A bug was exploited in the DeFi lending protocol Compound’s Comptroller contract.

Robert Leshner, founder of the DeFi lending protocol Compound, discovered a “moral dilemma” in his smart contract just a week ago.

On Sunday morning, a flawed Compound Finance contract that was supposed to disburse liquidity mining rewards over time instead transferred $68 million in tokens.

Four significant transactions drained the pool of 64,997 COMP, or $21.4 million, a core developer at Yearn.Finance tweeted about the attack. One of these transactions alone resulted in a withdrawal of 37,504 COMP ($12.3 million). Only “addresses with the buggy state can drain,” according to Twitter user Bantag. Another five addresses might claim $45 million, “emptying the Comptroller.”

He goes on to say that he ran the calculations and it appears that around a quarter of that may be drained. “It looks like my estimate was low because of stale data in accruedComp.” So far, four people have been able to collect $21.5 million, but there could be more money up for grabs. There isn’t a quick way to check all addresses.

One ETH address claimed 37,504 tokens worth $12 million at 9:30 a.m. ET, while another claimed 14,995 tokens worth $4.9 million. The funds were claimed through MakerDAO DSProxy factory contracts and are currently split between two addresses.

The total amount siphoned has now reached $22 million, as per additional claims of 9,499, 1,699, and 2,999 COMP.
Following a recent upgrade called Proposal 062, the Comptroller pool began giving out 280,000 COMP to the wrong recipients last week. However, because of how Compound’s governance works, it takes seven days to fix the error.

Pavan A
CBW - External Analyst
INDIA