The problems at the large DeFi money market Compound have worsened: COMP valued at nearly $150 million is now at risk due to a flawed upgrade of the protocol that went live last week.
On September 30, Cointelegraph reported that a bug resulted in $70 million to $85 million worth of COMP tokens being erroneously offered as rewards after an update intended to fix bugs and “split COMP reward distribution” went wrong.
Although the reward distribution bug was quickly identified, Compound’s weeks of delay in introducing new governance measures meant that the bug was not fixed until October 7th.
On October 3, Compound founder Robert Leshner tweeted that 202,472.5 COMP (valued at about $65 million) were at risk after the protocol’s drip feature was called for the first time in about two months.
The drip feature supplies users with tokens from Compound’s reservoir, with 0.5 COMP accumulating per block from the reservoir. Leshner noted that “the majority of COMP reserved for users” is kept in the reservoir.
This increases the total COMP at risk to approximately 490,000, of which 136,000 are still in the comptroller and 117,000 have been returned to the community so far (THANK YOU).
– Robert Leshner (@rleshner) October 3, 2021
SushiSwap developer Mudit Gupta used social media to criticize the use of time locks for governance, claiming that around 100 people had been aware of the drip threat since the September 30 bug was discovered, but were unable to act because of the time delay on updating the protocol.
Gupta also warned of the risks associated with upgradeable smart contracts, claiming they are unsuitable for “big [DeFi] primitives.”
Because of this, timeouts for everything aren’t always the best option. About a hundred people had known of this possibility as of Day 1, but their hands were tied due to the timeout.
All of those 68.8 million can be drained, not just a quarter if malicious actors are involved. https://t.co/xB5T1sjUQ8
– Mudit Gupta (@Mudit__Gupta) October 3, 2021
“For me, upgradeability is more of a bug than a feature,” he added.
While Leshner’s tweet revealed that around 117,000 COMP worth $37.6 million had been returned to the protocol after the first incident, Yearn Finance developer Banteg estimated that a third of the funds endangered by the drip function had already been claimed by users as of around 3:30 p.m. UTC on October 3.
Banteg put the total value of the COMP tokens at risk from the error in the protocol at now $147 million.
Despite the initial identification of the bug, which quickly plunged COMP’s price 3% from $330 to $286 on September 30, the token quickly rebounded, trading above $340 on October 2, according to CoinGecko.
COMP has lost 7% of its value since it hit a local high of $347.5 on October 3 and last changed hands at $322 at the time of writing.