The problems of major DeFi money market aggregator Compound are compounded by the fact that $150 million worth of COMP is now at risk due to a buggy upgrade to the protocol that went live last week.
On September 30, Cointelegraph reported that a bug resulted in between $70 million and $85 million in COMP tokens being mistakenly offered to users as rewards after an update, aimed at fixing bugs and the “segmentation of the COMP reward distribution,” went awry.
Although the bonus distribution bug was quickly identified, Compound’s week-long delay in enacting new governance measures means the bug won’t be fixed until October 7.
On October 3, Compound founder Robert Leshner tweeted that 202,472.5 COMP (worth approximately $65 million) were at risk after the protocol’s drip function was called for the first time in nearly two months.
The drip function makes the tokens held in the Reservoir contract available to users, with 0.5 COMP accumulated by the Reservoir per block. Leshner noted that “the majority of COMPs are reserved for users” and are held in the Reservoir.
This brings the total value of the COMP at risk to about 490 thousand, of which 136 thousand are still in the Comptroller, and 117 thousand have been returned to the community so far (thank you).
– Robert Leshner (@rleshner) October 3, 2021
SushiSwap developer Mudit Gupta has taken to social media to criticize the use of time locks in governance, asserting that nearly 100 people have been aware of the threat posed by the drip functionality since the September 30 bug was discovered but were unable to act due to the time delay in updating the protocol.
Gupta also warned of the risks associated with upgradeable smart contracts, stressing that they are not a “big” fit for [DeFi] primitives.
This is why locks on everything are not always the best option. About a hundred people knew about this possibility since day one but their hands were tied due to the time lock.
All of that 68.8 million could be drained, not just a quarter of it if there are malicious actors involved. https://t.co/xB5T1sjUQ8
– Mudit Gupta (@Mudit__Gupta) October 3, 2021
“I’ve come to see upgradeability as a bug rather than an advantage,” he added.
While Leshner’s tweet revealed that nearly 117,000 COMP worth $37.6 million were brought back into the protocol after the initial incident, Yearn Finance developer Banteg estimated that a third of the money at risk due to the drip functionality had already been claimed by users around 3:30pm UTC on October 3.
Banteg has calculated the total value of COMP tokens that were compromised due to a protocol error, now amounting to $147 million.
Despite the initial identification of an error that caused the COMP price to crash 3% from $330 to $286 on September 30, the coin quickly recovered and traded above $340 on October 2, according to CoinGecko.
COMP has shed 7% of its value since hitting a local high of $347.5 on Oct. 3, last changing hands at $322 at the time of writing.