04 Oct 2021

Compound Contract Bug Keeps Infesting Before Fix Can be Implemented


Decentralized finance (DeFi) protocol Compound Finance faced more trouble over the weekend when, on Sunday, nearly USD 65m worth of COMP was dripped into the contract plagued by the bug.

Per Etherscan, on October 3, COMP 202,472.5, worth USD 64.67m, was transferred from the Compound Reservoir contract into the protocol.

This means that the freshly infused funds are at risk of being exploited as well. Yesterday, one address showed a transfer of some 4.8m, and another of nearly USD 12m.

It turns out that this ability to add funds to the compromised contract had been known for some time, but the decision was apparently made to keep it quiet.

yearn.finance (YFI) core contributor ‘banteg’ alleged that “this was known for a few days now, but there is no possible mitigation, so the plan was to keep shush and hope nobody discovers it for a week.”

Compound Labs' October 2 tweet announced a new proposal that "patches the bug introduced" by the proposal that caused it and "resumes the COMP distribution for the majority of users." It seems that the team behind the protocol was hoping that nobody would use this ability until the two proposals that followed the faulty one had been implemented on October 7.

In response, Robert Leshner, Founder of Compound Labs, said that the Reservoir contract holds the majority of COMP reserved for users, and that it drips 0.50 COMP/block into the protocol. “Nobody had called the function in weeks, and community developers were hopeful that Proposal 63 or 64 (in governance) could go into effect before it was called.”

What happened, per the founder, is that when somebody did call this "drip" function on Sunday morning, it sent the entire backlog of COMP 202,472.5, or some two months of COMP accrued since the last time the function was called, into the protocol for distribution to users.

While c. COMP 117,000 (USD 37.28m) had been returned by the time of his post, some COMP 490,000 (USD 156.12m) in total were reported as vulnerable.

As reported, Compound Finance passed and executed a proposal last week, but soon found that, due to a bug in a smart contract, users were able to claim millions in COMP rewards, with some USD 82m impacted at the time.

A couple of days later, Leshner tweeted what was widely perceived as a threat to dox those who did not return the claimed COMP, and as a poor move on his part; he followed it with an apology after receiving heavy backlash.

At 10:42 UTC, COMP is trading at USD 318, down 6% in a day and 9% in a week.
