Compound crisis averted? Securing exposed COMP could be just the start

Published at: Oct. 8, 2021

As the decentralized finance (DeFi) market continues to pique the interest of investors across the globe, a few incidents have shone a major spotlight on the vulnerabilities various platforms operating within this space are continually exposed to. 

For example, it has recently been unveiled that due to a buggy system upgrade, prominent DeFi money market Compound had put approximately $150 million worth of the native COMP tokens at risk of a third-party hack.

Even though the error was recognized fairly early as Compound’s developers submitted a fix for the protocol’s bug soon after, it’s worth noting that the upgrade is governed by a seven-day time lock, as a result of which no tangible efforts to resolve the issue could have been enacted until Oct. 7. The proposal to fix the bug has since successfully passed and is set to be executed on Oct. 9, but that may not be the end of this story.

Taking to Twitter after the bug was uncovered, Compound founder Robert Leshner admitted that 202,472.5 COMP, worth approximately $64 million at the time of writing, was at risk due to the protocol’s “drip function” being called into action for the first time in over 60 days. The drip function is designed to make any tokens held in Compound’s Reservoir available to users, with 0.5 COMP being accumulated by the Reservoir per block.
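A simple model of a per-block drip, added here to show why a drip that has not been called for 60 days releases a large lump in one transaction; this is illustrative code, not Compound's Reservoir contract. It assumes the page's 0.5 COMP per block and an assumed average block time of about 13 seconds; the Reservoir starting balance is a constructed sample value.

```python
from dataclasses import dataclass


@dataclass
class Reservoir:
    """Model of a per-block token drip (illustration only, not Compound's code).

    drip_rate: tokens accrued per block
    start_block: block from which accrual is counted
    balance: tokens still held by the reservoir
    dripped: tokens already released by earlier drip() calls
    """
    drip_rate: float
    start_block: int
    balance: float
    dripped: float = 0.0

    def drippable(self, block: int) -> float:
        """Amount a drip() call at `block` would release: everything accrued
        since start_block that has not yet been released, capped by balance."""
        accrued = self.drip_rate * (block - self.start_block) - self.dripped
        return max(0.0, min(accrued, self.balance))

    def drip(self, block: int) -> float:
        """Release the drippable amount downstream and record it."""
        amount = self.drippable(block)
        self.balance -= amount
        self.dripped += amount
        return amount


def blocks_in(days: float, seconds_per_block: float = 13.0) -> int:
    """Blocks elapsed in `days`; ~13 s per block is an assumed 2021 average."""
    return int(days * 86400 / seconds_per_block)


def idle_lump(days_idle: float, drip_rate: float = 0.5) -> float:
    """Tokens released by the first drip() after `days_idle` with no calls.

    A large idle period means a large single release, which is the amount
    exposed if the receiving contract's distribution logic is faulty.
    """
    # Constructed sample: reservoir funded well above what 60 days accrues.
    res = Reservoir(drip_rate=drip_rate, start_block=0, balance=1_000_000.0)
    return res.drip(blocks_in(days_idle))
```

Monitoring `drippable()` ahead of a governance change is a cheap check on how much value a single post-upgrade call would move.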

Following the incident, Leshner noted that a vast majority of all COMP tokens in existence today — those currently “reserved for users” — are held in the platform’s aforementioned reservoir system. This revelation may have played a large role in COMP’s depreciating value, so much so that after the initial identification of the bug, the price of COMP quickly crashed from $330 to $286, only to make a strong recovery thereafter, according to data from Cointelegraph Markets Pro.

That said, since Oct. 3, the token has steadily declined with the digital asset’s value dropping from a price point of around $350, taking its 30-day losses to a staggering 40% from a local top of around $525.

When asked to provide his take on the severity of the problem and what he believes may happen to the platform’s native asset pool over the course of the coming few days, Leshner told Cointelegraph that all that needs to be said in relation to the matter had already been covered “sufficiently,” thus declining to comment on the matter any further.

The DeFi community has a say

To gain a better overview of what this entire incident means for the crypto ecosystem at large, Cointelegraph reached out to Winston, a pseudonymous moderator for DeFi yield farming aggregator Harvest Finance. In their view, even though for the most part the community has been quite honest in returning a bulk of the funds, such reliance cannot always be depended upon to bail platforms out all the time.

He further added: “This debacle could have, undoubtedly, been handled better by the team but it also goes to show how sometimes these ‘security features’ can hamper a project rather than helping it.” Winston continued on by saying that he hopes lessons will be learned:

“Many protocols will start to consider the advantages of having a shorter time lock to not only prevent things like this from happening but also to make them more flexible and able to move swiftly.”

SushiSwap developer Mudit Gupta criticized Compound’s use of time locks for governance-related purposes, claiming that only around 100 people were aware of the threat posed by the drip function since the bug was discovered on Sept. 30, with no action having been taken since due to the time-delay mechanism being in place.

Gupta went on to warn DeFi users about the various risks associated with upgradable smart contracts, claiming that they are, by their very design, not meant for “large [DeFi] primitives,” and adding that he views “upgradability as more of a bug than a feature.”

That being said, it should be noted that SushiSwap too was recently on the receiving end of a hack, in which a malicious third party compromised the supply chain of the platform’s token launchpad MISO to the tune of $3 million. Not only that, but at the end of September, reports also surfaced that a hacker had identified a vulnerability that might have placed more than $1 billion worth of user funds held by SushiSwap under threat.

Technical bugs aren't new

George Harrap, the co-founder of Solana-based portfolio visualization platform Step Finance, told Cointelegraph that crypto bugs, exploits and hacks aren’t really anything new within this space, adding that such instances are just a part and parcel of an industry where everything is digitized.

Also, in a tweet, Leshner issued a stern warning to the recipients of the erroneous tokens, stating that any wrongful acquisitions would potentially be met with real-world consequences — primarily in the form of action being taken by the United States Internal Revenue Service (IRS). On the matter, Harrap said:

“What's more interesting is the reaction of Compound's founder than the bug itself where he threatened to DOX users. That’s not a good example for anything in DeFi and I think is the cause for many to reconsider their involvement in Compound."

Providing a somewhat alternative take on the matter, Rotem Yakir, DeFi developer at Orbs, a public blockchain infrastructure designed for close integration with Ethereum Virtual Machine (EVM)-based layer ones, told Cointelegraph that the Compound saga serves as a crucial reminder of the disadvantages of being a completely decentralized platform, without elaborating any further on the statement. However, he did add:

“Comp is one of the most prominent projects in the DeFi space and although this might hurt, it will not kill them and they will become stronger in the end."

It is worth noting that even though Leshner’s tweets stated that roughly 117,000 COMP — worth $37.6 million — had been returned to the protocol after the detection of the initial fault, Yearn.finance developer banteg noted that one-third of the funds that were placed at risk by the drip function had already been claimed by users at roughly 3:30 pm UTC on Sunday.

In banteg’s estimation, the total value of COMP tokens that were placed at risk as a result of the bug now stands at a whopping $147 million.

Thus, with all of this striking data now available for everyone to see, the incident is likely to set a precedent for how similar events within the DeFi ecosystem could play out. DeFi enthusiasts are hoping that the situation will reach some sort of resolution, especially now that the votes on the proposals to reverse the bug have succeeded — with the misplaced assets hopefully returning to where they rightfully belong — as it otherwise stands to mar the image of the sector.
