Compounding problems: $65m more COMP at risk as devs wait for time-locked bug fix

Compounding problems: $65m more COMP at risk as devs wait for time-locked bug fix

Major DeFi money market Compound’s woes are worsening, with nearly $150 million worth of COMP now at risk due to a buggy upgrade to the protocol that went live last week.

On Sept. 30, Cointelegraph reported that a bug had resulted in between $70 million and $85 million worth of COMP tokens being mistakenly offered to users as rewards after an update intended to fix bugs and “split COMP rewards distribution” went awry.

Despite the reward distribution error being identified quickly, Compound’s week-long delay on enacting new governance measures meant that the error will not be fixed until Oct. 7.

Trending: Dr. Stella Immanuel: “The Whole Pandemic Was A TROJAN HORSE For Vaccines – Fauci Is Epitome Of Evil.”

On Oct. 3, Compound founder Robert Leshner tweeted that 202,472.5 COMP (worth approximately $65 million) had been placed at risk after the protocol’s drip function was called for the first time in roughly two months.

The drip function makes tokens held in Compound’s Reservoir available to users, with 0.5 COMP being accumulated by the Reservoir per block. Leshner noted that “the majority of COMP reserved for users” is held in the Reservoir.

This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far (THANK YOU ).

— Robert Leshner (@rleshner) October 3, 2021

SushiSwap developer Mudit Gupta took to social media to criticize the use of time-locks on governance, asserting that roughly 100 people were aware of that the threat posed by the drip function since the Sept. 30 bug was discovered but they were unable to act due to the time-delay on updating the protocol.

Gupta also warned of the risks associated with upgradable smart contracts, asserting they are inappropriate for “large [DeFi] primitives.”

This is why timelocks on everything are not always the best option. About a hundred people knew about this possibility since day 1 but their hands were tied due to the timelock.

All of this 68.8m can be drained, not just a quarter if there are malicious actors involved.

— Mudit Gupta (@Mudit__Gupta) October 3, 2021

“I’ve come to see upgradability as more of a bug than a feature,” he added.

While Leshner’s tweet revealed that roughly 117,000 COMP worth $37.6 million had been returned to the protocol following the initial incident, Yearn Finance developer Banteg estimated that one-third of the funds placed at risk by the drip function had already been claimed by users at roughly 3:30 pm UTC on Oct. 3.

Banteg tallied the

Continue reading

You Might Like


Join the conversation!

Please share your thoughts about this article below. We value your opinions, and would love to see you add to the discussion!

Thanks for sharing!
Send this to a friend