$148 800 000 USD
DESCRIPTION OF EVENTS
"Compound, one of the leading defi-based protocols, is launching a new service called Treasury. Compound’s Treasury is a new product designed to help institutions enter the defi space. Launched in partnership with Circle and Fireblocks, it skips the uber astounding rates conventional defi protocols offer. However, it seeks to offer stable revenue for companies looking to get passive income from their funds in dollars." "Treasury allows third parties to use fiat dollars to enter the space."
"The DeFi lending pioneer made the announcement in a blog post on June 29, adding that the new Compound Treasury has been designed for non-crypto native businesses and financial institutions to access the benefits of the protocol."
"Compound stated that the protocol has performed flawlessly throughout the market volatility and has secured itself as a pillar of the DeFi ecosystem. It wants to bring this security and reliability to institutional investors by expanding its suite of products."
"This proposal splits COMP rewards distributions between borrowers and suppliers. Upon passing, governance will be enabled to set reward rates specifically for borrowers vs. suppliers in any market." "At the moment, the COMP rewards rate for any single market is applied at the same rate for both suppliers and borrowers. This creates undesirable market conditions such as, but not limited to, negative interest rates when borrowing various assets." "This proposal changes the Comptroller logic to have two different COMP distribution rates for each and every market - borrow-side (compBorrowSpeeds) rate and supply-side (compSupplySpeeds) rate." "If governance is able to change the ratio, we can more effectively incentivize, develop, and maintain markets. For example, distributing all rewards for a market to its suppliers is a good way to incentivize deposits. Or we could distribute more to borrowers to incentivize borrowing."
"A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol." "Proposal 62 and the new contract were written by a community member, with review from multiple other community members." "For Votes – 100%"
"Starting from ~22:20 UTC on Sep 29th, certain users could claim rewards that they had not earned." "Unusual activity has been reported regarding the distribution of COMP following the execution of Proposal 062." "No supplied/borrowed funds are at risk -- Compound Labs and members of the community are investigating discrepancies in the COMP distribution."
"Compound upgraded their comptroller contract to [a new contract] which had a one letter bug on L1217." "The new Comptroller contract contains a bug, causing some users to receive far too much COMP." "This led to a reverse rug pull in which Comptroller is giving away more rewards to (past) Suppliers than expected."
"About 240k COMP tokens (~$70m) have been given away already and another 40k (~$13m) will likely be given away soon. If you had supplied tokens before today, go try your luck." "The impact of the bug is limited to the comp available in the comptroller’s smart contract, which is approximately 280,000 comp, worth $88 million at the time of writing."
"This is the greatest opportunity, and greatest risk for a decentralized protocol–that an open development process allows a bug to enter production."
"The bug happens when someone supplies tokens for a market with zero comp rewards like cSUSHI, and cTUSD before the market is initialized or migrated."
"`supplyIndex` for such tokens remains equal to `compInitialIndex` which means that the if block on L1217 is not triggered." "The check there should have been >= rather than >."
"Since the if block is not triggered, `supplierIndex` remains 0 while `supplyIndex` is 1e36."
"The delta of the indexes becomes 1e36 and the protocol pays out rewards for 1e36 indexes rather than the intended zero rewards."
"The last version of comptroller had the same checks but it was fine then because the initial value of `supplyIndex` was 0 rather than 1e36."
"Logically, the check should have been `>=` even then but since the default was 0, `>` was functionally equivalent but a bit more optimal."
"In the latest version, changes happened to the default values which meant that this optimization became invalid. If someone only reviewed the delta of the upgraded contract, they might have missed this."
"A small change at one place can introduce a vulnerability at another."
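The comparison described in the quoted thread, modeled in Python as an added example (not Compound's Solidity and not code from the page). `supplyIndex`, `supplierIndex` and `compInitialIndex` follow the names quoted above; the shape of the if block, the 1e36 scaling of the payout, the helper names and the sample balances are assumptions constructed for illustration.

```python
# Added model of the index check described above; not the Comptroller source.
COMP_INITIAL_INDEX = 10**36  # from the page: default supplyIndex in the new version
DOUBLE_SCALE = 10**36        # assumption: fixed-point scale applied to index deltas


def supplier_payout(balance, supply_index, supplier_index, fixed):
    """Reward units accrued by one supplier in one market (hypothetical helper).

    fixed=False models the shipped `>` comparison, fixed=True the `>=` one.
    """
    if fixed:
        at_or_past_initial = supply_index >= COMP_INITIAL_INDEX
    else:
        at_or_past_initial = supply_index > COMP_INITIAL_INDEX
    # Assumed shape of the if block: a supplier that was never indexed starts
    # from the initial index, so only rewards accrued after that point count.
    if supplier_index == 0 and at_or_past_initial:
        supplier_index = COMP_INITIAL_INDEX
    delta_index = supply_index - supplier_index
    return balance * delta_index // DOUBLE_SCALE


# Constructed cases: (label, balance in raw units, supplyIndex, supplierIndex)
CASES = [
    ("zero-reward market, supplied before init", 1_000_000, COMP_INITIAL_INDEX, 0),
    ("zero-reward market, already indexed", 1_000_000, COMP_INITIAL_INDEX, COMP_INITIAL_INDEX),
    ("rewarded market, supplied before init", 1_000_000, COMP_INITIAL_INDEX + 3 * 10**33, 0),
]


def compare(cases=CASES):
    """Return {label: (payout with `>`, payout with `>=`)}."""
    return {
        label: (
            supplier_payout(balance, s_idx, u_idx, fixed=False),
            supplier_payout(balance, s_idx, u_idx, fixed=True),
        )
        for label, balance, s_idx, u_idx in cases
    }


def overpaid(cases=CASES):
    """Labels of cases where the `>` comparison pays more than `>=`."""
    return [label for label, (buggy, patched) in compare(cases).items() if buggy > patched]


if __name__ == "__main__":
    for label, (buggy, patched) in compare().items():
        print(f"{label}: '>' pays {buggy}, '>=' pays {patched}")
```

Only the boundary case, where the market index still equals its initial value, differs between the two comparisons, which is why a test at exactly `compInitialIndex` is the one to add when a default value changes.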
"The best-kept secret in DeFi is out, someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller." "When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users."
"If you tally the initial $80m, $22m already claimed after the drip and the $45m currently at risk, the bug tallies to $147m, making it officially the largest fund loss in a smart contract incident."
"Due to the governance processes and the policies of applying governance changes to the platform, there is no quick and easy fix to this problem. Each governance proposal requires at least seven days to be passed, approved, and applied. However, proposal 063, presented by some community members, disables the ability to claim comp until the bug is resolved."
"There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production."
"All supplied assets, borrowed assets, and positions are completely unaffected. Users don't have to worry about their funds; the only risk is that you (or another user) receives an unfairly large quantity of COMP." "Labs, and members of the community, are evaluating potential steps to patch the COMP distribution."
"Proposal 063 by @Arr00c @tylerether and other community members disables the ability to claim COMP, until the correct distribution logic is restored."
"Proposal 62 introduced a bug in the COMP distribution logic that allowed users borrowing certain assets to claim more than their intended share of COMP. This puts all of the COMP tokens in the Comptroller contract at risk, but not those in the Reservoir contract. For more details, see Leshner's tweets here. This change will prevent further COMP from being distributed until the correct logic is restored."
"This change disables distributing accrued COMP until a long-term fix is tested and implemented. As this change was pushed out as quickly as possible, please follow along in the forum thread where we will provide more information during the review period"
"Suggest voting against this proposal because it would brick the integrations which expect being able to call claimComp which will be always reverting with the proposed change." "Proposal 63 - revert when collecting COMP - was canceled by the community multisig several hours ago, and so the reverts will not be happening."
"Proposal 62 introduced a bug in the COMP distribution logic that allowed users borrowing certain assets to claim more than their intended share of COMP. Proposal 63 prevents further COMP from being distributed until the correct logic is restored but causes issues for protocols that integrated with Compound and required the claim functionality."
Proposal 64 will "[p]atch the bug introduced in Proposal 62 and pessimistically allow COMP reward withdrawals until the bad COMP accruals can be fixed." "After this proposal passes, we'll have a state where we'll be able to compute an exhaustive list of users with bad COMP accrual values. From there, we'll submit another proposal to fix the bad COMP accrual values and return everything to normal." "Proposal 64 (no revert) has now passed, and is waiting in timelock."
"Leshner tried to warn community members that, if the majority of the claimed comp was not returned, he would report it to the IRS as income, revealing their identities in the process. This caused almost universal uproar from Compound users, who questioned how decentralized the protocol really was."
"If you received a large, incorrect amount of COMP from the Compound protocol error please return it to the Compound Timelock. Keep 10% as a white-hat."
"Otherwise, it's being reported as income to the IRS, and most of you are doxxed."
"I’m trying to do anything I can to help the community get some of its COMP back, and this was a bone-headed tweet / approach. That’s on me."
"For the majority of users, the COMP Distribution will return to normal after execution."
"Certain users (that hit the 62 bug) will be unable to claim COMP until after a future patch."
"Probably a bug in the claim contract that rewarded the first claimer with thousands of COMP. Someone interacted with the protocol unintentionally knowing it was bugged, got lucky with thousands of COMP, then intentionally yolo’d and sold it off"
"a guy took 30k COMP out and swapped 5k COMP to ETH on sushiswap lol"
"One of the people that exploited @compoundfinance took their 10M in COMP and dumped them on OKEX and Huobi for stables, then started farming curve with them."
"[their account] Must be KYC'd because they withdrew millions from these CEXes"
"excess claimed: 357777.8663014873 comp" "returned to timelock: 116919.43972 comp (32.68%)"
"The only victims were COMP token holders, who temporarily suffered faster dilution than they expected."
"If you compare the negative impact on token holders to the happiness of the users who “won” their rewards, then this doesn’t seem to be a disaster. However, a repeat of this would not be sustainable."
Compound Finance reached unanimous support on a proposal to upgrade their smart contract, which went on to mint additional COMP tokens that were considered to be unfair. They then came up with a proposal that would break various smart contracts, before coming out with another to revert the damage.
In the end, the majority of additional funds were not returned, though the loss to the market price was not as significant as in some other cases. The protocol continues.