$22M Drained From Compound Contract That Was Hit for $80M Last Week

About $66 million – and counting – was recently added to the still vulnerable contract, thus making more funds available for exploit.

AccessTimeIconOct 4, 2021 at 5:58 a.m. UTC
Updated May 11, 2023 at 3:58 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global event for everything crypto, blockchain and Web3.Register Now

A faulty Compound Finance contract intended to disburse liquidity mining rewards over time was topped off with $66 million in tokens on Sunday morning.

  • About $22 million of those funds were then exploited due to the same bug that drained $80 million in tokens throughout the latter half of last week, per one DeFi developer, who told CoinDesk that the remaining $44 million has now been determined to be at risk.
  • How NEAR Enables Multichain Access From One Account
    00:56
    How NEAR Enables Multichain Access From One Account
  • Over $67M in Crypto Lost to Hacks and Exploits in February: Immunefi Report
    00:56
    Over $67M in Crypto Lost to Hacks and Exploits in February: Immunefi Report
  • Hacks Involving North Korea Are 'Even Greater Problem': Legal Experts
    09:43
    Hacks Involving North Korea Are 'Even Greater Problem': Legal Experts
  • Breaking Down the State of Hacking in 2024
    02:01
    Breaking Down the State of Hacking in 2024
    • At approximately 9:30 a.m. ET, one ETH address claimed 37,504 of the tokens, worth $12 million, and another claimed 14,995, worth $4.9 million. The funds were claimed by contracts from the MakerDAO DSProxy factory, and are now in two separate addresses.
    • Additional claims of 9,499, 1,699 and 2,999 COMP have brought the total drained to $22 million.

    MakerDAO representatives have been active in helping to find solutions to the bug, per Compound founder Robert Leshner. A MakerDAO rep did not return a request for comment by the time of publication.

    • In a tweet on Sunday morning, pseudonymous Yearn.Finance core contributor “banteg,” who has also been weighing in on Compound governance forums in the wake of the bug, wrote that the ability to top off the bugged contract has been “known for a few days now” but the community plan “was to keep shush and hope nobody discovers it for a week.”
    • Compound’s contracts do not have a multi-signature scheme that allows for more immediate upgradability; instead, changes can only be made after a seven-day governance process designed to make the protocol more resilient to hostile changes. That security architecture is now serving as a barrier to a patch to the faulty code.
    • A debate is underway in the community regarding what users should do with the funds they’ve received. Leshner split the debate broadly into two categories: DeFi “builders” who see protocols like Compound as public goods and the erroneous tokens as belonging to the community, and “profit maximalists” more inclined to say “haha, f*** you, this is your problem.”
    • The adding of new funds to the contract is still underway. Users are now continuously calling a function to add funds to the Comptroller contract from the Compound Reservoir, potentially putting the added funds at risk.
    • In a statement to CoinDesk, banteg said that while it was initially estimated the impact of the exploit was just one-quarter of the $66 million recently added funds, more addresses were found that could make claims that would empty the comptroller.
    • The price of COMP has lost more than 5% in the last 24 hours and in recent trading was at $330.53.

    UPDATE (Oct. 3, 16:32 UTC): Increases amount of exploit to $22 million, updates to say entire $66 million is now considered vulnerable.

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

    Andrew Thurman

    Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.



    Read more about