
Compound protocol again loses tens of millions of dollars due to bug in the Comptroller smart contract
Compound could lose more than $160 million due to a bug in the Comptroller smart contract, which has already cost the lending protocol $82 million.
The Comptroller is responsible for distributing COMP in the process of liquidity mining. After the activation of REP-062 this week, the protocol encountered a bug that allowed tokens to be claimed beyond the amount set by the rules. As a result, $82 million was withdrawn from Compound.
By triggering the drip() function, unknown actors transferred 202,472 COMP governance tokens (~$66.8 million at the time of writing) from the Reservoir smart contract, according to a leading yEarn.Finance developer who goes by the handle banteg.
It appears my estimate was low because of stale data in accruedComp. Four users managed to claim $21.5m so far, so maybe there are more funds at risk. I don’t know of a quick way to check all addresses.
— banteg (@bantg) October 3, 2021
According to him, after the drip() function was initiated, four large transactions drained 64,997 COMP (~$21.5 million) from the Comptroller address. According to banteg, only “base-state addresses can drain funds.” The developer stressed that there are at least five more addresses that could collectively claim tokens worth $45 million.
“The drip issue had been known to Compound Labs and security researchers for several days. It was decided to keep it secret, hoping no one would notice the problem until a patch is released,” said banteg in an interview with Decrypt.
The founder of the project, Robert Leshner, said that 490,000 COMP (~$161.7 million) were at risk. Of these, “136,000 tokens are still in the Comptroller, and 117,000 have been returned to the community.”
This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far (THANK YOU 🙏).
— Robert Leshner (@rleshner) October 3, 2021
Earlier, in an interview with CoinDesk, Leshner called the situation a “moral dilemma”. He urged community members to return the ill-gotten cryptocurrency and threatened to report the incident to the IRS. Yet not everyone responded to the plea.
If you received a large, incorrect amount of COMP from the Compound protocol error:
Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat.
Otherwise, it’s being reported as income to the IRS, and most of you are doxxed.
— Robert Leshner (@rleshner) October 1, 2021
In June, Compound Labs opened a subsidiary, Compound Treasury. It provides neobanks and other financial institutions with access to the DeFi ecosystem.