$162 million up for grabs after DeFi bug, warns Compound founder
traffic_analyzer | Getty Images
We thought the carnage was over for popular decentralized finance, or DeFi, staking protocol Compound, but as it turns out, millions more than we thought are at risk. About $162 million is up for grabs after an upgrade gone very wrong, according to Robert Leshner, founder of Compound Labs.
The price of Compound’s native token, called comp, is down about 4.8%.
At first, the Compound chief tweeted Friday that there was a cap to how many comp tokens could be accidentally distributed, noting that “the impact is bounded, at worst, 280,000 comp tokens,” or about $92.6 million.
But on Sunday morning, Leshner revealed that the pool of cash that had already been emptied once had been replenished – exposing another 202,472.5 comp tokens to exploit, or roughly $66.9 million at its current price.
Some, including a core developer at DeFi platform Yearn, are billing this as the biggest-ever fund loss in a smart contract incident, but investors, for their part, don’t seem to care all that much.
“The crypto market shrugged off the largest-ever fund loss as if it was nothing,” said Mudit Gupta, a core developer at decentralized crypto exchange SushiSwap. “The future for DeFi is bright but we’re in uncharted territory, and there’s a lot to be learned still.”
What keeps going wrong
DeFi protocols such as Compound are designed to recreate traditional financial systems such as banks and exchanges using blockchains enriched with self-executing smart contracts.
On Wednesday, Compound rolled out what should have been a pretty standard upgrade. Soon after implementation, however, it was clear that something had gone seriously wrong, once users started to receive millions of dollars in comp tokens.
For example, $30 million worth of comp tokens were claimed in one transaction.
The saving grace of the entire debacle, however, was the fact that the pool of cash that was open to exploit – something called the Comptroller contract – had a finite amount of tokens. The problem is that this leaky pool got a fresh influx of cash, and 0.5 comp tokens are being added roughly every 15 seconds, according to Gupta.
“When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users,” Leshner wrote in a tweet Sunday morning.
Leshner noted that this brought the total comp at risk to 490,000 comp tokens, or about $162 million.
There are a few proposals to fix the bug, but Compound’s governance model is such that any changes to the protocol require a multiday voting window, and Gupta said it takes another week for the successful proposal to be executed.
In the meantime, this pool of cash is once again up for grabs for users who know how to exploit the bug.
Compound made clear that no supplied or borrowed funds were at risk, which is some consolation.
“No user funds are or were at risk so it’s not that big of a deal,” said Gupta. “Everyone kinda got diluted but didn’t lose anything directly.”
There are also some white hats in the community.
After the Compound founder begged users to voluntarily return the platform’s crypto tokens, some did. Leshner said that as of Sunday morning, about 117,000 comp tokens, or $38.7 million, had been returned.
But as Mati Greenspan, portfolio manager and Quantum Economics founder, points out, how things play out with this bug is almost entirely beside the point. “The bigger issue is — can it happen again?” he said.
Compound is the world’s fifth-largest DeFi protocol with a total value locked of $10.3 billion, according to DeFi Llama, which provides ranking and metrics for DeFi protocols.
Greenspan said the protocol can easily absorb this loss and a lot of it will likely be returned, “but the larger issue would be if people lose confidence in the system’s ability to function properly.”
Gupta said one immediate problem is that the Comptroller account has given away comp tokens that were reserved for future rewards.
You can think of Comptroller as the heart of Compound, Gupta explained. It facilitates all core features like borrowing, lending, and rewarding.
Comptroller oversees the pool of cash used to pay rewards to users who provide their crypto to borrowers at a set interest rate, which is typically a single-digit APY.
“Future rewards might have to be reduced to make Comptroller solvent,” said Gupta.