traffic_analyzer | Getty Images
We thought the slaughter for the popular decentralized financial or DeFi staking protocol Compound was over, but it turns out that millions are more at risk than we thought. Approximately $ 162 million is up for grabs after an upgrade goes very wrong. after Robert Leshner, Founder of Compound Labs.
The price of Compound’s native token, called Comp, is down about 4.8%.
First the compound boss tweeted on Friday There was a cap on how many Comp tokens could be accidentally distributed, noting that “the worst case impact is capped at 280,000 Comp tokens,” or about $ 92.6 million.
However, on Sunday morning, Leshner announced that the cash pool, which had already been emptied, had been replenished – exposing another 202,472.5 Comp tokens for exploitation, or about $ 66.9 million at current price.
Some, including a core developer at DeFi platform Yearn, are charging for this as the biggest fund loss ever in a smart contract incident, but investors, for their part, don’t seem to care too much.
“The crypto market has dismissed the biggest fund loss of all time as if it were nothing,” said Mudit Gupta, a core developer of the decentralized crypto exchange SushiSwap. “The future for DeFi is bright, but we are in uncharted territory and there is still a lot to learn.”
What always goes wrong
DeFi protocols like Compound were designed to Build traditional financial systems like banks and stock exchanges using blockchains enriched with self-executing smart contracts.
On Wednesday, Compound released a pretty standard upgrade. However, soon after implementation, it was clear that something had gone seriously wrong when users started raising millions of dollars in Comp tokens.
For example, Comp tokens worth $ 30 million were claimed in one transaction.
However, saving the entire debacle was the fact that the available money pool – called the comptroller contract – had a limited number of tokens. The problem is that this leaky pool has received a new inflow of money and 0.5 comp tokens are added roughly every 15 seconds, according to Gupta.
“When the Drip () function was called this morning, it sent the backlog (202,472.5, approximately two months COMP since the function was last called) in the log for distribution to users.” Leshner wrote in a tweet on Sunday morning.
Leshner noted that this increased the Comp’s overall risk to 490,000 Comp tokens, or about $ 162 million.
There are some suggestions to fix the bug, but Compound’s governance model is such that any changes to the protocol require a multi-day voting window, and Gupta said it would take another week for the successful proposal to execute.
In the meantime, that money pool is back for users who know how to take advantage of the bug.
Compound made it clear that no funds provided or borrowed were at risk, which is some consolation.
“No user funds are or have been at risk, so it’s not that big of a deal,” said Gupta. “Everyone has been watered down somehow, but has not lost anything directly.”
There are also some white hats in the community.
After the Compound founder asked users to voluntarily return the platform’s crypto tokens, some did so. Leshner said about 117,000 Comp tokens, or $ 38.7 million, had been returned by Sunday morning.
But as Mati Greenspan, portfolio manager and founder of Quantum Economics, points out, how things go with this flaw is almost irrelevant. “The bigger problem is – can it happen again?” He said.
Compound is the fifth largest DeFi protocol in the world valued at $ 10.3 billion, according to DeFi Llama, which provides ranking and metrics for DeFi protocols.
Greenspan said the protocol could easily absorb that loss, and much of it would likely be returned, “but the bigger problem would be when people lose confidence in the system’s ability to function properly.”
Gupta said an immediate problem is that the Comptroller account was giving away comp tokens that were reserved for future rewards.
You can think of Comptroller as the heart of Compound, explained Gupta. It facilitates all core functions like borrowing, lending and rewarding.
The comptroller monitors the cash pool that is used to pay rewards to users who provide their crypto to their borrowers at a set interest rate, which is usually a single digit APY.
“Future rewards may need to be reduced to make comptrollers solvent,” said Gupta.