Compound Bug Overpays Millions in COMP

Published 2 years ago on September 30, 2021

Twitter User Spots Unusual COMP Activity
Bug Targets COMP’s Liquidity Distribution Model
Compound Lab Founder Speaks Out

A bug in the latest update to one of Compound’s smart contracts has led to payouts of millions of dollars in liquidity mining rewards.

Twitter User Spots Unusual COMP Activity

Earlier today, the Compound Protocol team tweeted out that the latest Proposal 62 update to the Comptroller smart contract contained a bug, which led to unusual distribution and overpaying of COMP to users. The team also stated that the supplied or borrowed assets were not at risk and that they were investigating all discrepancies in COMP distribution.

Compound’s liquidity mining program pays out rewards at the rate of a single-digit annual percentage yield. Therefore, when Twitter user “napgener” saw three Ethereum transactions showing users receiving a total of $15 million in COMP tokens in exchange for borrowing and supplying tiny quantities of tokens, they flagged the issue as unusual activity.

Bug Targets COMP’s Liquidity Distribution Model

The latest upgrade and the new smart contract were written by a community member to facilitate COMP distribution to liquidity suppliers and borrowers based on governance-set ratios instead of the prior 50-50 share model. The new protocol was also reviewed by multiple community members. However, the bug made its way into the upgraded Comptroller Contract and mistakenly allowed some users to claim as much as about 168,000 COMP tokens already, worth around $50 million.

Ethereum-based liquidity pool Curve Finance retweeted a statement that pointed out the hard trade-off between permissionlessness and taking care of vulnerabilities quickly and discreetly. Curve Finance tweeted,

“Things need to be reeeally well tested when they go more permissionless.”

Compound Lab Founder Speaks Out

According to founder Robert Leshner,

“This is the greatest opportunity, and greatest risk for a decentralized protocol--that an open development process allows a bug to enter production.”

Leshner also clarified that the damage has been contained to 280,000 COMP tokens, which is still worth a whopping $80 million, as the majority of the reward was in a different Reservoir contract address. Furthermore, since there are no admin controls or community tools to disable the COMP distribution, changing the protocol will take 7 days of governance time to finally be implemented.

However, shortly after Leshner’s announcement on Twitter, a single transaction cleaned out 91,000 COMP tokens worth $27 million, with the user paying nothing in crypto-assets and just a $154.77 gas fee. The same wallet then swapped $140,000 in COMP for USDC via Uniswap. This has caused the price of COMP to drop from $334 to as low as $290 within 24 hours. It has somewhat stabilized since then and sits at around $297 at the time of reporting.

Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Investment Disclaimer

Amara Khatri

Amara is a graduate in Business Management, and has been following the world of crypto since 2019. Having a keen eye for detail, Amara enjoys finding breaking stories via Twitter, official press releases and website blog posts. Outside of crypto, Amara enjoys rock climbing, dancing and spending time with her siblings.