Robert Leshner, founder of decentralized finance biz Compound Labs, has asked for the return of roughly $90m worth of COMP tokens after a smart contract bug distributed more of the cryptocurrency than it should have.
COMP tokens get distributed on a daily basis to users of the Compound protocol. They grant holders a say in the communal governance of the protocol, which is used for financial transactions like borrowing and lending with cryptocurrencies.
Decentralized finance relies on smart contracts that don’t necessarily live up to their name to handle transactions. That is to say, the code controlling these smart contracts often contains dumb mistakes.
“A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol,” said Leshner on Wednesday, via Twitter. “The new Comptroller contract contains a bug, causing some users to receive far too much COMP.”
According to Leshner, at most 280,000 tokens were wrongly distributed. At the current COMP token value of about $322, that’s more than 90m US dollars.
On Thursday, Leshner pleaded for the tokens to be returned, offering to let Good Samaritans keep 10 per cent, and hinting at consequences for those who fail to comply.
He wrote:
Those discussing the incident on Compound’s Discord chat space note that recipients of the errant funds need to use the claimComp
function manually to get the COMP tokens – the tokens won’t just show up in one’s account automatically. Some individuals have already done so – here’s a transaction claiming about $29m.
Discord chat participants also appear to be none too pleased with the doxxing threat. “Total clown show up in here,” one individual complained. “Protocol error and innocent people threatened w dox.”
Despite Leshner’s commitment to report windfall recipients to US tax authorities – as his company is presumably obligated to do under US tax law – some participants in the Compound community have already returned their accidental COMP riches. Others have suggested keeping the money and paying whatever tax is due on the COMP windfall would still be rather lucrative.
Meanwhile, Compound Proposition 63 is being reviewed and is scheduled to be voted on in a few days. It “disables the ability to claim COMP, until the correct distribution logic is restored.” That still leaves time for recipients of misdirected funds to cash in.
The bug, according to blockchain security researcher Mudit Gupta, consists of a single character: the Compound code update used a >
operator where it should have used >=
.
Compound Incident Analysis:
Compound upgraded their comptroller contract to https://t.co/mgLGKCywxf which had a one letter bug on L1217.
This led to a reverse rug pull in which Comptroller is giving away more rewards to (past) Suppliers than expected. 🧵👇 pic.twitter.com/BskHIibsUJ
— Mudit Gupta (@Mudit__Gupta) September 30, 2021
“The bug happens when someone supplies tokens for a market with zero comp rewards like cSUSHI, and cTUSD before the market is initialized or migrated,” said Gupta via Twitter. “supplyIndex
for such tokens remains equal to compInitialIndex
which means that the if
block on [Line 1217] is not triggered.”
By using the >
operator rather than the >=
operator, the if
code block is not called and the supplierIndex
variable stays at 0 while supplyIndex
is 1e36. The delta, or difference between the two values, becomes 1e36 and the Compound protocol then pays out a reward for 1e36 indexes instead of zero.
In the Compound forum, developers discussing the incident believe it would be a good idea to commit to rigorous testing and auditing prior to major code changes. ®