‘Incredibly subtle’ Compound Finance coding flaw lets borrowers claim up to US$84m in unearned tokens
One of the biggest lending and borrowing protocols in decentralised finance has been hit by a bug, introduced in a contract upgrade, that has resulted in it paying out millions of dollars worth of tokens as unearned rewards.
Compound Finance, the fifth-biggest DeFi project with US$9.9 billion in total value locked (TVL), began giving away the rewards this morning after an update to its contract.
Compound founder Robert Leshner tweeted that proposal 62 and the new contract “were written by a community member, with review from multiple other community members.
“This is the greatest opportunity, and greatest risk for a decentralized protocol — that an open development process allows a bug to enter production.”
Some 280,000 COMP tokens were at risk — three per cent of circulating supply. At US$301 per COMP, that’s US$84.3 million.
At 3.48pm AEST, the contract still contained 31,000 COMP (US$9.4 million), with more claims coming in every minute.
There isn’t any administrative control to stop users from claiming the unearned bounty, Leshner added. Any change to the protocol requires a seven-day governance process.
One user had claimed 19,000 COMP and sold it for US$5.45 million in Tether, according to a Twitter sleuth.
Another got 29,665 COMP (US$9 million) and had already sold some of it, while a third had claimed 91,000 COMP (US$27 million) from an account that is potentially identifiable because it is linked to big online exchanges.
I’m optimistic for recovery, I know at least 1/3 was whitehatted out by a big user and most other people who claimed all had exchange interactions that make it unlikely they would try to take the money and run
— John Morrow (@jmo_mx) September 30, 2021
There was some online debate over whether this had been an honest mistake or a well-crafted scam. It apparently could have been prevented by the addition of just two characters.
Smart contracts are unforgiving of the tiniest errors…COMP bug is a tragic case of “>” instead of “>=” (in two code locations). Two characters, tens of millions of value lost.
— Kurt Barry (@Kurt_M_Barry) September 30, 2021
The $COMP bug is incredibly subtle. The Compound community is one of the best in the space, and they got unlucky.
I have always been paranoid about contract upgrades. It’s much easier to rush and audit only the changed code. It feels safe. But weird things can happen.
— David Kajpust (@davekajpust) September 30, 2021
The flaw apparently allows people who had borrowed from the protocol “some time ago” to claim unearned COMP rewards. Less-than-honourable people trying to borrow now to claim the unearned bounty were out of luck.
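The tweet above describes the bug as a “>” where a “>=” was needed. The following is an added illustration of that class of boundary error in index-based reward accounting. It is a constructed, simplified model written for this page, not Compound’s contract code: the function names, the 1e36 initial index, the seeding rule and the sample accounts are all assumptions. In the model, an account whose reward index was never recorded (stored as 0) must be seeded to the initial index before its reward delta is computed; a guard written with “>” skips that seed when the market index still equals the initial value, so the delta spans the whole index and the payout balloons. A “>=” guard seeds in that case too.

```python
# Added illustration of a '>' vs '>=' boundary bug in index-based reward accrual.
# Constructed, simplified model, NOT Compound's contract code: the names, the
# 1e36 initial index and the seeding rule are assumptions made for this example.

INITIAL_INDEX = 10**36  # assumed: every market's reward index starts here


def _payout(balance: int, market_index: int, account_index: int) -> int:
    """Reward owed = balance * (market_index - account_index), scaled by 1e36."""
    delta = market_index - account_index
    assert delta >= 0, "an account index can never be ahead of its market"
    return balance * delta // INITIAL_INDEX


def claimable_buggy(balance: int, market_index: int, account_index: int) -> int:
    """account_index == 0 means 'never recorded' and must be seeded to
    INITIAL_INDEX.  With '>' the seed is skipped when the market index is
    still exactly INITIAL_INDEX, so the delta becomes the entire index."""
    if account_index == 0 and market_index > INITIAL_INDEX:   # bug: '>'
        account_index = INITIAL_INDEX
    return _payout(balance, market_index, account_index)


def claimable_fixed(balance: int, market_index: int, account_index: int) -> int:
    """Same logic with '>=': an unrecorded account is always seeded, so it is
    paid only for index growth that happened after the market started accruing."""
    if account_index == 0 and market_index >= INITIAL_INDEX:  # fix: '>='
        account_index = INITIAL_INDEX
    return _payout(balance, market_index, account_index)


def scenarios() -> dict:
    """Constructed sample accounts; balances are whole reward units for readability.
    Returns {name: (buggy_payout, fixed_payout)}."""
    # Old borrower: position recorded before reward tracking, so account index
    # is 0 while the market index is still at its initial value.
    old_at_initial = dict(balance=10_000, market_index=INITIAL_INDEX, account_index=0)
    # Same old borrower after the market index has grown by 5%.
    grown = INITIAL_INDEX + INITIAL_INDEX // 20
    old_after_growth = dict(balance=10_000, market_index=grown, account_index=0)
    # Someone who borrows now: the current index is recorded at that moment,
    # so there is no stale zero to exploit.
    new_borrower = dict(balance=10_000, market_index=grown, account_index=grown)
    return {
        "old_borrower_at_initial": (claimable_buggy(**old_at_initial), claimable_fixed(**old_at_initial)),
        "old_borrower_after_growth": (claimable_buggy(**old_after_growth), claimable_fixed(**old_after_growth)),
        "new_borrower": (claimable_buggy(**new_borrower), claimable_fixed(**new_borrower)),
    }


if __name__ == "__main__":
    for name, (buggy, fixed) in scenarios().items():
        print(f"{name:28s} buggy={buggy:>6}  fixed={fixed:>6}")
```

In the model the old borrower at the initial index is paid their entire balance in reward units by the buggy version and nothing by the fixed one, while an account that borrows now has its index recorded at that interaction and gets nothing extra from either version, which is consistent with the report that borrowing now did not help. Whether the real contract’s layout matches this model is not something the page establishes; the point is that an equality case at a boundary is exactly where “>” and “>=” diverge, and an audit that looks only at the changed lines can miss it.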
The bug does not put at risk any funds supplied by users who have lent to the protocol, according to Leshner.
The COMP token dropped from US$315 to as low as $286 immediately after the flaw was uncovered.