Compound Bug Puts 490k COMP at Risk to Become the Largest Fund Loss in a Smart Contract Incident
The total COMP at risk has now increased to about 490k COMP tokens, amounting to over $155 million at the current price of $317.71.
This latest surge in the affected tokens is due to another $68.8 million of COMP being sent to the Comptroller. Last week, this updated Comptroller Contract containing a bug had resulted in erroneously sending millions of dollars to some users.
At the time, Robert Leshner, founder of Compound Labs, had said that the mistaken claims could be at worst 280k COMP tokens.
Now, this figure, according to Leshner, has further increased to 490k after Banteg, the core developer of DeFi protocol Yearn Finance (YFI) — which has more than $5 billion in total value locked (TVL) — tweeted “The best-kept secret in DeFi is out,” on Sunday.
“Someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller,” added Banteg, noting about 1/4 of that could already be drained. The number was later found to be even higher.
“The bug tallies to $147m, making it officially the largest fund loss in a smart contract incident.”
I used to be one of the biggest proponents of upgradable smart contracts.
However, over time, I've come to see upgradablity as more of a bug than a feature.
It's still good in some scenarios but probably not great for large primitives like Compound, Aave, Uni, Sushi, Maker etc.
— Mudit Gupta (@Mudit__Gupta) October 3, 2021
Leshner then took to Twitter to acknowledge the situation, noting that in the Reservoir contract, the majority of the COMP tokens are reserved for users and drips 0.50 COMP per block into the protocol.
“Nobody had called the function in weeks, and community developers were hopeful that Proposal 63 or 64 (in governance) could go into effect before it was called.”
Mudit Gupta, a developer at DEX SushiSwap, noted that this is why “timelocks on everything are not always the best option,” because though people know about this issue, no one could do anything about it due to the timelock.
Out of the total 490k COMP at risk, 136k is still in the Comptroller, and 117k has been returned to the community so far, Leshner shared.
“Going forward, I'm optimistic about the patches making their way through the governance process, which fix the distribution, and the community members that are working to manage this bug.”
Anyone who returns COMP to the community is an alien giga-chad; and if a squad of alien giga-chads ever summon me, I will appear https://t.co/EZLb7g91Ew
— Robert Leshner (@rleshner) October 1, 2021
Leshner thanked those who had returned the COMP and said that the protocol had created portraits for them to recognize their deeds.
Last week, as we reported, Leshner had threatened the users that he would report those who did not return the funds to the IRS. But later backtracked the statement as he received criticism and realized his mistake in doing so.
“I’m sorry, and I hope you can forgive me. It was a very very dumb tweet,” he said in response to one user talking about Leshner’s original tweet making him wanna leave the Compound platform.