A bug in the latest update to one of Compound’s smart contracts has led to payouts of millions of dollars in liquidity mining rewards.
Twitter User Spots Unusual COMP Activity
Earlier today, the Compound Protocol team tweeted that the Proposal 62 update to the Comptroller smart contract contained a bug that caused COMP to be distributed incorrectly, with some users receiving far more than they were owed. The team also stated that supplied and borrowed assets were not at risk and that it was investigating all discrepancies in COMP distribution.
Compound’s liquidity mining program normally pays rewards at a single-digit annual percentage yield. So when Twitter user “napgener” spotted three Ethereum transactions in which users received a combined $15 million in COMP after supplying and borrowing only tiny quantities of tokens, they flagged the activity as unusual.
Bug Hits COMP’s Liquidity Distribution Model
The upgrade and the new contract code were written by a community member so that COMP could be distributed to liquidity suppliers and borrowers according to governance-set ratios rather than the previous fixed 50-50 split. The code was reviewed by multiple community members, yet the bug still made it into the upgraded Comptroller contract, which has so far let some users claim roughly 168,000 COMP, worth around $50 million.
Ethereum-based decentralized exchange Curve Finance retweeted a statement pointing out the hard trade-off between permissionless development and the ability to fix vulnerabilities quickly and discreetly. Curve Finance tweeted,
“Things need to be reeeally well tested when they go more permissionless.”
Compound Lab Founder Speaks Out
According to founder Robert Leshner,
“This is the greatest opportunity, and greatest risk for a decentralized protocol--that an open development process allows a bug to enter production.”
Leshner also clarified that the exposure is capped at the 280,000 COMP held by the Comptroller itself, still worth a hefty $80 million, because the bulk of the rewards pool sits in a separate Reservoir contract. Furthermore, the protocol has no admin key or community tool that can pause COMP distribution, so any fix has to go through the full governance process and will take seven days before it can be executed. The same design choice that keeps a privileged party from halting rewards also leaves no fast path to stop an erroneous payout.
However, shortly after Leshner’s announcement on Twitter, a single transaction drained 91,000 COMP worth $27 million, with the user paying nothing in crypto assets beyond a $154.77 gas fee. The same wallet then swapped $140,000 in COMP for USDC via Uniswap. The incident pushed the price of COMP down from $334 to as low as $290 within 24 hours; it has since stabilized somewhat and sits at around $297 at the time of reporting.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.