HomeBlockchainSecurityCompound: a bug allows users to withdraw up to $140 million

Compound: a bug allows users to withdraw up to $140 million

Compound, an Ethereum-based DeFi protocol, has been hit by a bug that would allow users to withdraw up to $140 million in COMP, the native token.

Robert Leshner, founder of Compound Labs, has acknowledged the problem but has yet to fix the bug, worsening the situation.

The bug which made Compound vulnerable

After the bug suffered last week, acknowledged and declared by Compound‘s founder Robert Leshner himself, the situation for one of DeFi’s main crypto lending protocols continues to worsen.

According to Banteg, developer of Yearn (another DeFi protocol), someone called a function known as drip that made millions of COMP tokens available for withdrawal.

“The best-kept secret in DeFi is out, someone called drip() on Compound’s Reservoir, which sent another $68.8m of COMP to Comptroller. I’ve run the numbers and it seems about 1/4 of that could be drained”.

The bug that allegedly affected Compound would make the Comptroller contract vulnerable, which by receiving more than 200 thousand COMP with the drip function, would allow users to claim unusual and, more importantly, large amounts of COMP.

Leshner’s response to Banteg was the following:

“The Reservoir contract holds the majority of COMP reserved for users, and drips 0.50 COMP/block into the protocol. Nobody had called the function in weeks, and community developers were hopeful that Proposal 63 or 64 (in governance) could go into effect before it was called”.

“When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users”.

“This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far”.

Compound bug
A new proposal for Compound: disabling the ability to claim COMP

Compound and the proposal under vote

With this situation at stake, Compound’s proposals are being put to a vote today. First among them is proposal 63, which suggests “disabling the ability to claim COMP, until the correct distribution logic is restored”.

While proposal 64, suggests that “certain community members patches the bug introduced in Proposal 062, and resumes the COMP distribution for the majority of users”.

Meanwhile scrolling through Leshner‘s official Twitter account, some tweets are thanking those users who, understanding the inconvenience, are returning COMP to the community.

The consequences for the price of COMP

With more than $1.7 billion in market capitalization, COMP is experiencing a price drop.

Looking at the chart, since the last week of September when the bug was revealed, the price of COMP has dropped below $370, to $312 at the time of writing, while, for the last three months the price has hovered above $400.

This is nothing like the ATH or All-Time High recorded last May 2021, when the price exceeded $850. 


Stefania Stimolo
Stefania Stimolo
Graduated in Marketing and Communication, Stefania is an explorer of innovative opportunities. She started out as a Sales Assistant for e-commerce, and in 2016 she began to develop a passion for the digital world, initially in the Network Marketing sector, where she discovered and became passionate about the ideals behind Bitcoin and Blockchain technology, which lead her to work as a copywriter and translator for ICO projects and blogs, and organize introductory courses.