Compound (COMP) Slides with Ongoing Reward Exploit
Compound (COMP) has entered a risky stretch, after a smart contract was found to be exploitable and distributed more rewards than previously intended. The last noted event where COMP was distributed happened this Sunday, taking away $12M in tokens.
The exploit, which was first noted in the middle of last week, led to a loss estimate above $100M. The news caused COMP to slump by more than 7% overnight, despite the overall market recovery.
COMP traded at $317.11, a level about 14% lower compared to last week. COMP may be under pressure in the coming days, as more than $45M worth of tokens have been produced by the contract, and there are multiple eligible addresses that could access the outsized rewards.
Exploit Cannot be Stopped Immediately
The resolution of the flawed contract is still uncertain, and there is a conflict between Compound users who want to protect the protocol and those who want to profit from the unusual rewards. The latter may cause outsized selling, further depressing the COMP market price.
COMP is a deliberately scarce token, with a total supply of just 10M. Despite the exploit, there are just around 5.5M COMP in circulation. Most of the COMP activity remains within DeFi protocols, though some of the newly released tokens may be dumped on exchanges. Binance trading pairs against USDT are a significant liquidity boost for COMP.
Fixing Smart Contract Hinges on Community Vote
All decisions on the Compound protocol and smart contract activity are completed after voting. Right after a voting proposal changed the distribution of liquidity provider rewards, the potential for exploit was noticed.
The resolution of the bug hinges on accepting two more community proposals, which may take a few more hours.
During the last remaining hours, it is possible more funds are at risk. Analysis by an expert related to the Yield DeFi platform shows that the smart contract and a risky function are still active for Compound. As the problem becomes more known, new calls to distribute COMP may appear.
It is possible that the coming week may put even more pressure on Compound and its native token, as the public drip() function makes it possible for even more addresses to drain COMP reserves.
The function is now making calls on the Reservoir, where COMP for rewards is sitting, thus speeding up the schedule of distributing rewards.
The ability to drain the Reservoir through a smart contract extends the COMP at risk to an estimated 490,000 tokens. Distributing those rewards before schedule may limit the ability of COMP to incentivize liquidity providers in the future, thus undermining the attractiveness of the protocol.
The Compound Reservoir address has been drained of 204,305 COMP in the past seven days. Some of those coins may have been released on the usual schedule, and some as a result of attempts to remove the coins faster.
The Reservoir address holds more than 2.9M COMP as of October 4. Records on the Ethereum blockchain show calls to the drip() function continue over the past few hours.
Can COMP Affect DeFi
The exact fallout of the Compound exploit is still being estimated. The Compound protocol locks in more than $9B in value, or above 10% of the total value locked in Ethereum-based DeFi.
Compound has lost some of its clout, falling down from its top position along with Maker (DAO).
Compound may also have to rethink its community approach to code updates, as currently there is no emergency mechanism to stop the smart contracts. The proposal to reverse the faulty functions is still in its community discussion and voting stage.
For now, the COMP market price is within its usual level of fluctuation, with the usual trading volumes above $260M in 24 hours.
DeFi Exploits Hinge on Smart Contracts
The Compound token distribution is not a true hack, as the feature to call on the smart contract is entirely accessible. But in the past week, other protocols showed that smart contracts remain the weakest spot in DeFi.
One of the latest exploits hit VeeFinance, which only days after its launch ran a smart contract with limited price discovery information, thus draining the deposited liquidity of BTC and ETH.
Exploits may seek to drain the deposited liquidity, exploit decentralized trading pairs or seek other flaws in smart contracts. In the case of VeeFinance, the smart contract was not open source, so the exact cause of the exploit was unknown.
DeFi Still Shakes Off Losses
The almost daily exploits of smaller and bigger DeFi protocols do not seem to affect the sector’s growth. The rise of ETH market prices closer to the $3,400 range is boosting all pools and protocols.
One of the sources of stability is the DeFi Saver protocol, which automates some of the collateral deposits to avoid liquidations during more significant price moves.
DeFi Saver is one of the factors protecting Maker DAO.
Despite the attempts to limit losses, DeFi remains one of the riskiest venues for holding digital assets. DeFi can be highly rewarding, but it can also lead to significant collateral losses, as well as unexpected exploits to steal coins and tokens.