$66M in Tokens Added to Recently Hacked, Still Vulnerable Compound Contract

  • A faulty Compound Finance contract intended to disburse liquidity mining rewards over time was topped off on Sunday morning with $66 million – and counting – in tokens.
  • Over a quarter of those funds may have been exploited due to the same bug that drained $80 million in tokens throughout the latter half of last week, per one DeFi developer.

Read more: DeFi Money Market Compound Overpays Millions in COMP Rewards in Possible Exploit; Founder Says $80M at Risk

  • At approximately 9:30 AM EDT, one ETH address claimed 37,504 of the tokens worth $12 million, and another claimed 14,995 worth $4.9 million. The funds were claimed by contracts from the MakerDAO DSProxy factory, and are now in two separate addresses.

MakerDAO representatives have been active in helping to find solutions to the bug, per Compound founder Robert Leshner. A MakerDAO rep did not return a request for comment by the time of publication.

  • In a tweet on Sunday morning, pseudonymous Yearn.Finance core contributor ‘banteg,’ who has also been weighing in on Compound governance forums in the wake of the bug, wrote that the ability to top off the bugged contract has been “known for a few days now” but that the community plan “was to keep shush and hope nobody discovers it for a week.” Banteg did not return a request for comment by the time of publication.
  • Compound’s contracts do not have a multi-signature scheme that allows for more immediate upgradability, and instead changes can only be made after a seven-day governance process designed to make the protocol more resilient to hostile changes. That security architecture is now serving as a barrier to a patch to the faulty code.
  • A debate is underway in the community regarding what users should do with the funds that they’ve received. Leshner split the debate broadly into two categories: DeFi “builders” who see protocols like Compound as public goods and the erroneous tokens as belonging to the community, and “profit maximalists” more inclined to say “haha, f*** you, this is your problem.”
  • Users are now continuously calling a function to add funds to the Comptroller contract from the Compound Reservoir, potentially putting additional tokens at risk.
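To make the mechanism in the last two points concrete, here is an added, simplified Solidity model of a rate-limited reservoir that anyone can "drip" into a distributor contract. It is illustrative code written for this article, not Compound's Reservoir or Comptroller source; the contract name, the `IERC20` interface, the storage layout (`dripRate`, `dripStart`, `dripped`, `accruedAtRateChange`) and the `admin` role are assumptions chosen to show the pattern, and Compound's own contracts differ in detail. The point it isolates: when `drip()` is permissionless, the caller's identity bounds nothing; only the rate and the reservoir balance limit how much reaches the distributor, and slowing the flow requires the admin, which in a timelocked governance design cannot act before its delay has elapsed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface the reservoir needs (assumed interface, not a Compound file).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Illustrative reservoir: holds reward tokens and releases them to a
// distributor at a fixed per-block rate. drip() is deliberately
// permissionless, as in the design the article describes.
contract RateLimitedReservoir {
    IERC20 public immutable token;
    address public immutable target;     // the distributor (a Comptroller-like contract)
    address public admin;                // in a timelocked design: the governance timelock
    uint256 public dripRate;             // tokens released per block
    uint256 public dripStart;            // block at which the current rate took effect
    uint256 public dripped;              // total already transferred to target
    uint256 private accruedAtRateChange; // accrual settled under previous rates

    constructor(IERC20 token_, address target_, address admin_, uint256 rate_) {
        token = token_;
        target = target_;
        admin = admin_;
        dripRate = rate_;
        dripStart = block.number;
    }

    // Tokens the schedule has released so far, across all rate changes.
    function accrued() public view returns (uint256) {
        return accruedAtRateChange + dripRate * (block.number - dripStart);
    }

    // Accrued but not yet transferred, capped by what the reservoir actually holds.
    function pending() public view returns (uint256) {
        uint256 owed = accrued() - dripped; // never underflows: dripped <= accrued
        uint256 bal = token.balanceOf(address(this));
        return owed < bal ? owed : bal;
    }

    // Anyone may call this. If the target has a distribution bug, every call
    // moves more tokens into the contract that can be drained through it;
    // nothing here can distinguish a helpful caller from a hostile one.
    function drip() external returns (uint256 amount) {
        amount = pending();
        if (amount == 0) return 0;
        dripped += amount;
        require(token.transfer(target, amount), "transfer failed");
    }

    // Throttling the flow (down to a rate of zero) is the defensive lever,
    // but it is admin-only. When admin is a governance timelock, the change
    // cannot land before the delay, which is the trade-off the article notes.
    function setDripRate(uint256 newRate) external {
        require(msg.sender == admin, "not admin");
        accruedAtRateChange = accrued(); // settle under the old rate first
        dripStart = block.number;
        dripRate = newRate;
    }
}
```

Reading the model as a defender: the exposure added by each `drip()` call is `pending()`, so the quantity worth monitoring is the distributor's balance relative to what it can legitimately pay out, and the only fast-acting controls are the ones that exist before an incident (a low `dripRate`, a modest reservoir balance, or an admin able to act without a multi-day delay).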