Compound suffers multimillion-dollar losses due to protocol update bug

The developers of the lending protocol Compound reported a bug in the distribution of the governance token COMP that emerged after the activation of RFP-062. According to project founder Robert Leshner, in the worst case the damage could exceed $82 million.

Compound runs a liquidity mining program: participants receive COMP tokens for depositing assets into its pools. The distribution rate is 0.5 COMP/block (~2312 COMP/day).

RFP-062, which came into effect on September 30, changed the previous governance token distribution model (50/50). Now liquidity providers and borrowers receive COMP according to specific coefficients.

The update was also intended to fix minor bugs, but it contained a serious vulnerability of its own: users were paid more tokens than the rules allowed.

One of the first to notice the problem was a community member under the alias napgener. He pointed to several suspicious transactions in which the protocol paid users $15 million in COMP for borrowing and supplying only a negligible amount of USDC, ETH, and DAI.

Several users may have already exploited the bug. A transaction is recorded on the blockchain in which an address received 91,000 COMP (~$26.8 million) for providing zero liquidity. To claim the tokens, its owner paid $157.77 in gas.

Subsequently, the same address used the decentralized exchange Uniswap to swap part of the COMP (~$140,000) for the stablecoin USDC.

According to Leshner, user assets are safe. The Comptroller contract address contains a limited quantity of tokens, so “in the worst case the impact is limited to 280,000 COMP” (~$82.6 million at the time of writing).

As of writing, the Comptroller address holds only 3,721 COMP (~$1.1 million).

“There are no administrative controls or community tools to disable COMP distribution. Any changes to the protocol require a seven-day review process before deployment,” wrote Leshner.

In the wake of the incident, the price of COMP fell by more than 10%, according to CoinGecko. At the time of writing, the token trades near $296.

Hourly chart of COMP/USDT on Binance. Data: TradingView.

In June, Compound Labs opened a subsidiary, Compound Treasury. It provides neobanks and other financial institutions with access to the DeFi ecosystem.
