Compound’s $150M Bug Fixed, But Two-Day Wait Remains

3 months ago

A proposal to fix the DeFi lending protocol took seven days to pass, and requires another two days to implement even though up to $43 million in COMP tokens is still at risk.


Seven days and many millions of dollars later, a patch to fix a bug in the Compound lending protocol has been approved by the decentralized lending protocol’s token holders.

On September 30, Compound discovered that a bug in its latest update (Proposal 62) was allowing COMP token holders to take far more than their fair share of rewards. $70 million worth had been lost as of Oct. 1.
The problem is that the decentralized finance protocol’s smart contract requires a seven-day voting process before the loophole that is being exploited can be fixed — with as much as $43 million worth of COMP tokens still at risk.
Compound Labs’ founder Robert Leshner said a total of 490,000 COMP, worth about $150 million, was vulnerable because of the bug. By Oct. 3, Leshner reported that Compound’s losses had grown to 354,000 COMP worth more than $110 million — although 117,000 COMP had since been returned, leaving the actual losses at about $74 million at that point.

On October 7, Proposal 64 passed. It will fix the problem after a governance-mandated two-day pause. 

According to Tyler Lowen, who was working on the fix, No. 64 will temporarily freeze reward issuance, but only for those affected by the bug. He said:

“I want to make it clear that COMP rewards are still accruing at normal and expected rates and that everyone will be able to claim their rightfully earned COMP — the majority right away and the rest shortly after.”


Fighting the Fix

The process shows a big weakness in decentralized protocol governance: Its inability to move quickly in case of an emergency. 

That was demonstrated most clearly by Proposal 63, the first fix, which passed by a wide margin but was scrapped before implementation after controversy arose.

It wasn’t just a few angry community members. Blockchain at Berkeley — the university’s blockchain innovation hub — tweeted out a recommendation to vote no on Proposal 63, calling it a brute-force solution that “erodes trust in the protocol.”
Lowen agreed, adding that he voted against it after community feedback. Leshner supported it despite the controversy, calling it a “tool at the community’s disposal” that in the end wasn’t needed.