Compound's problem has been compounded by the fact that developers are unable to fix the bug until Thursday.
A missing = in a piece of code now means that Compound tokens worth about $156 million are at risk of being drained — and worse still, helpless developers won’t be able to start fixing the bug until Thursday.
Last week, the lending protocol had announced that there were major problems when Compound Proposal 62 came into effect, as users were now allowed to claim far greater rewards than what they were entitled to.
Last Wednesday, Compound Labs CEO Robert Leshner said the glitch had affected a rewards pool of 280,000 COMP tokens — worth $89 million at the time of writing. But in an update on Sunday, Leshner revised this figure upwards to 490,000 COMP.
With Compound’s smart contracts effectively now a source of free money, its governance mechanisms are now facing some unwelcome scrutiny.
Any changes that need to be made to the protocol take seven days to process — meaning that, when something goes badly wrong like this, it takes a week for a remedy to be put into action.
SushiSwap developer Mudit Gupta tweeted:
“This is why timelocks on everything are not always the best option. About a hundred people knew about this possibility since day one but their hands were tied due to the timelock.”
On the bright side, Leshner has said that approximately 117,000 COMP (worth about $37.2 million) that was drained has now been returned — helping to mitigate the damage.
As news of the vulnerability emerged, COMP’s price fell from $335 to $285 — down 15% in a single day.
Prices have since mounted something of a recovery, with the governance tokens changing hands at $318.31 as of Monday morning.
Leo Jakobson contributed reporting to this article.