Compound Bug Puts 490k COMP at Risk to Become the Largest Fund Loss in a Smart Contract Incident


The total COMP at risk has now increased to about 490k COMP tokens, amounting to over $155 million at the current price of $317.71.

This latest surge in affected tokens is due to another $68.8 million of COMP being sent to the Comptroller. Last week, a bug in the updated Comptroller contract resulted in millions of dollars being erroneously sent to some users.

At the time, Robert Leshner, founder of Compound Labs, had said that the mistaken claims could be at worst 280k COMP tokens.

Now, according to Leshner, this figure has increased further to 490k. The update came after Banteg, the core developer of DeFi protocol Yearn Finance (YFI), which has more than $5 billion in total value locked (TVL), tweeted “The best-kept secret in DeFi is out,” on Sunday.

“Someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller,” added Banteg, noting about 1/4 of that could already be drained. The number was later found to be even higher.

“The bug tallies to $147m, making it officially the largest fund loss in a smart contract incident.”

Leshner then took to Twitter to acknowledge the situation, noting that the majority of the COMP tokens in the Reservoir contract are reserved for users and that the contract drips 0.50 COMP per block into the protocol.

“Nobody had called the function in weeks, and community developers were hopeful that Proposal 63 or 64 (in governance) could go into effect before it was called.”

Mudit Gupta, a developer at DEX SushiSwap, noted that this is why “timelocks on everything are not always the best option,” because, though people knew about this issue, no one could do anything about it due to the timelock.

Out of the total 490k COMP at risk, 136k is still in the Comptroller, and 117k has been returned to the community so far, Leshner shared.

“Going forward, I'm optimistic about the patches making their way through the governance process, which fix the distribution, and the community members that are working to manage this bug.”

Leshner thanked those who had returned the COMP and said that the protocol had created portraits for them to recognize their deeds.

Last week, as we reported, Leshner had threatened to report users who did not return the funds to the IRS. He later walked back the statement after receiving criticism and realizing his mistake in doing so.

“I’m sorry, and I hope you can forgive me. It was a very very dumb tweet,” he said in response to one user who said Leshner’s original tweet made him want to leave the Compound platform.

Bitcoin Exchange Guide