Bug in DeFi Protocol Compound Mistakenly Sends $82 Million In COMP Rewards to Users
Robert Leshner, the founder of the DeFi project, which has the fifth-largest TVL at $9.63 billion, says the mistaken claims have been at worst 280k COMP tokens worth about $82 million.
Decentralized finance protocol (DeFi) Compound encountered a bug in its code that resulted in erroneously giving an unusual amount of COMP tokens worth millions of dollars in liquidity mining rewards.
“Unusual activity has been reported regarding the distribution of COMP following the execution of Proposal 062,” tweeted the team late on Wednesday.
But the team assured that no supplied or borrowed funds are at risk, and the team is investigating discrepancies in the COMP distribution.
If confirmed, it is indeed a very elusive boundary case! @rleshner https://t.co/z0Cj3R2wEt pic.twitter.com/aAl5YTNmP0
— PeckShield Inc. (@peckshield) September 30, 2021
Proposal 62, which went into effect on Wednesday, intended to have two different COMP distribution rates for each market, borrow-side and supply-side rates, instead of the previous 50/50 share model.
But the updated Comptroller Contract contained a new bug that allowed some users to claim thousands of COMP tokens. According to Robert Leshner, founder of Compound Labs, the mistaken claims have been at worst 280k COMP tokens worth about $82 million.
“Exploiters were people that had borrowed some time ago, borrowing now and trying to exploit doesn't work,” said 0xngmi of DeFiLlama.
Smart contracts are unforgiving of the tiniest errors…COMP bug is a tragic case of ">" instead of ">=" (in two code locations). Two characters, tens of millions of value lost.
— Kurt Barry (@Kurt_M_Barry) September 30, 2021
In a series of tweets, Leshner shared that the new Comptroller contract ended up distributing far too many COMP tokens to users of the protocol. The proposal and the contract, he further shared, were written by a community member.
“All supplied assets, borrowed assets, and positions are completely unaffected. Users don't have to worry about their funds; the only risk is that you (or another user) receives an unfairly large quantity of COMP.”
Leshner went on to explain that there are no tools or admin controls to disable this COMP distribution. Moreover, any changes to the protocol require a 7-day governance process to make their way into production.
Compound Labs and community members are now “evaluating potential steps to patch the COMP distribution.”
Just a reminder that the literal interpretation of "code is law" is dumb. Behind every code there is some intent. There was no intent to give outsized rewards in Comptroller, so it's a bug. Thus, you should return any excess COMP if you got any.
— banteg (@bantg) September 30, 2021
Compound Finance is the fifth largest DeFi project with $9.63 billion in total value locked (TVL), down from almost $13 billion ATH earlier this month.
The project token has a market cap of $1.73 billion and is down 12% in the past 24 hours to trade at $293.69, down 68% from the mid-May peak of $910.5.