Even as billions of dollars were poured into the DeFi space over the past year, the industry continues to be plagued by regular exploits and hacks. Most recently, one of DeFi's biggest lending and borrowing protocols, Compound Finance, fell victim to a bug that could cost the protocol millions of dollars.
The interest rate protocol recently executed a governance update that, in Compound's own words, led "some users to receive far too much COMP" in unearned rewards. Compound Labs, the team behind the Compound protocol, tweeted about the incident earlier, stating,
“Unusual activity has been reported regarding the distribution of COMP following the execution of Proposal 062. No supplied/borrowed funds are at risk — Compound Labs and members of the community are investigating discrepancies in the COMP distribution.”
Later, the protocol's founder, Robert Leshner, tweeted an explanation: the newly executed Proposal 062, which updated the Comptroller contract responsible for distributing COMP to users of the protocol, contained a bug that caused the issue.
The update's purpose was to split the COMP distribution between borrowers and liquidity suppliers according to governance-set ratios, rather than the fixed 50/50 split used previously, and to fix some minor bugs. Because of the bug in the upgraded contract, some users had already claimed around 168,000 COMP tokens, worth almost $50 million at press time.
Leshner further revealed that "the impact is bounded, at worst, 280,000 COMP tokens," worth about $80 million at the time of writing. While thousands of COMP tokens remain in the Comptroller, the protocol's decentralized design means the distribution contract cannot be changed without going through governance. He said,
“There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production. Labs, and members of the community, are evaluating potential steps to patch the COMP distribution.”
DeFi Llama developer "0xngmi," who dug into the issue, reported on Twitter that most of the faulty rewards went to the borrower side, with one user taking roughly $10 million worth of COMP and dumping it on OKEx and Huobi for stablecoins.
He also noted that the bug only let users who had borrowed from the protocol earlier claim the excess rewards; anyone greedy enough to borrow now in order to farm them would come away with nothing.
At the time of writing, COMP had lost over 11% of its value over the past day and was trading at around $300, presumably on fears stirred by the bug.
DeFi protocols are exposed because attackers can turn even minor bugs in a codebase into large losses. Last month, one of the biggest DeFi hacks to date took place when a hacker, who later described themselves as a white hat, drained over $600 million from Poly Network. Poly Network was fortunate to get its funds back; pNetwork, by contrast, lost 277 Bitcoin, worth $12.7 million, in an exploit last week.
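The pattern 0xngmi describes (earlier borrowers could claim, new borrowers could not) is characteristic of reward distributors that credit each account the difference between a global per-market index and the index stored for that account at its last interaction, and it also explains why the damage is bounded by whatever COMP the distributing contract holds. The model below is an added illustration of that general pattern, written for this article; it is not Compound's Comptroller code and not a reconstruction of the Proposal 062 bug. The class, the governance split, the "missing snapshot" defect, the users alice and bob, and all numbers are hypothetical.

```python
# Added illustration (not Compound's Comptroller code): a minimal index-based
# reward distributor for the borrower side of one market. All names, numbers
# and the "missing snapshot" defect are hypothetical.

DOUBLE = 10**36            # fixed-point scale of the reward index
INITIAL_INDEX = DOUBLE     # "1.0": the index a market starts at


class BorrowRewardDistributor:
    """Tracks a global per-market index and a per-user snapshot of it.

    Each account is credited principal * (index - snapshot) on every
    interaction. Payouts are capped by the reserve the contract holds,
    which is what bounds the damage of any over-crediting."""

    def __init__(self, reserve, comp_speed, borrower_share_bps):
        self.reserve = reserve
        # Governance-set split: borrowers get borrower_share_bps of the
        # market's COMP per block, suppliers the remainder (not modelled further).
        self.borrower_speed = comp_speed * borrower_share_bps // 10_000
        self.supplier_speed = comp_speed - self.borrower_speed
        self.index = INITIAL_INDEX
        self.last_block = 0
        self.total_borrows = 0
        self.principal = {}    # user -> borrow balance
        self.snapshot = {}     # user -> index at last interaction (absent == 0)
        self.accrued = {}      # user -> COMP credited but not yet paid
        self.claimed = {}      # user -> COMP actually paid out

    def seed_legacy_borrower(self, user, amount):
        """A position opened before rewards were switched on: principal
        exists, but no snapshot was ever stored, so it reads as 0."""
        self.principal[user] = self.principal.get(user, 0) + amount
        self.total_borrows += amount

    def accrue(self, block):
        """Advance the global index by the COMP earned per unit borrowed."""
        if block > self.last_block and self.total_borrows > 0:
            earned = (block - self.last_block) * self.borrower_speed
            self.index += earned * DOUBLE // self.total_borrows
        self.last_block = max(self.last_block, block)

    def distribute(self, user, bootstrap_missing_snapshot):
        """Credit the user for index growth since their snapshot.

        A missing snapshot must be treated as INITIAL_INDEX; otherwise the
        delta is the whole index measured from 0 and the user is credited
        roughly their entire principal in COMP."""
        user_index = self.snapshot.get(user, 0)
        if user_index == 0 and bootstrap_missing_snapshot:
            user_index = INITIAL_INDEX
        delta = self.index - user_index
        owed = self.principal.get(user, 0) * delta // DOUBLE
        self.accrued[user] = self.accrued.get(user, 0) + owed
        self.snapshot[user] = self.index

    def borrow(self, user, amount, block, bootstrap=True):
        self.accrue(block)
        self.distribute(user, bootstrap)
        self.principal[user] = self.principal.get(user, 0) + amount
        self.total_borrows += amount

    def claim(self, user, block, bootstrap=True):
        """Pay out what is accrued, but never more than the reserve holds."""
        self.accrue(block)
        self.distribute(user, bootstrap)
        owed = self.accrued.get(user, 0)
        paid = min(owed, self.reserve)
        self.reserve -= paid
        self.accrued[user] = owed - paid
        self.claimed[user] = self.claimed.get(user, 0) + paid
        return paid


def scenario(bootstrap_missing_snapshot):
    """Constructed scenario: alice borrowed before rewards started, bob
    borrows after. Returns (claimed, remaining reserve, unpaid accruals)."""
    d = BorrowRewardDistributor(reserve=280_000, comp_speed=10, borrower_share_bps=6_000)
    d.seed_legacy_borrower("alice", 1_000_000)
    d.claim("alice", block=100, bootstrap=bootstrap_missing_snapshot)
    d.borrow("bob", 1_000_000, block=100, bootstrap=bootstrap_missing_snapshot)
    d.claim("alice", block=200, bootstrap=bootstrap_missing_snapshot)
    d.claim("bob", block=200, bootstrap=bootstrap_missing_snapshot)
    return d.claimed, d.reserve, d.accrued


if __name__ == "__main__":
    print("correct:", scenario(True))           # alice 900, bob 300, reserve 278_800
    print("missing snapshot:", scenario(False))  # alice drains the reserve, bob gets 0
```

With the snapshot bootstrapped, alice and bob earn only what the governance-set borrower speed hands out over their blocks. With the defect, alice's first interaction after the change credits her about her whole principal in COMP, the claim is capped by the reserve, and bob, who only borrowed after the change, has his snapshot set to the current index and so gains nothing from the defect.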