Compound (COMP) Slides with Ongoing Reward Exploit


Compound (COMP) has entered a risky stretch, after a smart contract was found to be exploitable and distributed more rewards than previously intended. The last noted event where COMP was distributed happened this Sunday, taking away $12M in tokens. 

The exploit, which was first noted in the middle of last week, led to an estimated loss of above $100M. The news caused COMP to slump by more than 7% overnight, despite the overall market recovery.

COMP traded at $317.11, a level about 14% lower compared to last week. COMP may be under pressure in the coming days, as more than $45M worth of tokens have been produced by the contract, and there are multiple eligible addresses that could access the outsized rewards. 

Exploit Cannot be Stopped Immediately

The resolution of the flawed contract is still uncertain, and there is a conflict between Compound users wanting to protect the protocol, and those that want to profit from the unusual rewards. The latter may cause outsized selling, further depressing the COMP market price. 

COMP is a deliberately scarce token, with a total supply of just 10M. Despite the exploit, there are just around 5.5M COMP in circulation. Most of the COMP activity remains within DeFi protocols, though some of the newly released tokens may be dumped on exchanges. Binance trading pairs against USDT are a significant liquidity boost for COMP.

Fixing Smart Contract Hinges on Community Vote

All decisions on the Compound protocol and smart contract activity are completed after voting. The potential for exploit was noticed right after a voting proposal changed the distribution of liquidity provider rewards.

The resolution of the bug hinges on accepting two more community proposals, which may take a few more hours. 

During the last remaining hours, it is possible more funds are at risk. Analysis by an expert related to the Yield DeFi platform shows that the smart contract and a risky function are still active for Compound. As the problem becomes more known, new calls to distribute COMP may appear. 

It is possible that the coming week may put even more pressure on Compound and its native token, as the public drip() function makes it possible for even more addresses to drain COMP reserves.

The function is now making calls on the Reservoir, where COMP for rewards is sitting, thus speeding up the schedule of distributing rewards. 

The ability to drain the Reservoir through a smart contract extends the COMP at risk to an estimated 490,000 tokens. Distributing those rewards before schedule may limit the ability of COMP to incentivize liquidity providers in the future, thus undermining the attractiveness of the protocol.

The Compound Reservoir address has been drained of 204,305 COMP in the past seven days. Some of those coins may have been released based on the usual schedule, and some due to attempts to remove the coins faster.

The Reservoir address holds more than 2.9M COMP as of October 4. Records on the Ethereum blockchain show calls to the drip() function continue over the past few hours.

Can COMP Affect DeFi

The exact fallout of the Compound exploit is still being estimated. The Compound protocol locks in more than $9B in value, or above 10% of the total value locked in Ethereum-based DeFi. 

Compound has lost some of its clout, falling down from its top position along with Maker (DAO).

Compound may also have to rethink its community approach to code updates, as currently there is no emergency mechanism to stop the smart contracts. The proposal to reverse the faulty functions is still in its community discussion and voting stage. 

For now, the COMP market price is within its usual level of fluctuation, with usual trading volumes above $260M in 24 hours.

DeFi Exploits Hinge on Smart Contracts

The Compound token distribution is not a true hack, as the feature to call on the smart contract is entirely accessible. But in the past week, other protocols showed that smart contracts remain the weakest spot in DeFi. 

One of the latest exploits was VeeFinance, which only days after its launch ran a smart contract with limited price discovery information, thus draining the deposited liquidity of BTC and ETH.

Exploits may seek to drain the deposited liquidity, exploit decentralized trading pairs or seek other flaws in smart contracts. In the case of VeeFinance, the smart contract was not open source, so the exact cause of the exploit was unknown. 

DeFi Still Shakes Off Losses

The almost daily exploits of smaller and bigger DeFi protocols do not seem to affect the sector’s growth. The rise of ETH market prices closer to the $3,400 range is boosting all pools and protocols.

One of the sources of stability is the DeFi Saver protocol, which automates some of the collateral deposits to avoid liquidations during more significant price moves. 

DeFi Saver is one of the factors protecting Maker DAO. 

Despite the attempts to limit losses, DeFi remains one of the riskiest venues for holding digital assets. DeFi can be highly rewarding, but can also lead to significant collateral losses, as well as unexpected exploits to steal coins and tokens.
