{"id":50433,"date":"2021-09-30T12:55:20","date_gmt":"2021-09-30T09:55:20","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=50433"},"modified":"2025-09-02T17:59:01","modified_gmt":"2025-09-02T14:59:01","slug":"compound-suffers-multimillion-dollar-losses-due-to-protocol-update-bug","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/compound-suffers-multimillion-dollar-losses-due-to-protocol-update-bug\/","title":{"rendered":"Compound suffers multimillion-dollar losses due to protocol update bug"},"content":{"rendered":"<p>The developers of the lending protocol Compound reported a bug in the distribution of the governance token COMP that emerged after the activation of <a href=\"https:\/\/compound.finance\/governance\/proposals\/62\"><span data-descr=\"request for proposals\" class=\"old_tooltip\">RFP<\/span>-062<\/a>. According to project founder Robert Leshner, in the worst case the damage could exceed $82 million.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol.<\/p>\n<p>The new Comptroller contract contains a bug, causing some users to receive far too much COMP. <a href=\"https:\/\/t.co\/Fy6nLgDqKy\">https:\/\/t.co\/Fy6nLgDqKy<\/a><\/p>\n<p>\u2014 Robert Leshner (@rleshner) <a href=\"https:\/\/twitter.com\/rleshner\/status\/1443380518498848768?ref_src=twsrc%5Etfw\">September 30, 2021<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Compound has a <a href=\"https:\/\/u1f987.com\/en\/news\/what-is-compound-comp\">liquidity mining process<\/a> in place: participants receive COMP tokens for depositing assets into its pools. The mining rate is 0.5 COMP\/block (~2312 COMP\/day).<\/p>\n<p>RFP-062, which came into effect on September 30, changed the previous governance token distribution model (50\/50). 
Now liquidity providers and borrowers receive COMP according to specific coefficients.<\/p>\n<p>The update was also intended to fix minor bugs, but it itself contained a serious vulnerability \u2014 users were paid tokens beyond the amount set by the rules.<\/p>\n<p>One of the first to notice the problem was a community member under the alias napgener. He pointed to several suspicious transactions in which the protocol paid users $15 million in COMP for borrowing and supplying only a negligible amount of USDC, ETH, and DAI.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">Some funky business happening on <a href=\"https:\/\/twitter.com\/search?q=%24COMP&#038;src=ctag&#038;ref_src=twsrc%5Etfw\">$COMP<\/a><br \/>possible rug in the <a href=\"https:\/\/twitter.com\/compoundfinance?ref_src=twsrc%5Etfw\">@compoundfinance<\/a> comptroller. \u26a0\ufe0f<a href=\"https:\/\/twitter.com\/rleshner?ref_src=twsrc%5Etfw\">@rleshner<\/a> <a href=\"https:\/\/t.co\/IRTJIQnBEx\">https:\/\/t.co\/IRTJIQnBEx<\/a><\/p>\n<p>\u2014 napgener 0xbullmarket.eth (@napgener) <a href=\"https:\/\/twitter.com\/napgener\/status\/1443350694635921409?ref_src=twsrc%5Etfw\">September 29, 2021<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Several users may have already exploited the bug. The blockchain shows a <a href=\"https:\/\/etherscan.io\/tx\/0xf4bfef1655f2092cf062c008153a5be66069b2b1fedcacbf4037c1f3cc8a9f45\">recorded<\/a> transaction in which an address received 91,000 COMP (~$26.8 million) for providing zero liquidity. 
To claim the tokens, its owner paid $157.77 in gas.<\/p>\n<p>Subsequently, the same address used the decentralized exchange Uniswap to swap part of the COMP (~$140,000) for stablecoins USDC.<\/p>\n<p>According to Leshner, user assets are safe. The Comptroller contract address <a href=\"https:\/\/etherscan.io\/address\/0x3d9819210A31b4961b30EF54bE2aeD79B9c9Cd3B\">contains<\/a> a limited quantity of tokens, so &#8220;in the worst case the impact is limited to 280,000 COMP&#8221; (~$82.6 million at the time of writing).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">The Comptroller contract (0x3d9819210A31b4961b30EF54bE2aeD79B9c9Cd3B) contains a limited quantity of COMP; the majority sits in the Reservoir contract (0x2775b1c75658Be0F640272CCb8c72ac986009e38) which releases 0.50 COMP\/block.<\/p>\n<p>The impact is bounded; at worst, 280k COMP tokens.<\/p>\n<p>\u2014 Robert Leshner (@rleshner) <a href=\"https:\/\/twitter.com\/rleshner\/status\/1443380523028697095?ref_src=twsrc%5Etfw\">September 30, 2021<\/a><\/p><\/blockquote>\n<p> <script async=\"\" src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>As of writing, the Comptroller address holds only 3,721 COMP (~$1.1 million).<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>&#8220;There are no administrative controls or community tools to disable COMP distribution. Any changes to the protocol require a seven-day review process before deployment&#8221;, wrote Leshner.<\/p>\n<\/blockquote>\n<p>In the wake of the incident, the price of COMP fell by more than 10%, according to <a href=\"https:\/\/www.coingecko.com\/en\/coins\/compound\">CoinGecko<\/a>. 
At the time of writing, the token trades near $296.<\/p>\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"490\" src=\"https:\/\/u1f987.com\/wp-content\/uploads\/COMPUSDT_2021-09-30_12-38-10-1024x490.png\" alt=\"Compound project suffers multimillion-dollar losses due to protocol update bug\" class=\"wp-image-151318\" srcset=\"https:\/\/u1f987.com\/wp-content\/uploads\/COMPUSDT_2021-09-30_12-38-10-1024x490.png 1024w, https:\/\/u1f987.com\/wp-content\/uploads\/COMPUSDT_2021-09-30_12-38-10-300x144.png 300w, https:\/\/u1f987.com\/wp-content\/uploads\/COMPUSDT_2021-09-30_12-38-10-768x368.png 768w, https:\/\/u1f987.com\/wp-content\/uploads\/COMPUSDT_2021-09-30_12-38-10-1536x735.png 1536w, https:\/\/u1f987.com\/wp-content\/uploads\/COMPUSDT_2021-09-30_12-38-10.png 1834w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption>Hourly chart of COMP\/USDT on Binance. Data: <a href=\"https:\/\/ru.tradingview.com\/symbols\/COMPUSDT\/\">TradingView<\/a>.<br \/><\/figcaption><\/figure>\n<p>In June, Compound Labs <a href=\"https:\/\/u1f987.com\/en\/news\/compound-labs-opens-defi-access-for-institutions\">opened a subsidiary structure, Compound Treasury<\/a>. It provides neobanks and other financial institutions with access to the DeFi ecosystem.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The developers of the lending protocol Compound reported a bug in the distribution of governance tokens COMP that arose after the activation of RFP-062. 
According to founder Robert Leshner, in the worst case the damage could exceed $82 million.<\/p>\n","protected":false},"author":1,"featured_media":50434,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1494,1093],"class_list":["post-50433","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-compound-comp","tag-defi"],"aioseo_notices":[],"amp_enabled":true,"views":"24","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/50433","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/comments?post=50433"}],"version-history":[{"count":1,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/50433\/revisions"}],"predecessor-version":[{"id":50435,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/posts\/50433\/revisions\/50435"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media\/50434"}],"wp:attachment":[{"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/media?parent=50433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/categories?post=50433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/u1f987.com\/en\/wp-json\/wp\/v2\/tags?post=50433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}