DeFi Platform Compound Mistakenly Pays Out Millions in COMP After Upgrade
DeFi protocol Compound (COMP) seems to have fallen victim to a bug in one of its smart contracts, leading to overpayment of COMP liquidity mining rewards to users.
Compound Pays Out Millions in COMP Tokens
Compound (COMP), the world’s fourth-largest Ethereum-based DeFi lending and borrowing protocol with more than $9 billion in TVL, today suffered a technical setback that resulted in the protocol erroneously paying out COMP tokens worth $27 million.
The issue was highlighted by Twitter user “napgener”, who drew attention to three Ethereum transactions that show a user receiving a whopping $15 million in COMP tokens in return for borrowing and sending a small amount of tokens such as USDC, ETH, and DAI.
Some funky business happening on $COMP
possible rug in the @compoundfinance comptroller. ⚠️@rleshner https://t.co/IRTJIQnBEx
— napgener 0xBearMarket (@napgener) September 29, 2021
Specifically, the issue occurred due to the passing of Proposal 62, which is aimed at splitting the COMP distribution between liquidity suppliers and borrowers based on governance-set ratios rather than the previous 50/50 share model.
Further, Proposal 62 also included patches to a few minor bugs in the protocol.
Unfortunately, however, a new bug within the upgraded Comptroller Contract has allowed users to mistakenly claim over 167,000 COMP tokens worth a whopping $50 million.
Compound Founder Explains the Bug
Shortly after the vulnerability came to light, Compound Labs founder Robert Leshner took to Twitter to detail the finer nuances of the mishap.
A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol.
The new Comptroller contract contains a bug, causing some users to receive far too much COMP. https://t.co/Fy6nLgDqKy
— Robert Leshner (@rleshner) September 30, 2021
Leshner noted that the Comptroller Contract address “contains a limited quantity of COMP,” adding that the vast majority of COMP token rewards reside in another smart contract address.
Leshner added that, due to the aforementioned minuscule quantity of COMP tokens in the Comptroller Contract, the impact could, at worst, be 280,000 COMP tokens. At press time, that amount was worth $83 million.
Leshner went on to add:
“There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production. Labs, and members of the community, are evaluating potential steps to patch the COMP distribution.”
Funnily enough, the Compound bug resulted in one of the few instances where users, instead of getting their assets stolen, were rewarded disproportionately by the protocol.