Mistakes were made, but who lost out?

A community-led (but professionally checked) proposal contained a bug which allowed for the distribution of ~$80M in excess COMP rewards.

Starting from ~22:20 UTC on Sep 29th, certain users could claim rewards that they had not earned.

Like an “infinite mint” but not quite as deadly, the damage done was indirect.

The only victims were COMP token holders, who temporarily suffered faster dilution than they expected.

Even with the excess dilution, it’s hard to call this a crash.

Big players like Compound have earned the confidence of the community, making this $80 million mishap seem like a drop in the ocean.

The Compound team did their part to downplay the situation, while Robert Leshner was quick to distance himself from the incident.

However, Compound Labs cannot escape their involvement, as they were clearly credited with reviewing the faulty code before it was deployed.

Compound: Comptroller contract

The bug was contained in the comptrollerImplementation’s calculations for long-term users who were supplying or borrowing before the compInitialIndex was established.

Kurt Barry identified the root of the exploit on Twitter:

Smart contracts are unforgiving of the tiniest errors...COMP bug is a tragic case of ">" instead of ">=" (in two code locations).

For a full breakdown, see Mudit Gupta’s thread.
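To make the boundary condition concrete, here is a simplified Python model of index-based reward accrual with the strict and the corrected comparison side by side. It is an added example, not Compound's code: it assumes the comparison guards the reset of an early user's stored index from zero to the initial index, and the function names, the 10**36 constants and the balances are constructed for illustration.

```python
# Simplified model of index-based reward accrual (added example, not Compound's code).
INITIAL_INDEX = 10**36   # assumed starting value of a market's reward index
SCALE = 10**36           # assumed fixed-point scale applied to index deltas


def accrued(market_index, user_index, balance, strict):
    """Reward owed to a user whose stored index is user_index.

    user_index == 0 marks a user who entered before the market's index
    was initialised. strict=True models the '>' comparison,
    strict=False the corrected '>='.
    """
    if strict:
        initialised = market_index > INITIAL_INDEX
    else:
        initialised = market_index >= INITIAL_INDEX
    if user_index == 0 and initialised:
        # Early user: start counting from the initial index, not from zero.
        user_index = INITIAL_INDEX
    delta = market_index - user_index
    return balance * delta // SCALE


def compare(market_index, user_index, balance):
    """Return (strict, corrected) rewards for the same inputs."""
    return (accrued(market_index, user_index, balance, strict=True),
            accrued(market_index, user_index, balance, strict=False))


# Constructed cases: (label, market_index, user_index, balance)
CASES = [
    ("early user, index has moved", INITIAL_INDEX + 5 * 10**33, 0, 1_000),
    ("early user, index still at initial value", INITIAL_INDEX, 0, 1_000),
    ("later user, index has moved", INITIAL_INDEX + 5 * 10**33, INITIAL_INDEX, 1_000),
]

if __name__ == "__main__":
    for label, m, u, b in CASES:
        strict_reward, fixed_reward = compare(m, u, b)
        flag = "MISMATCH" if strict_reward != fixed_reward else "ok"
        print(f"{label:42s} strict={strict_reward:>5} fixed={fixed_reward:>5} {flag}")
```

Only the case where the market index equals the initial index diverges, which is why a unit test that exercises the exact boundary value is the check that separates the two comparisons.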

Those early to interact were able to withdraw enormously inflated rewards, but as the Comptroller’s funds dwindled, latecomers could only pick up the scraps.

A further community proposal to disable COMP rewards and halt losses has been launched; however, with only around $250k remaining in the Comptroller contract, it seems to be too late.

If you compare the negative impact on token holders to the happiness of the users who “won” their rewards, then this doesn’t seem to be a disaster. However, a repeat of this would not be sustainable.

The full consequences are yet to be revealed. As 0xngmi pointed out on Twitter, perhaps those users who could incorrectly claim rewards were not used to covering their tracks.

One of the people that exploited @compoundfinance took their 10M in COMP and dumped them on OKEX and Huobi for stables, then started farming curve with them.

[their account] Must be KYC'd because they withdrew millions from these CEXes

Ser, I got bad news for you

This is a story of system failure, in which no singular party is to blame.

Many individuals were involved in a complex, collaborative project, but in the end it comes down to:

Two characters, tens of millions of value lost.


REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.
