Losses of up to 490,000 COMP estimated, due to bug in Compound Finance upgrade

The recent bug-incident related to the Compound Finance upgrade resulted in a loss of over $80 million worth of COMP. In this regard, Compound Labs founder Robert Leshner had earlier said that the total COMP at risk was about 280,000 tokens at worst. But, he has updated on Twitter that the risk was in fact to the tune of 490,000 COMP tokens.

This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far (THANK YOU ????). — Robert Leshner (@rleshner) October 3, 2021

The above risk is said to be a repercussion of the Proposal 062 execution on the DeFi platform. Leshner explained that the community developers were hopeful that another set of upgrades, namely Proposal 63 or 64, would be applied before the weakness was spotted. However, the reservoir smart contract is “dripping 0.50 COMP/block into the protocol.”

As part of the 490,000 tokens at risk, 136,000 are still in the Comptroller while 117,000 were returned to the community, according to the founder. Leshner had gone on Twitter after the initial breach asking the users to return the “unfairly large quantity of COMP.”

Until then, Compound assured the users,

“No supplied/borrowed funds are at risk.”

Meanwhile, Leshner is hopeful that the upcoming governance upgrade will fix the distribution bug in the COMP protocol. But, it didn’t look like an immediate solution. In an official announcement, the DeFi platform stated,

“All proposals are subject to a 3 day voting period, and any address with voting power can vote for or against the proposal.”

After the proposal receives at least 400,000 votes, it takes another two days to be implemented with the Timelock. On 30 September, Compound Labs had notified that the community members proposed to disable Proposal 063 until the bug was fixed. As per this, Timelock is expected to apply the protocol change by October 7.

Mudit Gupta, a core developer at DeFi exchange SushiSwap tweeted,

“This is why timelocks on everything are not always the best option.”

As the community rushed against time, another core developer had found addresses that could exploit the bug to drain the money from the Comptroller. He estimated that a quarter of the $68.8m funds are at risk.

The best-kept secret in DeFi is out, someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller. I've run the numbers and it seems about 1/4 of that could be drained.https://t.co/I4mGeNX6uT — banteg (@bantg) October 3, 2021

However, Gupta estimated that the entire transferred amount was at risk of immediate loss by bad actors. As we discussed the extent of loss, COMP had already lost around 7% of the total value locked (TVL) in the past week.

(function($) {window.fnames = new Array(); window.ftypes = new Array();fnames[1]='MERGE1';ftypes[1]='text';fnames[0]='MERGE0';ftypes[0]='email';}(jQuery));var $mcj = jQuery.noConflict(true);