DeFi Money Market Compound Overpays Millions in COMP Rewards in Possible Exploit; Founder Says $80M at Risk

Compound erroneously paid out millions in liquidity mining rewards following an update to one of its smart contracts. In one transaction, $27 million was claimed.

AccessTimeIconSep 30, 2021 at 12:36 a.m. UTC
Updated May 11, 2023 at 4:49 p.m. UTC

In a possible exploit on Wednesday night, decentralized money market Compound has been erroneously paying out millions of dollars in COMP tokens intended as liquidity mining rewards.

Twitter user “napgener” first flagged the issue, pointing to three Ethereum transactions showing users receiving a total of $15 million in COMP tokens in exchange for borrowing and supplying tiny quantities of tokens, including USDC, ETH and DAI.

Compound has a liquidity mining program that rewards depositors and borrowers, but often at a rate of a single-digit APY. The botched payout sums indicate a flaw in the comptroller contract, which disburses the COMP liquidity mining rewards, possibly related to a recent upgrade.

Observers have noted that Compound’s comptroller contract is not managed by a multi-sig controlled by Compound Labs, and any fix to the exploit may require a governance vote among COMP holders.

Per DeFi Llama, Compound is the world’s fifth-largest decentralized finance protocol with a total value locked (TVL) of $10.2 billion.

Compound acknowledged the exploit on its official Twitter handle and said no user funds are at risk:

Likewise, Compound founder Robert Leshner acknowledged the exploit in a tweet, saying that “at worst” only 280,000 COMP tokens are at risk of being erroneously claimed.

He also noted that “there are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production. Labs, and members of the community, are evaluating potential steps to patch the COMP distribution.”

Shortly after Leshner’s tweet, at 1:38 UTC on Thursday (9:38 p.m. ET on Wednesday), some 91,000 COMP tokens worth $27 million were claimed in a single transaction. The user appears to have supplied $0 in crypto assets to the platform; they paid $154.77 in gas fees to take in their dubious haul.

The same wallet then swapped $140,000 in COMP for USDC via Uniswap.

The price of COMP has plunged on the news, falling from a 24-hour high of $334 to as low as $290. At the time of this story’s latest update, it sits at $290, according to CoinGecko.

A request for comment sent to Compound Labs was not returned by press time.

This is a developing story and will be updated.

UPDATE (Sept. 30, 1:23 UTC): Adds comments from Compound founder Robert Leshner.

UPDATE (Sept. 30, 2:02 UTC): Adds detail on subsequent transactions.

UPDATE (Sept. 30, 2:08 UTC): Changes headline.

UPDATE (Sept. 30, 2:11 UTC): Updates current price of COMP.


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Andrew Thurman

Andrew Thurman was a tech reporter at CoinDesk with a focus on DeFi.