DeFi Money Market Compound Overpays $15M in COMP Rewards in Possible Exploit


In a possible exploit on Wednesday night, decentralized money market Compound has been erroneously paying out millions of dollars in COMP tokens intended as liquidity mining rewards.

First flagged by Twitter user “napgener,” they pointed to three Etherscan transactions showing users receiving a total of $15 million in COMP tokens in exchange for borrowing and supplying tiny quantities of tokens, including USDC, ETH and DAI.

Compound has a liquidity mining program that rewards depositors and borrowers, but often at a rate of a single-digit APY. The botched payout sums indicate a flaw in the comptroller contract, which disburses the COMP liquidity mining rewards, possibly related to a recent upgrade.

Observers have noted that Compound’s comptroller contract is not managed by a multi-sig controlled by Compound Labs, and any fix to the exploit may require a governance vote among COMP holders.

Compound acknowledged the exploit on its official Twitter handle and said no user funds are at risk:

The price of COMP has plunged on the news, falling from a 24-hour high of $334 to as low as $290. At the time of publication, it sits at $301, according to CoinGecko.

A request for comment sent to Compound Labs was not returned by press time.

This is a developing story and will be updated.