$22M Drained From Compound Contract That Was Hit for $80M Last Week

About $66 million – and counting – was recently added to the still vulnerable contract, thus making more funds available for exploit.

Oct 3, 2021 at 2:43 p.m. UTC
Updated Oct 4, 2021 at 5:13 p.m. UTC

A faulty Compound Finance contract intended to disburse liquidity mining rewards over time was topped off with $66 million in tokens on Sunday morning.

  • About $22 million of those funds were then exploited due to the same bug that drained $80 million in tokens throughout the latter half of last week, per one DeFi developer, who told CoinDesk that the remaining $44 million has now been determined to be at risk.
  • At approximately 9:30 a.m. ET, one ETH address claimed 37,504 of the tokens, worth $12 million, and another claimed 14,995, worth $4.9 million. The funds were claimed by contracts from the MakerDAO DSProxy factory, and are now in two separate addresses.
  • Additional claims of 9,499, 1,699 and 2,999 COMP have brought the total drained to $22 million.

MakerDAO representatives have been active in helping to find solutions to the bug, per Compound founder Robert Leshner. A MakerDAO rep did not return a request for comment by the time of publication.

  • In a tweet on Sunday morning, pseudonymous Yearn.Finance core contributor “banteg,” who has also been weighing in on Compound governance forums in the wake of the bug, wrote that the ability to top off the bugged contract has been “known for a few days now” but the community plan “was to keep shush and hope nobody discovers it for a week.”
  • Compound’s contracts do not have a multi-signature scheme that allows for more immediate upgradability; instead, changes can only be made after a seven-day governance process designed to make the protocol more resilient to hostile changes. That security architecture is now serving as a barrier to a patch to the faulty code.
  • A debate is underway in the community regarding what users should do with the funds they’ve received. Leshner split the debate broadly into two categories: DeFi “builders” who see protocols like Compound as public goods and the erroneous tokens as belonging to the community, and “profit maximalists” more inclined to say “haha, f*** you, this is your problem.”
  • The adding of new funds to the contract is still underway. Users are now continuously calling a function to add funds to the Comptroller contract from the Compound Reservoir, potentially putting the added funds at risk.
  • In a statement to CoinDesk, banteg said that while it was initially estimated the impact of the exploit was just one-quarter of the $66 million recently added funds, more addresses were found that could make claims that would empty the comptroller.
  • The price of COMP has lost more than 5% in the last 24 hours and in recent trading was at $330.53.

UPDATE (Oct. 3, 16:32 UTC): Increases amount of exploit to $22 million, updates to say entire $66 million is now considered vulnerable.

DISCLOSURE

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.

Andrew Thurman is a tech reporter at CoinDesk with a focus on DeFi.