DeFi Platform Compound Mistakenly Pays Out Millions in COMP After Upgrade
Compound Pays Out Millions in COMP Tokens
Compound (COMP), the world’s fourth-largest Ethereum-based DeFi lending and borrowing protocol with more than $9 billion in TVL today suffered a technical setback that resulted in the protocol erroneously paying out COMP tokens worth $27 million.
The issue was highlighted by Twitter user “napgener” who brought to attention three Ethereum transactions that show a user receiving a whopping $15 million in COMP tokens in return for borrowing and sending a small amount of tokens such as USDC, ETH, and DAI.
Specifically, the issue occurred due to the passing of Proposal 62 which is aimed toward splitting the COMP distribution to liquidity suppliers and borrowers basis the governance-set ratios rather than the previous 50/50 share model.
Further, Proposal 62 also included patches to a few minor bugs in the protocol.
Unfortunately, however, a new bug within the upgraded Comptroller Contract has allowed users to mistakenly claim over 167,000 COMP tokens worth a whopping $50 million.
Compound Founder Explains the Bug
Shortly after the vulnerability came to light, Compound Labs founder, Robert Leshner took to Twitter to detail the finer nuances of the mishap.
Leshner noted that the Comptroller Contract address “contains a limited quantity of COMP,” adding that the vast majority of COMP token rewards are residing in another smart contract address.
Leshner added that due to the aforementioned minuscule quantity of COMP tokens in the Comptroller Contract, that impact could, at worst, be worth 280,000 COMP tokens. At press time, the same was worth $83 million.
Leshner went on to add:
“There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production. Labs, and members of the community, are evaluating potential steps to patch the COMP distribution.”
Funnily enough, the Compound bug resulted in one of the few instances where users instead of getting their assets stolen were rewarded disproportionality by the protocol.