COMP, the native token of DeFi lending protocol Compound is down by another 8% today having faced its second exploit in less than a week’s time. This is a bit unfortunate for blue-chip DeFi platforms like Compound as it shakes the trust of investors. On the weekly chart, the COMP price is down by more than 15%.
Last week, an upgrade to the DeFi protocol Compound went haywire thereby mistakenly releasing $90.1 million to its users. Soon after Compound Labs founder Robert Leshner tweeted:
If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat. Otherwise, it’s being reported as income to the IRS, and most of you are doxxed.
Second Exploit of Compound
On Sunday, October 3, Leshner also confirmed another bug in Compound’s Controller Contract contract, a part of the protocol distributing yield farming rewards to users. The bug was first spotted by Yearn.Finance core developer Banteg.
The best-kept secret in DeFi is out, someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller.
I've run the numbers and it seems about 1/4 of that could be drained.https://t.co/I4mGeNX6uT
— banteg (@bantg) October 3, 2021
It clearly means that another $21 million could be drained after the contract exploit. Later, the Compound chief Leshner also tweeted as to how many COMP tokens could be accidentally distributed. He further noted that “the impact is bounded, at worst, 280,000 comp tokens,” or about $92.6 million. Leshner wrote:
The Reservoir contract holds the majority of COMP reserved for users, and drips 0.50 COMP/block into the protocol. Nobody had called the function in weeks, and community developers were hopeful that Proposal 63 or 64 (in governance) could go into effect before it was called.
When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users.
This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far (THANK YOU).
However, the Compound chief remains optimistic about the patches arriving through the governance process. This will fix the issue of distribution. He further added that the community members are actively working to fix this matter.
This could be the biggest ever fund loss through smart contracts in the history of DeFi. Mudit Gupta, a core developer at SushiSwap DEX told CNBC:
“The crypto market shrugged off the largest-ever fund loss as if it was nothing. The future for DeFi is bright but we’re in uncharted territory, and there’s a lot to be learned still.”