Compound Incorrect Reward Calculation Bug

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Compound Finance

Compound Finance reached unanimous support on a proposal to upgrade their smart contract; the upgraded contract minted additional COMP tokens, which were considered to be unfair. They came up with a proposal that would break various smart contracts, before coming out with another to revert the damage.

In the end, the majority of additional funds were not returned, though the loss to the market price was not as significant as in some other cases. The protocol continues.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25]

About Compound Finance

"Compound, one of the leading defi-based protocols, is launching a new service called Treasury. Compound’s Treasury is a new product designed to help institutions enter the defi space. Launched in partnership with Circle and Fireblocks, it skips the uber astounding rates conventional defi protocols offer. However, it seeks to offer stable revenue for companies looking to get passive income from their funds in dollars." "Treasury allows third parties to use fiat dollars to enter the space."

"The DeFi lending pioneer made the announcement in a blog post on June 29, adding that the new Compound Treasury has been designed for non-crypto native businesses and financial institutions to access the benefits of the protocol."

"Compound stated that the protocol has performed flawlessly throughout the market volatility and has secured itself as a pillar of the DeFi ecosystem. It wants to bring this security and reliability to institutional investors by expanding its suite of products."

"This proposal splits COMP rewards distributions between borrowers and suppliers. Upon passing, governance will be enabled to set reward rates specifically for borrowers vs. suppliers in any market." "At the moment, the COMP rewards rate for any single market is applied at the same rate for both suppliers and borrowers. This creates undesirable market conditions such as, but not limited to, negative interest rates when borrowing various assets." "This proposal changes the Comptroller logic to have two different COMP distribution rates for each and every market - borrow-side (compBorrowSpeeds) rate and supply-side (compSupplySpeeds) rate." "If governance is able to change the ratio, we can more effectively incentivize, develop, and maintain markets. For example, distributing all rewards for a market to its suppliers is a good way to incentivize deposits. Or we could distribute more to borrowers to incentivize borrowing."

"A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol." "Proposal 62 and the new contract were written by a community member, with review from multiple other community members." "For Votes – 100%"

"Starting from ~22:20 UTC on Sep 29th, certain users could claim rewards that they had not earned." "Unusual activity has been reported regarding the distribution of COMP following the execution of Proposal 062." "No supplied/borrowed funds are at risk -- Compound Labs and members of the community are investigating discrepancies in the COMP distribution."

"Compound upgraded their comptroller contract to [a new contract] which had a one letter bug on L1217." "The new Comptroller contract contains a bug, causing some users to receive far too much COMP." "This led to a reverse rug pull in which Comptroller is giving away more rewards to (past) Suppliers than expected."

"About 240k COMP tokens (~$70m) have been given away already and another 40k (~$13m) will likely be given away soon. If you had supplied tokens before today, go try your luck." "The impact of the bug is limited to the comp available in the comptroller’s smart contract, which is approximately 280,000 comp, worth $88 million at the time of writing."

"This is the greatest opportunity, and greatest risk for a decentralized protocol–that an open development process allows a bug to enter production."

"The bug happens when someone supplies tokens for a market with zero comp rewards like cSUSHI, and cTUSD before the market is initialized or migrated."

"`supplyIndex` for such tokens remains equal to `compInitialIndex` which means that the if block on L1217 is not triggered." "The check there should have been `>=` rather than `>`."

"Since the if block is not triggered, `supplierIndex` remains 0 while `supplyIndex` is 1e36."

"The delta of the indexes becomes 1e36 and the protocol pays out rewards for 1e36 indexes rather than the intended zero rewards."

"The last version of comptroller had the same checks but it was fine then because the initial value of `supplyIndex` was 0 rather than 1e36."

"Logically, the check should have been `>=` even then but since the default was 0, `>` was functionally equivalent but a bit more optimal."

"In the latest version, changes happened to the default values which meant that this optimization became invalid. If someone only reviewed the delta of the upgraded contract, they might have missed this."

"A small change at one place can introduce a vulnerability at another."
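The defect quoted above can be reproduced off-chain with a small model. The following Python is an added example written for this page, not Compound's Solidity; it keeps the variable names from the quotes (supplyIndex, supplierIndex, compInitialIndex) and assumes the bootstrap branch has the shape the quotes describe: a user whose supplierIndex is still 0 is reset to compInitialIndex only when the market's supplyIndex passes the comparison. The cToken balance and the market states are constructed, and the fixed-point arithmetic is a simplified stand-in for the Comptroller's.

```python
# Toy model of supplier-side COMP accrual, parameterised so the buggy `>`
# check and the corrected `>=` check can be run side by side.
# Constructed example for this page, not Compound's own code.

DOUBLE_SCALE = 10**36        # scale of Compound's "Double" fixed-point values
NEW_INITIAL_INDEX = 10**36   # compInitialIndex after the Proposal 62 upgrade (1e36)
OLD_INITIAL_INDEX = 0        # starting value of supplyIndex in the previous Comptroller


class Market:
    """State for one cToken market: the global supply index plus each
    supplier's last checkpointed index and cToken balance (constructed)."""

    def __init__(self, supply_index, balances):
        self.supply_index = supply_index      # compSupplyState[cToken].index
        self.balances = dict(balances)        # cToken.balanceOf(user)
        self.supplier_index = {}              # compSupplierIndex[cToken][user], 0 if unset


def distribute_supplier_comp(market, supplier, initial_index, strict):
    """Return COMP owed to `supplier` since their last checkpoint and
    advance the checkpoint, mirroring the structure the quotes describe.

    strict=True  -> bootstrap condition uses `>`  (the Proposal 62 defect)
    strict=False -> bootstrap condition uses `>=` (the intended check)
    """
    supply_index = market.supply_index
    supplier_index = market.supplier_index.get(supplier, 0)
    market.supplier_index[supplier] = supply_index   # checkpoint the user

    # Bootstrap branch (assumed shape): a user who supplied before the market
    # index was initialised has supplierIndex == 0 and must be started from the
    # initial index instead of 0. With initial_index == 1e36 and a market that
    # never accrued, `>` is false, the branch is skipped, and the delta is 1e36.
    bootstrap = supply_index > initial_index if strict else supply_index >= initial_index
    if supplier_index == 0 and bootstrap:
        supplier_index = initial_index

    delta_index = supply_index - supplier_index      # sub_(supplyIndex, supplierIndex)
    tokens = market.balances.get(supplier, 0)
    return tokens * delta_index // DOUBLE_SCALE      # mul_(supplierTokens, deltaIndex)


def first_claim(supply_index, balance, initial_index, strict):
    """COMP paid on a user's first-ever claim in a market with the given index."""
    market = Market(supply_index, {"alice": balance})
    return distribute_supplier_comp(market, "alice", initial_index, strict)


def compare_checks(supply_index, balance, initial_index):
    """Payout under the buggy `>` check ("gt") and under `>=` ("ge")."""
    return {
        "gt": first_claim(supply_index, balance, initial_index, strict=True),
        "ge": first_claim(supply_index, balance, initial_index, strict=False),
    }


if __name__ == "__main__":
    balance = 1_000 * 10**8   # 1,000 cTokens at 8 decimals, a constructed balance

    # Zero-reward market that was never initialised: supplyIndex stays at 1e36.
    print("dormant market, new Comptroller:",
          compare_checks(NEW_INITIAL_INDEX, balance, NEW_INITIAL_INDEX))

    # Same logic on the old Comptroller, where the initial index was 0:
    # `>` and `>=` agree, which is why the defect was invisible before.
    print("dormant market, old Comptroller:",
          compare_checks(OLD_INITIAL_INDEX, balance, OLD_INITIAL_INDEX))

    # A market that really accrued rewards: both checks pay the same amount.
    print("active market:",
          compare_checks(NEW_INITIAL_INDEX + 5 * 10**35, balance, NEW_INITIAL_INDEX))
```

Run as a script it prints the three scenarios; the dormant market under the new initial index is the only one where the two checks disagree, and it is also the case a diff-only review would miss, because the comparison itself was untouched by the upgrade while the constant it compares against moved from 0 to 1e36.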

"The best-kept secret in DeFi is out, someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller." "When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users."

"If you tally the initial $80m, $22m already claimed after the drip and the $45m currently at risk, the bug tallies to $147m, making it officially the largest fund loss in a smart contract incident."

"Due to the governance processes and the policies of applying governance changes to the platform, there is no quick and easy fix to this problem. Each governance proposal requires at least seven days to be passed, approved, and applied. However, proposal 063, presented by some community members, disables the ability to claim comp until the bug is resolved."

"There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production."

"All supplied assets, borrowed assets, and positions are completely unaffected. Users don't have to worry about their funds; the only risk is that you (or another user) receives an unfairly large quantity of COMP." "Labs, and members of the community, are evaluating potential steps to patch the COMP distribution."

"Proposal 063 by @Arr00c @tylerether and other community members disables the ability to claim COMP, until the correct distribution logic is restored."

"Proposal 62 introduced a bug in the COMP distribution logic that allowed users borrowing certain assets to claim more than their intended share of COMP. This puts all of the COMP tokens in the Comptroller contract at risk, but not those in the Reservoir contract. For more details, see Leshner's tweets here. This change will prevent further COMP from being distributed until the correct logic is restored."

"This change disables distributing accrued COMP until a long-term fix is tested and implemented. As this change was pushed out as quickly as possible, please follow along in the forum thread where we will provide more information during the review period."

"Suggest voting against this proposal because it would brick the integrations which expect to be able to call claimComp, which will always be reverting with the proposed change." "Proposal 63 - revert when collecting COMP - was canceled by the community multisig several hours ago, and so the reverts will not be happening."

"Proposal 62 introduced a bug in the COMP distribution logic that allowed users borrowing certain assets to claim more than their intended share of COMP. Proposal 63 prevents further COMP from being distributed until the correct logic is restored but causes issues for protocols that integrated with Compound and required the claim functionality."

Proposal 64 will "[p]atch the bug introduced in Proposal 62 and pessimistically allow COMP reward withdrawals until the bad COMP accruals can be fixed." "After this proposal passes, we'll have a state where we'll be able to compute an exhaustive list of users with bad COMP accrual values. From there, we'll submit another proposal to fix the bad COMP accrual values and return everything to normal." "Proposal 64 (no revert) has now passed, and is waiting in timelock."

"Leshner tried to warn community members that, if the majority of the claimed comp was not returned, he would report it to the IRS as income, revealing their identities in the process. This caused almost universal uproar from Compound users, who questioned how decentralized the protocol really was."

"If you received a large, incorrect amount of COMP from the Compound protocol error please return it to the Compound Timelock. Keep 10% as a white-hat."

"Otherwise, it's being reported as income to the IRS, and most of you are doxxed."

"I’m trying to do anything I can to help the community get some of its COMP back, and this was a bone-headed tweet / approach. That’s on me."

"For the majority of users, the COMP Distribution will return to normal after execution."

"Certain users (that hit the 62 bug) will be unable to claim COMP until after a future patch."

"Probably a bug in the claim contract that rewarded the first claimer with thousands of COMP. Someone interacted with the protocol unintentionally knowing it was bugged, got lucky with thousands of COMP, then intentionally yolo'd and sold it off."

"a guy took 30k COMP out and swapped 5k COMP to ETH on sushiswap lol"

"One of the people that exploited @compoundfinance took their 10M in COMP and dumped them on OKEX and Huobi for stables, then started farming curve with them."

"[their account] Must be KYC'd because they withdrew millions from these CEXes"

"excess claimed: 357777.8663014873 comp" "returned to timelock: 116919.43972 comp (32.68%)"

"The only victims were COMP token holders, who temporarily suffered faster dilution than they expected."

"If you compare the negative impact on token holders to the happiness of the users who “won” their rewards, then this doesn’t seem to be a disaster. However, a repeat of this would not be sustainable."

What Happened

Key Event Timeline - Compound Incorrect Reward Calculation Bug
Date               | Event      | Description
October 3rd, 2021  | Main Event |

Technical Details

Total Amount Lost

The total amount lost has been estimated at $148,800,000 USD.

Immediate Reactions

Ultimate Outcome

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Defi Platform Compound Bug Allows Users to Claim $88 Million in Tokens – Bitcoin News (Oct 3, 2021)
  2. @rleshner Twitter (Oct 3, 2021)
  3. @rleshner Twitter (Oct 3, 2021)
  4. @rleshner Twitter (Oct 11, 2021)
  5. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
  6. Compound Finance to Launch DeFi Treasury for Institutions (Oct 18, 2021)
  7. Compound Launches Treasury to Introduce Institutions to Defi – Bitcoin News (Dec 3, 2021)
  8. @rleshner Twitter (Dec 3, 2021)
  9. Compound (Dec 3, 2021)
  10. RFP 16: Dynamic COMP reward distribution - Proposals - Compound Community Forum (Dec 3, 2021)
  11. Split COMP rewards distribution by TylerEther · Pull Request #144 · compound-finance/compound-protocol · GitHub (Dec 3, 2021)
  12. compound-protocol/hypothetical_mainnet_upgrade.scen at f73b29373eb65cedf24896d7be46eed38435fc91 · TylerEther/compound-protocol · GitHub (Dec 3, 2021)
  13. @compoundfinance Twitter (Dec 3, 2021)
  14. $271.11 | Compound (COMP) Token Tracker | Etherscan (Dec 3, 2021)
  15. @Mudit__Gupta Twitter (Dec 3, 2021)
  16. Comptroller | 0x374abb8ce19a73f2c4efad642bda76c797f19233 (Dec 3, 2021)
  17. Compound (Dec 3, 2021)
  18. @bantg Twitter (Dec 3, 2021)
  19. @bantg Twitter (Dec 3, 2021)
  20. @rleshner Twitter (Dec 3, 2021)
  21. comp.ipynb · GitHub (Dec 3, 2021)
  22. Rekt - Overcompensated (Dec 3, 2021)
  23. SlowMist Hacked - SlowMist Zone (Nov 6, 2021)
  24. Compound Contract Bug Keeps Infesting Before Fix Can be Implemented (Dec 1, 2022)
  25. DeFi protocol Compound mistakenly gives away $90 million to users (Nov 9, 2022)