BanklessTimes

Millions Overpaid In COMP Rewards In Possible Exploit

Author:
Ruby Layram
Crypto Content Editor
Ruby is a seasoned Editor with 5 years of experience working in the cryptocurrency space. She currently works as a Crypto Content Editor for BanklessTimes with a focus on creating informative content that helps our readers navigate cryptocurrency with confidence. Ruby discovered crypto whilst working as a freelance writer at University. She has been passionate about shedding light on crypto and DeFi through valuable content ever since. Before joining the team at BanklessTimes, Ruby worked on a number of established finance sites including The Motley Fool, TradingPlatforms.com, StockApps, ICOBench, and MoneyMagpie.com.
January 31st, 2023

Millions have been paid out incorrectly by Compound in liquidity mining rewards. The mistake followed an update to one of its smart contracts. In one contract, $27 million was claimed in a possible exploit that occurred on Wednesday night. 

In the possible exploit, decentralized money market Compound was found to have been paying out millions of dollars in COMP tokens, intended as liquidity mining rewards. 

The issue was first pointed out by Twitter user “napgener”, who claimed that Ethereum transactions were showing that users had received a total of $15 million in COMP tokens in exchange for borrowing and supplying tiny quantities of tokens including USDC, ETH and DAI. 

Compound has a liquidity mining program that rewards its depositors and borrowers. The rewards are often at the rate of a single-digit APY. The botched payouts indicate flaws in the comptroller contract, which disburses the COMP liquidity mining rewards; the flaws could possibly be related to a recent upgrade.

Observers have noted that Compound’s comptroller contract is not currently managed by a multi-sig controlled by the company’s labs. Any fix to the exploit that has occurred may require a governance vote among COMP holders. 

Compound is the world’s fifth-largest decentralized finance protocol with a total value of $10.2 billion. The DeFi money market acknowledged the exploit on its official Twitter handle and assured users that no funds were at risk. 

Compound founder Robert Leshner acknowledged the exploit in a Tweet which said that “at worst”, only 280,000 COMP tokens are at risk of being erroneously claimed. The founder also noted that “there are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production. Labs, and members of the community, are evaluating potential steps to patch the COMP distribution.”

Shortly after Leshner posted the Tweet, around 91,000 COMP tokens were claimed in a single transaction. The tokens were worth $27 million. The user who claimed the tokens seems to have supplied $0 in crypto assets to the platform. They did pay $154.77 in gas fees to take in the haul. 

The same wallet that received the haul then swapped $140,000 in COMP for USDC via Uniswap. 

Since the possible exploit came to light, the price of COMP has fallen from a 24-hour high of $334 to $290. Compound Labs have not yet commented on the current situation.
