$ 162 million after a bug within the DeFi protocol compound
traffic_analyzer | Getty Images
We thought the slaughter for the popular decentralized financial or DeFi staking protocol Compound was over, but it turns out that millions are more at risk than we thought. According to Robert Leshner, founder of Compound Labs, there is about $ 162 million up for grabs after an upgrade that went very wrong.
The price of Compound’s native token, called Comp, is down about 4.8%.
First, the Compound boss tweeted on Friday that there was an upper limit on how many Comp tokens could be accidentally distributed, noting that “the worst case scenario would be 280,000 Comp tokens, or about 92.6 million US dollars. Dollars are limited “.
But on Sunday morning, Leshner revealed that the pool of cash that had already been emptied had been replenished – unlocking an additional 202,472.5 Comp tokens for use, or about $ 66.9 million at current price.
Some, including a core developer of DeFi platform Yearn, are billing this as the biggest fund loss ever in a smart contracts incident, but for their part, investors don’t seem too bothered.
“The crypto market dismissed the biggest fund loss of all time as if it were nothing,” said Mudit Gupta, a core developer of the decentralized crypto exchange SushiSwap. “The future for DeFi is bright, but we are in uncharted territory and there is still a lot to learn.”
What always goes wrong
DeFi protocols like Compound were developed to emulate traditional financial systems like banks and stock exchanges using blockchains enriched with self-executing smart contracts.
On Wednesday, Compound released a pretty standard upgrade. However, soon after implementation, it was clear that something had gone seriously wrong when users started raising millions of dollars in Comp tokens.
For example, Comp tokens worth $ 30 million were claimed in one transaction.
However, saving the entire debacle was the fact that the available money pool – called the comptroller contract – had a limited number of tokens. The problem is that this leaky pool received a new inflow of money and 0.5 comp tokens are added roughly every 15 seconds, according to Gupta.
“When the Drip () function was called this morning, it sent the backlog (202,472.5, approximately two months COMP since the function was last called) into the log for distribution to users,” wrote Leshner in a tweet on Sunday morning .
Leshner noted that this increases the overall risk to 490,000 comp tokens, or about $ 162 million.
There are some suggestions to fix the bug, but Compound’s governance model is such that any changes to the protocol require a multi-day voting window, and Gupta said it would take another week for the successful proposal to execute.
In the meantime, that money pool is available again to users who know how to take advantage of the bug.
Compound made it clear that no funds provided or borrowed were at risk, which is some consolation.
“No user funds are or have been at risk, so it’s not that big of a deal,” said Gupta. “Everyone has been watered down somehow, but has not lost anything directly.”
There are also some white hats in the community.
After the compound founder asked users to voluntarily return the platform’s crypto tokens, some did so. Leshner said about 117,000 Comp tokens, or $ 38.7 million, had been returned as of Sunday morning.
But as Mati Greenspan, portfolio manager and founder of Quantum Economics, points out, how things go with this flaw is almost irrelevant. “The bigger problem is – can it happen again?” He said.
Compound is the fifth largest DeFi protocol in the world valued at $ 10.3 billion, according to DeFi Llama, which provides ranking and metrics for DeFi protocols.
Greenspan said the protocol could easily absorb that loss, and much of it would likely be returned, “but the bigger problem would be when people lose confidence in the system’s ability to function properly.”
Gupta said an immediate problem is that the Comptroller account was giving away comp tokens that were reserved for future rewards.
You can think of Comptroller as the heart of Compound, explained Gupta. It facilitates all core functions like borrowing, lending and rewarding.
The comptroller monitors the cash pool that is used to pay rewards to users who provide their crypto to their borrowers at a set interest rate, which is usually a single digit APY.
“Future rewards may need to be reduced to make comptrollers solvent,” said Gupta.