A bug was exploited in the Comptroller contract of the DeFi lending protocol Compound.
Robert Leshner, founder of the DeFi lending protocol Compound, discovered a "moral
dilemma" in his smart contract just a week ago.
On Sunday morning, a flawed Compound Finance contract that was supposed to disburse liquidity mining rewards over time transferred $68 million in tokens.
Four significant transactions have drained 64,997 COMP, or $21.4 million, from the pool, a core developer at Yearn.Finance tweeted about the attack. One of these transactions alone withdrew 37,504 COMP ($12.3 million). Only "addresses with the buggy state can drain," according to Twitter user Bantag. Another five addresses might claim $45 million, "emptying the Comptroller."
He goes on to say that he ran the calculations and it appears that around a quarter of that may be drained. "It looks that my estimate was low because of stale data in accruedComp." So far, four people have been able to collect $21.5 million, but there could be more money up for grabs. There isn't a quick way to check all addresses.
One ETH address claimed 37,504 tokens worth $12 million at 9:30 a.m. ET, while another claimed 14,995 tokens worth $4.9 million. The funds, claimed through MakerDAO DSProxy factory contracts, are currently split between two addresses.
The total amount siphoned has now reached $22 million, as per additional claims of 9,499, 1,699, and 2,999 COMP.
Following a recent upgrade called Proposal 062, the Comptroller pool began giving out 280,000 COMP to the wrong people last week. However, because of how Compound's governance works, it takes seven days for them to fix the error.
CBW - External Analyst