The developers of the Compound protocol have reported an error in the distribution of COMP governance tokens that occurred after the activation of RFP-062. According to the project's founder and CEO Robert Leshner, in the worst case the damage will exceed $82 million.
The Compound protocol runs a liquidity mining programme: participants receive COMP tokens for placing assets in its pools. The mining rate is 0.5 COMP per block (~2,312 COMP per day).
RFP-062, which came into force on September 30, replaced the previous 50/50 model for distributing governance tokens. Liquidity providers and borrowers now receive COMP according to special coefficients.
The update was also meant to fix minor bugs, but it itself contained a serious vulnerability: users could receive tokens in excess of the amount set by the rules.
It is possible that several users have already exploited this error. One transaction recorded on the blockchain shows an address receiving 91,000 COMP (~$27.3 million) for providing zero liquidity. To obtain the tokens, its owner paid $157.77 in gas.
Subsequently, the same address used the Uniswap decentralized exchange to swap part of the COMP (~$140,000) for USDC stablecoins.
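As an added illustration (not from the article and not Compound's own code), the following Python reconciles a reward claim against the rules the article describes: emission of 0.5 COMP per block, split between pool sides by a coefficient and then pro rata by share, so that a payout for zero liquidity or one exceeding the whole protocol's emission over the window stands out. The per-pool coefficient, block window and sample claims are constructed values.

```python
from dataclasses import dataclass

COMP_PER_BLOCK = 0.5  # emission rate stated in the article (~2,312 COMP per day)


@dataclass
class Claim:
    address: str
    comp_claimed: float
    user_liquidity: float    # claimant's balance in the pool over the accrual window
    pool_liquidity: float    # total balance in the same pool over that window
    blocks_elapsed: int      # blocks since the claimant's previous accrual
    pool_speed_share: float  # hypothetical: fraction of per-block emission routed to this pool side


def expected_accrual(c: Claim) -> float:
    """Pro-rata entitlement: the pool's slice of emission over the window,
    scaled by the claimant's share of that pool. Zero liquidity earns zero."""
    if c.user_liquidity <= 0 or c.pool_liquidity <= 0:
        return 0.0
    pool_emission = COMP_PER_BLOCK * c.pool_speed_share * c.blocks_elapsed
    return pool_emission * (c.user_liquidity / c.pool_liquidity)


def audit_claim(c: Claim, tolerance: float = 0.01) -> list[str]:
    """Return the reasons a claim looks inconsistent with the distribution rules."""
    findings = []
    if c.comp_claimed > 0 and c.user_liquidity <= 0:
        findings.append("paid out for zero liquidity")
    protocol_cap = COMP_PER_BLOCK * c.blocks_elapsed  # everything the protocol could emit
    if c.comp_claimed > protocol_cap:
        findings.append(f"exceeds total protocol emission over window ({protocol_cap:.1f} COMP)")
    expected = expected_accrual(c)
    if c.comp_claimed > expected * (1 + tolerance):
        findings.append(f"exceeds pro-rata entitlement ({expected:.2f} COMP)")
    return findings


# Constructed sample claims. The first mirrors the article's 91,000 COMP payout for zero
# liquidity; the block window and pool figures are invented for the illustration.
SUSPECT = Claim("0xsuspect", 91_000.0, 0.0, 1_000_000.0, 5_000, 0.5)
NORMAL = Claim("0xnormal", 62.5, 250.0, 1_000.0, 1_000, 0.5)

if __name__ == "__main__":
    for claim in (SUSPECT, NORMAL):
        print(claim.address, audit_claim(claim) or ["ok"])
```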
User assets are safe
According to Leshner, user assets are safe. The Comptroller contract's address holds a limited number of tokens, so the impact is capped, “at worst, 280k COMP tokens” (~$84 million at the time of writing).
At the time of writing, only 3,721 COMP (~$1.1 million) remained at the Comptroller's address. “There are no administrative controls or community tools to disable the distribution of COMP. Any changes to the protocol require a seven-day review process before implementation,” the CEO wrote.
Following the incident, the COMP price dropped by more than 10%, according to CoinGecko; at the time of writing, the token is trading near $299.