Compound may lose more than $160 million due to a bug in the Comptroller smart contract, which has already cost the lending protocol $82 million.
The Comptroller contract is responsible for distributing COMP during the liquidity mining process. After REP-062 was activated this week, a bug appeared in the protocol that allows users to receive more tokens than the rules permit. As a result, the company lost $82 million.
By calling the drip function, unknown persons transferred 202,472 COMP governance tokens (~$66.8 million at the time of writing) from the Reservoir smart contract to the problematic address, said the lead developer of yEarn.Finance, who goes by the nickname banteg.
Four large transactions emptied the Comptroller address
According to him, after the drip function was called, four large transactions drained 64,997 COMP (~$21.5 million) from the Comptroller address. According to banteg, only “addresses with a basic state can drain funds”. The developer stressed that there are at least five more addresses that together can request tokens worth $45 million.
Compound Labs and security experts had been aware of the drip issue for several days but decided to keep it secret, “hoping that no one will notice the problem until the patch is released,” banteg said in an interview with Decrypt.
The founder of the project, Robert Leshner, said that 490,000 COMP (~$161.7 million) were at risk. Of these, “136,000 (tokens) are still in Comptroller. And 117,000 have been returned to the community.”
Earlier in a conversation with CoinDesk, Leshner called the situation a “moral dilemma.” He called on community members to return the unfairly received cryptocurrency and threatened to report the incident to the Internal Revenue Service (IRS). However, not everyone responded to this request.
Recall that in June Compound Labs opened a subsidiary, Compound Treasury. It provides non-banks and other financial institutions with access to the DeFi ecosystem.