Compound reward exploit discovered; the proposed fix must pass a seven-day governance lock-up, creating an awkward situation
The lending platform Compound experienced an abnormal distribution of COMP liquidity mining rewards after implementing a recent proposal, potentially impacting up to 280,000 COMP tokens worth nearly $90 million. The token price briefly dropped below $300, and the team and community are assessing the necessary steps to address the issue.
See the October 4 update below: Yearn core developer banteg stated on October 3 that several addresses able to drain rewards were still present. Compound's founder confirmed the report and said the issue would be addressed promptly.
Proposal 62
Proposal 62, led by the community, aims to change the previous mining rewards system from a 50/50 split between borrowers and lenders to a governance-set ratio. This adjustment is in response to negative interest rates in certain markets, primarily in the non-stablecoin market. The upgrade is also expected to address some minor vulnerabilities.
Abnormal Reward Distribution
However, following the implementation of the proposal, Compound Labs and community members quickly discovered an abnormality in the COMP reward distribution. Subsequently, Proposal 63 was released to temporarily halt users from claiming COMP tokens until the reward distribution is rectified.
Compound founder Robert Leshner also mentioned in a tweet that there are no security concerns regarding the assets of borrowers and lenders. The issue lies in users potentially receiving excessive COMP token rewards.
Because the Comptroller contract holds only a limited supply of COMP, the worst-case scenario is the release of 280,000 COMP tokens, valued at $89 million, in a single block.
Governance: Opportunity and Risk
Leshner stated:
Proposal 62's contract was written by a community member and reviewed by several others. This decentralized protocol presents both the greatest opportunity and the greatest risk, as errors can arise during the open-source development process, and there are no permissions to halt COMP reward distribution. Any proposal amendments also require a 7-day governance process before implementation.
He mentioned that the new Proposal 63 will be executed after seven days, halting additional reward claims while also affecting normal reward distribution. The team and community are working on a solution to restart liquidity mining.
Community Feedback
Synthetix founder Kain Warwick provided insights on the "7-day governance process":
This is a great example of the current trade-off dilemma between time locks. Synthetix's new governance model allows token holders to unlock with a sufficiently high vote count. Compound can do it too, so don't worry.
On the other hand, Robert Leshner's recent tweet warned users who received extra rewards to return 10% of the COMP as a white-hat hacker reward; otherwise, the rewards would be reported as "income" to the IRS.
Some users criticized this action, stating that embracing government intervention and threatening users with central authorities goes against the spirit of DeFi.
David Hoffman, founder of Bankless, commented:
The cool thing about blockchain is that it allows everyone to see the bad and unfair practices.
Several hours later, Robert Leshner responded, acknowledging his mistake and expressing gratitude for the community's strength and intelligence. The COMP token price dropped to a low of $279 but had recovered to $323 at the time of writing. Some users have started returning the excess COMP tokens.
Legal Advisor Resignation
In the aftermath, on October 2, Compound's legal advisor announced his departure after two and a half years of service. He did not comment on the recent events at Compound.
1/ Some personal news: after 2.5 amazing years, yesterday was my last day at @compoundfinance ❤️
It's been a genuine honor helping @rleshner, @justHGH, & the Compound Labs team build the future of finance 🤖
I'm taking October off, then starting a new challenge (stay tuned) 🧵
— Jake Chervinsky (@jchervinsky) October 1, 2021
October 4 Update: Ongoing Vulnerabilities, Await Fix
On the evening of October 3, Yearn core developer banteg reported that someone had called the drip function on Compound's Treasury Reservoir contract, transferring $68.8 million worth of COMP into the claimable mining rewards held by the Comptroller. He identified several addresses that could extract funds from the contract, posing a risk to Compound.
The best-kept secret in DeFi is out, someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller.
I've run the numbers and it seems about 1/4 of that could be drained. https://t.co/I4mGeNX6uT
— banteg (@bantg) October 3, 2021
Compound's founder later confirmed the issue, hoping that the pending governance Proposals 63 or 64 would address the problem promptly. While acknowledging the risk exposed by the drip call banteg reported, he remains optimistic that decentralized governance will resolve the situation. COMP had dropped by 7% at the time of writing.
The Reservoir contract holds the majority of COMP reserved for users, and drips 0.50 COMP/block into the protocol.
Nobody had called the function in weeks, and community developers were hopeful that Proposal 63 or 64 (in governance) could go into effect before it was called. https://t.co/FK3sew2W0b
— 🤖 Leshner (@rleshner) October 3, 2021