Compound, a leading and established decentralized finance protocol built on Ethereum, remains exposed following a new development in the bug situation that began last week.
According to an initial disclosure from a Yearn Finance developer known by the pseudonym banteg, a “drip” function was called on the protocol, making funds in $COMP, its native token, available for users to claim. The amount of $COMP made available by the function runs to over $140 million, according to the developer’s estimates.
The best-kept secret in DeFi is out, someone called drip() on Compound’s Reservoir, which sent another $68.8m of COMP to Comptroller.
I’ve run the numbers and it seems about 1/4 of that could be drained. https://t.co/I4mGeNX6uT
— banteg (@bantg) October 3, 2021
In this latest development, over 200,000 COMP tokens were sent to the Comptroller contract, the same protocol component that was affected at the onset of the bug last week. Initially, the bug allowed users to claim unusually high amounts of the native token. The drip function moves funds from the token’s “cold wallet” contract, the Compound Reservoir, to the Comptroller contract for distribution among all holders.
The Reservoir contract holds the majority of COMP reserved for users, and drips 0.50 COMP/block into the protocol.
Nobody had called the function in weeks, and community developers were hopeful that Proposal 63 or 64 (in governance) could go into effect before it was called. https://t.co/FK3sew2W0b
— Robert Leshner (@rleshner) October 3, 2021
The Yearn Finance developer said that at least five different addresses could drain over $45 million from these tokens alone, which would hurt $COMP by rapidly dragging down its price.
Compound Labs’ Robert Leshner has acknowledged the situation and said that the drip function in question had not been called for weeks, and that his team expected the bug from last week to be patched before any new funds could be exposed to further risk.
“I’m optimistic about the patches making their way through the governance process, which fix the distribution, and the community members that are working to manage this bug,” said Leshner.
However, due to Compound’s internal governance procedures, the previous bug remains unresolved while the protocol awaits review and approval of new proposals. Compound’s native token, $COMP, is down at least 3-4% over the past 24 hours.