30 regarding some “unusual activity” with its token distribution after executing Proposal 062, a community-driven update.
According to Protocol founder Robert Leshner, a bug in the update resulted in excessive amounts of COMP being distributed to several users, some of whom were able to claim millions of dollars’ worth of tokens.
The upgrade was designed to “split COMP rewards distribution” from the previous set 50/50 share model, and was fully verified by the community without issues.
Culprit Was Likely a Single-Letter Bug
Mudit Gupta, a programmer from SushiSwap, explained that a single-letter bug was responsible for the error, causing a reverse rug pull and paying out more rewards than it was supposed to.
Leshner also stated that “the impact is bounded, at worst, 280,000 COMP tokens”, worth over US$85 million at the time of writing. The impacted contract contained only a limited amount of rewards, with the majority sitting in a different reservoir contract.
Patching Under Way, Optional White Hat Rewards
Since COMP aims to run as a decentralised autonomous organisation (DAO), any change made to the protocol must go through a seven-day governance process before it can make its way to production. In the meantime, Compound Labs and community members are “evaluating potential steps to patch the COMP distribution”.
Users who return the assets can keep 10 percent as a white hat reward, Leshner added, but whether the lucky recipients choose to return a few million dollars to the platform remains to be seen – although if history is any indication, it is certainly possible.
The Bigger the Jungle, the More Bugs You’ll Find
Since the DeFi boom, one of the major issues protocols have been facing is bugs in the code causing havoc in unexpected ways. In early September, a bug in OpenSea destroyed US$130,000 worth of NFTs on the marketplace.
With code in smart contracts, sometimes the simplest errors can translate into massive problems. Recently, the decentralised exchange DeversiFi had an error in a library that processes decimals, the result of which was paying US$22 million for a $100k deposit transaction.
As the DeFi industry grows and more smart contracts are created as vehicles for both simple and complex transactions, it’s important to remember that some programmer somewhere in the world sat and wrote that code. Using projects with qualified teams, and code audited by a verified third party, is something to look out for, but since the space is so new there will most certainly be kinks to iron out.