Leading DeFi Protocol Compound Leaked Over $100 Million in Rewards

It started as a technocratic tweak to a long-running DeFi blue chip. “Proposal 62” voted on by holders of the Compound protocol’s governance token, COMP, was meant to give governance wider latitude in distributing incentives to lenders and borrowers.

Compound kicked off the 2020 “DeFi summer” with its then-novel use of liquidity mining following the debut of its COMP governance token in June of last year. With it, anyone providing or using liquidity in the money market protocol would earn COMP — lenders and borrows benefitted equally — rewards were split 50/50.

After a year of real-world testing, it became clear there were some unintended and deleterious side effects, particularly in non-stablecoin markets: WBTC (wrapped bitcoin), for example, could be borrowed at effectively a negative interest rate.

To address this problem, Proposal 62, enabled COMP rewards to be set heterogeneously across markets. It passed unanimously and went into effect on September 29.

Then, trouble:

The protocol was paying out too much in COMP rewards to a subset of its users. It needed an immediate patch, first to pause all COMP distribution and then to repair the design flaw in Prop 62.

Compound Labs Inc., a Delaware corporation headquartered in San Francisco, originally developed the protocol, but in a move to decentralize control over its future evolution, they implemented a governance process of reviews, voting, and finally what’s known as a “timelock” on all changes approved by COMP token holders. The mechanism was aimed to prevent malicious code from being quickly rammed through and to move the company out of a primary decision-making role, but in this case, it also meant that any attempt to fix the bug would take at least seven days.

So, is decentralization partly to blame? The founder of Compound, Robert Leshner, doesn’t think so:

“This is not an event that calls into question whether DeFi can be operated safely. It’s a wake-up call for decentralized, community-run protocols to improve the processes by which changes are introduced,” Leshner told Bloomberg.

Leshner was quick to downplay the consequences of the bug on Twitter:

A fix was passed through governance on October 7, and was executed on Saturday, stopping the COMP bleed.

In a typically DeFi twist, Leshner announced that 163,000 COMP tokens that were incorrectly claimed had been returned to the Compound community. That’s about $50 million worth of windfall tokens not taken. A further 130,000 — or roughly $40 million — that could have been expropriated, were left untouched. It’s as though the code to your front door security system was sent to everyone in your address book, along with a picture of the suitcase full of cash just inside, but no one wanted to turn the handle.

For now, there remain 200,000 COMP tokens that were in fact claimed and which have not been returned. That has the effect of diluting all holders of COMP.

Despite the slip-up, the COMP price has remained around $300 per token, without seeing a marked adverse reaction to its price.