Compound Exploit Drains $21M from Lending Protocol

A week ago, Compound founder Robert Leshner called a bug in his lending protocol’s smart contract a “moral dilemma.” Perhaps for some, but for others today the smart contracts became a vending machine full of free cash.

Today, someone exploited a bug in Compound’s Controller contract, which is the part of the protocol that distributes yield farming rewards to users. By calling Compound’s drip() function, they transferred $68 million, or 202,472 COMP, from Compound’s reservoir to its Comptroller. 

Since Banteg, a core developer at Yearn.Finance, tweeted about the exploit earlier this afternoon, four major transactions have drained the pool of 64,997 COMP, or $21.4 million. One of those transactions withdrew 37,504 COMP, or $12.3 million. Banteg said that only “addresses with the buggy state can drain” and that there are another five addresses that could claim $45m, “emptying the Comptroller.”

Banteg called the exploit “the best-kept secret in DeFi.” Commenting on his post, crypto trader Christopher Mooney said, “I’m honestly impressed it took this long with the number of people that knew. Restores my faith in humanity a little, but in the end one of you chose chaotic neutral.”

The same contract went awry last week, dishing out 280,000 COMP to the wrong users. Leshner asked users to give the funds back and thanked anyone who did. Decrypt has reached out to Leshner about today’s drain and will update this story should we hear back. 

The bug is difficult to fix because Compound’s protocol has a seven-day grace period on updates. COMP has fallen by 3.2% in the past 24 hours.

3 October 2021 15:19
