One of the biggest lending and borrowing protocols in decentralised finance has been hit by some kind of bug or hack that has resulted in it paying out millions of dollars’ worth of tokens in unearned rewards.

Compound Finance, the fifth-biggest DeFi project with US$9.9 billion in total value locked (TVL), began giving away the rewards this morning after an update to its contract.

Compound founder Robert Leshner tweeted that proposal 62 and the new contract “were written by a community member, with review from multiple other community members.

“This is the greatest opportunity, and greatest risk for a decentralized protocol — that an open development process allows a bug to enter production.”

Some 280,000 COMP tokens were at risk — three per cent of circulating supply. At US$301 per COMP, that’s US$84.3 million.

At 3.48pm AEST, the contract still contained 31,000 COMP (US$9.4 million), with more claims coming in every minute.

There isn’t any administrative control to stop users from claiming the unearned bounty, Leshner added. Any change to the protocol requires a seven-day governance process.

One user had claimed 19,000 COMP and sold it for US$5.45 million in Tether, according to a Twitter sleuth.

Another got 29,665 COMP (US$9 million) and had already sold some of it, while a third had claimed 91,000 COMP (US$27 million) from an account that’s potentially identifiable because it’s linked to big online exchanges.

There was some online debate over whether this had been an honest mistake or a well-crafted scam. It apparently could have been prevented by just the addition of two characters.

The flaw apparently allows people who had borrowed from the protocol “some time ago” to claim unearned COMP rewards. Less-than-honourable people trying to borrow now to claim the unearned bounty were out of luck.

The bug doesn’t put at risk any funds from users who have lent to the protocol, according to Leshner.

The COMP token dropped from US$315 to as low as US$286 immediately after the flaw was uncovered.