Compound (COMP) Vulnerabilities
When using DeFi protocols, users must account for several kinds of risk: technical and smart-contract risk, centralization, and outright exploits or hacks. The smart contracts underpinning these projects are often brand new and unaudited, and attackers have repeatedly exploited them to drain the funds they hold. A user who is not technical enough to audit the code themselves is usually better off waiting a while after launch to see how the project performs before trusting it, and even then starting with only small amounts.
In September 2021, the Compound protocol suffered a bug introduced by a governance proposal that changed the COMP distribution ratios in the code. Because of the bug, roughly 500K COMP (about $160,000,000) became claimable from the vulnerable contract and was distributed to users who would not, and should not, normally have received it. Compound acknowledged the bug and asked on Twitter for the funds to be returned. Robert Leshner, Compound's founder, went further and threatened on Twitter to dox the community members who did not return the funds and report them to the IRS. Leshner later retracted the threat, but not before many in the DeFi community criticized it. Since then, roughly 120K of the ~500K COMP have been returned by the community.
Although Compound discovered the bug quickly and its developers have already prepared a patch, the fix cannot go live until October 7th because of Compound's 7-day time-lock on code updates: any change to the protocol must pass through the 7-day governance process before it reaches production. The same delay that protects users from a malicious or rushed upgrade also means an emergency fix cannot ship any faster.
Prior to the bug, Compound had been having a strong September. On August 1st, the community voted to add four new assets to its lending and borrowing markets: MKR, SUSHI, YFI, and AAVE. Since the addition, these markets have brought roughly $17M of liquidity to the protocol while attracting new users and developers from each project. Compound regularly sees strong daily usage relative to other DeFi projects, with nearly 600 transactions, $360M of assets supplied, and $170M of assets borrowed per day.
Beyond the protocol contracts themselves, lending protocols depend on price oracles to bring market prices on-chain, and manipulating those prices is another attack vector. In November 2020, Compound's price oracle was exploited (see the table above) when the price of DAI was driven up by about 30% on Coinbase Pro, one of the oracle's price sources. With DAI revalued upward, many loans denominated in it appeared undercollateralized, and about $89 million worth of positions were liquidated.
Another common attack vector in DeFi is the flash loan attack. A flash loan is an uncollateralized loan that must be repaid within the same transaction; if it is not, the entire transaction reverts, so the lender is never exposed to non-repayment. The danger lies in what the attacker does with the capital in between: a loan of tens of millions of dollars is large enough to temporarily move the price in an AMM pool or other on-chain price source, and a protocol that reads that price without averaging or sanity checks can be tricked into over-lending, mispricing collateral, or liquidating positions at the manipulated value. The attacker extracts the difference, restores the price, repays the loan, and keeps the profit, all within one atomic transaction.
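To make the two mechanisms above concrete (an oracle that trusts a single price source, and a flash loan supplying the capital to move it), here is an added Python simulation. It is not Compound's code and does not reproduce the Coinbase Pro incident; it models the general on-chain form of the attack, where a constant-product AMM pool is the price source. The pool reserves, the 0.3% swap fee, the 75% loan-to-value ratio, the 10-minute TWAP window, and the 5M USD flash loan are all constructed assumptions. It shows how far the market over-lends when it reads the spot price inside the attacker's transaction, that a time-weighted average price over the same pool is untouched by a same-block manipulation, and how long the attacker would have to hold the price up to move the average.

```python
# Added illustration, not Compound's code: a lending market that prices collateral
# from one AMM pool's spot price versus one that uses a time-weighted average price.
# Every number below (reserves, fee, LTV, window, loan size) is a constructed assumption.
from dataclasses import dataclass, field


@dataclass
class ConstantProductPool:
    """Uniswap-v2-style pool: reserve_token * reserve_usd is held constant, fees aside."""
    reserve_token: float
    reserve_usd: float
    fee: float = 0.003  # 0.3% taken from the input side of every swap

    def spot_price(self) -> float:
        """USD per token implied by the current reserves; movable by any large swap."""
        return self.reserve_usd / self.reserve_token

    def swap_usd_for_token(self, usd_in: float) -> float:
        usd_eff = usd_in * (1 - self.fee)
        new_token = self.reserve_token * self.reserve_usd / (self.reserve_usd + usd_eff)
        token_out = self.reserve_token - new_token
        self.reserve_usd += usd_in
        self.reserve_token = new_token
        return token_out

    def swap_token_for_usd(self, token_in: float) -> float:
        token_eff = token_in * (1 - self.fee)
        new_usd = self.reserve_token * self.reserve_usd / (self.reserve_token + token_eff)
        usd_out = self.reserve_usd - new_usd
        self.reserve_token += token_in
        self.reserve_usd = new_usd
        return usd_out


@dataclass
class TwapOracle:
    """Time-weighted average of recorded prices over a trailing window.

    Each (timestamp, price) sample is in effect until the next sample, so a price
    that is set and reversed at the same timestamp (one transaction) carries zero
    weight. That property is what blunts a flash-loan manipulation.
    """
    window: float
    samples: list = field(default_factory=list)

    def record(self, timestamp: float, price: float) -> None:
        self.samples.append((timestamp, price))

    def price(self, now: float) -> float:
        start = now - self.window
        weighted = covered = 0.0
        for i, (ts, p) in enumerate(self.samples):
            end = self.samples[i + 1][0] if i + 1 < len(self.samples) else now
            lo, hi = max(ts, start), min(end, now)
            if hi > lo:
                weighted += p * (hi - lo)
                covered += hi - lo
        return weighted / covered


def max_borrow(collateral_tokens: float, price: float, ltv: float = 0.75) -> float:
    """Borrow limit of a simple over-collateralized market at the given price."""
    return collateral_tokens * price * ltv


def seconds_to_move_twap(window: float, base: float, manipulated: float, target: float) -> float:
    """Seconds the manipulated price must persist inside the window before the TWAP
    reaches target: base * (window - s) + manipulated * s = target * window."""
    return window * (target - base) / (manipulated - base)


def run_attack(use_twap: bool, flash_loan_usd: float = 5_000_000.0) -> dict:
    """One-transaction flash-loan manipulation against a market holding 1,000 tokens
    of the attacker's collateral. Returns what the market saw and what it lost."""
    pool = ConstantProductPool(reserve_token=10_000.0, reserve_usd=10_000_000.0)
    true_price = pool.spot_price()  # 1,000 USD per token before the attack
    oracle = TwapOracle(window=600.0)
    oracle.record(0.0, true_price)  # the pool has sat at this price for the whole window
    t = 600.0                       # the attack transaction executes at t = 600 s
    collateral = 1_000.0

    # 1. Take the flash loan and buy the token, pushing the pool price up.
    token_bought = pool.swap_usd_for_token(flash_loan_usd)
    oracle.record(t, pool.spot_price())
    # 2. The lending market reads a price and sets the attacker's borrow limit from it.
    price_seen = oracle.price(t) if use_twap else pool.spot_price()
    borrowed = max_borrow(collateral, price_seen)
    # 3. Sell the token back (price returns to about its true level), repay the loan.
    usd_back = pool.swap_token_for_usd(token_bought)
    oracle.record(t, pool.spot_price())
    swap_cost = flash_loan_usd - usd_back  # fees and slippage, borne by the attacker
    # Bad debt: borrowed USD above the collateral's true value, which the attacker
    # simply abandons. The flash-loan fee itself is ignored for brevity.
    bad_debt = max(0.0, borrowed - collateral * true_price)
    return {
        "price_seen": price_seen,
        "borrowed": borrowed,
        "swap_cost": swap_cost,
        "bad_debt": bad_debt,
        "attacker_profit": bad_debt - swap_cost,
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = run_attack(use_twap=mode)
        print("TWAP" if mode else "spot", {k: round(v, 2) for k, v in r.items()})
    print("seconds to move the 10-min TWAP to 1500:",
          round(seconds_to_move_twap(600.0, 1000.0, 2247.75, 1500.0), 1))
```

Running `run_attack(use_twap=False)` reports a borrow of about 1.69M USD against collateral worth 1M, leaving roughly 686K of bad debt for the protocol, while `run_attack(use_twap=True)` caps the borrow at 750K and the attacker only loses the swap fees. A TWAP is not a complete fix: `seconds_to_move_twap` shows that holding the pool price at the manipulated level for about 240 of the 600 seconds, across several blocks and exposed to arbitrage, would still push the average to 1,500, so window length, liquidity depth, and a second independent price source all matter.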
Compound takes security seriously: it has invested in a solid development team and in third-party auditors who review the contract code and balances, and security researchers who report previously unknown vulnerabilities are eligible for a bug bounty. Firms such as Trail of Bits, OpenZeppelin, and Gauntlet have been engaged to review the protocol's security.
Compound's bug bounty pays from $500 to $150,000 per vulnerability, depending on the severity of the issue found. The program's primary scope covers vulnerabilities in the on-chain Compound Protocol contracts that could freeze or steal user funds, as well as problems in the interface or test contracts that could be used to exploit user funds.
Bug bounty disclosures are submitted to email@example.com with a clear explanation of the vulnerability, in written or video form. The Compound team then follows up with an acknowledgment of the report.