$22M Drained From Compound Contract That Was Hit for $80M Last Week

About $66 million – and counting – was recently added to the still-vulnerable contract, making more funds available for exploit.

Oct 3, 2021 at 2:43 p.m. UTC
Updated Oct 4, 2021 at 5:13 p.m. UTC

Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.

A faulty Compound Finance contract intended to disburse liquidity mining rewards over time was topped off with $66 million in tokens on Sunday morning.

  • About $22 million of those funds were then exploited due to the same bug that drained $80 million in tokens throughout the latter half of last week, per one DeFi developer, who told CoinDesk that the remaining $44 million has now been determined to be at risk.
  • At approximately 9:30 a.m. ET, one ETH address claimed 37,504 of the tokens, worth $12 million, and another claimed 14,995, worth $4.9 million. The funds were claimed by contracts from the MakerDAO DSProxy factory, and are now in two separate addresses.
  • Additional claims of 9,499, 1,699 and 2,999 COMP have brought the total drained to $22 million.

MakerDAO representatives have been active in helping to find solutions to the bug, per Compound founder Robert Leshner. A MakerDAO rep did not return a request for comment by the time of publication.

  • In a tweet on Sunday morning, pseudonymous Yearn.Finance core contributor “banteg,” who has also been weighing in on Compound governance forums in the wake of the bug, wrote that the ability to top off the bugged contract has been “known for a few days now” but the community plan “was to keep shush and hope nobody discovers it for a week.”
  • Compound’s contracts do not have a multi-signature scheme that allows for more immediate upgradability; instead, changes can only be made after a seven-day governance process designed to make the protocol more resilient to hostile changes. That security architecture is now serving as a barrier to a patch to the faulty code.
  • A debate is underway in the community regarding what users should do with the funds they’ve received. Leshner split the debate broadly into two categories: DeFi “builders” who see protocols like Compound as public goods and the erroneous tokens as belonging to the community, and “profit maximalists” more inclined to say “haha, f*** you, this is your problem.”
  • New funds are still being added to the contract. Users are now continuously calling a function to add funds to the Comptroller contract from the Compound Reservoir, potentially putting the added funds at risk.
  • In a statement to CoinDesk, banteg said that while the impact of the exploit was initially estimated at just one-quarter of the $66 million in recently added funds, more addresses were found that could make claims that would empty the Comptroller.
  • The price of COMP has lost more than 5% in the last 24 hours and in recent trading was at $330.53.

UPDATE (Oct. 3, 16:32 UTC): Increases amount of exploit to $22 million, updates to say entire $66 million is now considered vulnerable.

