$ 162 million to be won after a bug in the DeFi protocol compound

We thought the carnage was over for People’s Decentralized Finance, or DeFi, the Compound Staking Protocol, but it turns out millions more than we thought are at risk. Around $ 162 million is up for grabs after an upgrade gone horribly wrong, according to Robert Leshner, founder of Compound Labs.

The price of Compound’s native token, called comp, is down about 4.8%.

At the beginning, the head of the Compound tweeted on Friday that there was a cap on the number of composition tokens that could be accidentally distributed, noting that “the impact is limited, at worst, to 280,000 composition tokens”, or about $ 92.6 million.

But on Sunday morning, Leshner revealed that the money pool that had already been emptied once had been replenished – exposing another 202,472.5 composition tokens to mine, or roughly $ 66.9 million at its current price.

Some, including a lead developer of the DeFi Yearn platform, charge for this as the biggest loss of funds ever in a smart contract incident, but investors, for their part, don’t seem to care much.

“The crypto market ignored the biggest loss of funds on record as if nothing had happened,” said Mudit Gupta, lead developer at decentralized crypto exchange SushiSwap. “The future of DeFi is bright, but we are in uncharted territory, and there is still a lot to learn.”

DeFi protocols such as Compound are designed to recreate traditional financial systems such as banks and stock exchanges using blockchains enriched with self-executing smart contracts.

Compound rolled out what should have been a pretty standard upgrade on Wednesday. Soon after implementation, however, it was clear that something had seriously gone wrong, once users started receiving millions of dollars in dialing tokens.

For example, $ 30 million in membership tokens was claimed in a single transaction.

The saving grace of the whole debacle, however, was the fact that the money pool that was open for mining – something called the Controller’s Contract – had a finite amount of tokens. The problem is that this leaky pool has received a new influx of money, and 0.5 composition tokens are added about every 15 seconds, according to Gupta.

“When the drop () function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users,” Leshner wrote in a tweet on Sunday morning.

Leshner noted that this brought the total at-risk membership to 490,000 membership tokens, or about $ 162 million.

There are a few proposals to fix the bug, but Compound’s governance model is such that any changes to the protocol require a multi-day voting window, and Gupta said it takes another week for the successful proposal to be executed. .

In the meantime, this pot is up for grabs again for users who know how to exploit the bug.

Compound made it clear that no funds provided or borrowed were at risk, which is some consolation.

“No user fund is or was at risk, so it’s not that big of a deal,” Gupta said. “Everyone got watered down a bit but didn’t lose anything directly.”

There are also white hats in the community.

After the founder of Compound pleaded with users to voluntarily return the platform’s crypto tokens, some did. Leshner said as of Sunday morning about 117,000 compensation tokens, or $ 38.7 million, had been returned.

But as Mati Greenspan, portfolio manager and founder of Quantum Economics points out, the way things are going with this bug is almost completely irrelevant. “The biggest problem is – can it happen again? ” he said.

Compound is the fifth largest DeFi protocol in the world with a total locked-in value of $ 10.3 billion, according to DeFi Llama, which provides ranking and metrics for DeFi protocols.

Greenspan said the protocol can easily absorb this loss and much of it will likely be returned, “but the biggest problem would be if people lose confidence in the system’s ability to function properly.”

Gupta said an immediate issue is that the controller’s account donated reward tokens that were reserved for future rewards.

You can think of the controller as the heart of Compound, Gupta explained. It facilitates all the basic features like borrowing, lending, and reward.

The controller oversees the pool of money used to pay rewards to users who provide their crypto to borrowers at a fixed interest rate, which is usually a single-digit APY.

“Future rewards may have to be reduced for the controller to be solvent,” Gupta said.