The Compound lending protocol bug reported by Robert Leshner is putting $160 million on the platform at risk, as we report today in our cryptocurrency news.
A week ago, founder Robert Leshner called a bug in the Compound lending protocol's smart contract a “moral dilemma”. Today, some saw the smart contract become a vending machine full of free cash when someone exploited the bug in the Comptroller contract, the part of the protocol that distributes yield farming rewards to users. By calling Compound's drip function, they transferred $68 million from the Compound Reservoir to the Comptroller.
Anyone who returns COMP to the community is an alien giga-chad; and if a squad of alien giga-chads ever summon me, I will appear https://t.co/EZLb7g91Ew
— Robert Leshner (@rleshner) October 1, 2021
Since the Yearn Finance core developer tweeted about the exploit earlier this afternoon, four big transactions have drained $24 million from the Compound pool. One of the transactions withdrew $12.3 million. Banteg said that only addresses with the buggy state can drain the pool, and that another few addresses could claim the $45M and empty the Comptroller. Following the update called Proposal 062, the Comptroller pool started distributing 280,000 COMP to the wrong people. Leshner asked users to give the funds back and thanked anyone who did, but because of how governance is structured for the protocol, it took seven days to correct the error.
Anyone can add more COMP to the pool by calling drip(), which is a public function, but nobody had called it in weeks.
“When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users,” Leshner pointed out.
The best-kept secret in DeFi is out, someone called drip() on Compound’s Reservoir, which sent another $68.8m of COMP to Comptroller.
I’ve run the numbers and it seems about 1/4 of that could be drained. https://t.co/I4mGeNX6uT
— banteg (@bantg) October 3, 2021
The drip issue was known to Compound and to security researchers, but since there was no mitigation, it was decided to keep it quiet in the hope that nobody would notice until the patch was out. Community developers hoped that the patches would go live before drip was called, Leshner explained in a tweet, but Banteg called the exploit the “best-kept secret in DeFi.” Leshner explained that the total amount of COMP at risk is $160 million, of which 136K are still in the Comptroller and 117K have been returned to the community so far. Commenting on Banteg's post, trader Christopher Mooney said:
“I’m honestly impressed it took this long with the number of people that knew. Restores my faith in humanity a little, but in the end one of you chose chaotic neutral.”