San Francisco based DeFi platform Compound has revealed around $62 million worth of its COMP tokens have not been returned after a flawed smart contract update on September 29th allowed many users to help themselves to the platform’s native token.
The bug in the Comptroller contract was introduced on September 29th when the Proposal 62 upgrade was executed. The bug created a situation where some users were able to accrue and claim far more COMP than they should have been entitled to.
Compound says despite pleas to its users to return the assets to the community Timelock, 200,000 Comp tokens have not been returned. At COMP’s current price of US$312 that means around US$62.4 million worth of COMP tokens remain outstanding. Compound says 163,000 COMP tokens have been returned by users.
COMPOUND reviews its testing protocols
The error in the Proposal 62 upgrade has brought the COMP community together around more robust testing and simulation prior to the launch of any future governance proposals.
The platform’s code was originally audited by Trail of Bits and OpenZeppelin but Compound does not record either company having checked Proposal 62. Compound does maintain a Bug Bounty program with a maximum payout of $150,000 dollars for “eligible discoveries.”
Compound has admitted that “not much testing’ of Proposal 26 was done and it has identified the follow threads in its community forum as indicative of the types of actions it will take before rolling out similar upgrades.
- More Rigorous Process On Reviewing Large Code Changes (RE: Comp Bug 9/29/21)
- Protocol Emergency Brakes: Approving a set of Fast-Acting Governance Actions for protocol risk reduction
- Building a more robust deployment process to prevent future meltdown
No individual users funds were lost due to the smart contract exploits deployed in the Proposal 62 upgrade. Nonetheless, the misappropriation of 200,000 COMP tokens serves as a timely reminder that a DeFi platform’s security is only as good as the code of its smart contracts – and users of such platforms should adopt a cautious approach to placing their assets in such an environment.
