Compounding problems: $65m more COMP at risk as devs wait for time-locked bug fix

While Compound’s developers submitted a fix for the protocol’s bug on Sept. 30, the update won’t take effect until a seven-day time-lock on code updates has passed.

Major DeFi money market Compound’s woes are worsening, with nearly $150 million worth of COMP now at risk due to a buggy upgrade to the protocol that went live last week.

On Sept. 30, Cointelegraph reported that a bug had resulted in between $70 million and $85 million worth of COMP tokens being mistakenly offered to users as rewards after an update intended to fix bugs and “split COMP rewards distribution” went awry.

Despite the reward distribution error being identified quickly, Compound’s week-long delay on enacting new governance measures meant that the error will not be fixed until Oct. 7.

On Oct. 3, Compound founder Robert Leshner tweeted that 202,472.5 COMP (worth approximately $65 million) had been placed at risk after the protocol’s drip function was called for the first time in roughly two months.

The drip function makes tokens held in Compound’s Reservoir available to users, with 0.5 COMP being accumulated by the Reservoir per block. Leshner noted that “the majority of COMP reserved for users” is held in the Reservoir.

This brings the total COMP at risk to approximately 490k, of which 136k is still in the Comptroller, and 117k has been returned to the community so far (THANK YOU ).

— Robert Leshner (@rleshner) October 3, 2021

SushiSwap developer Mudit Gupta took to social media to criticize the use of time-locks on governance, asserting that roughly 100 people were aware of that the threat posed by the drip function since the Sept. 30 bug was discovered but they were unable to act due to the time-delay on updating the protocol.

Gupta also warned of the risks associated with upgradable smart contracts, asserting they are inappropriate for “large [DeFi] primitives.”

This is why timelocks on everything are not always the best option. About a hundred people knew about this possibility since day 1 but their hands were tied due to the timelock.

All of this 68.8m can be drained, not just a quarter if there are malicious actors involved. https://t.co/xB5T1sjUQ8

— Mudit Gupta (@Mudit__Gupta) October 3, 2021

“I’ve come to see upgradability as more of a bug than a feature,” he added.

While Leshner’s tweet revealed that roughly 117,000 COMP worth $37.6 million had been returned to the protocol following the initial incident, Yearn Finance developer Banteg estimated that one-third of the funds placed at risk by the drip function had already been claimed by users at roughly 3:30 pm UTC on Oct. 3.

Banteg tallied the total value of COMP tokens placed at risk by the protocol’s bug to now be $147 million.

Related: Hackers exploit MFA flaw to steal from 6,000 Coinbase customers — Report

Despite the bug’s initial identification causing the price of COMP to quickly crash 3% from $330 to $286 on Sept. 30, the token quickly recovered and traded above $340 on Oct. 2, according to CoinGecko.

COMP has shed 7% of its value since tagging a local high of $347.5 on Oct. 3, last changing hands for $322 at the time of writing.