Compound crisis averted? Securing exposed COMP could be just the start

Due to a time-lock restriction module used by Compound, the protocol has placed $150 million worth of COMP tokens at risk.
Due to a time-lock restriction module used by Compound, the protocol has placed $150 million worth of COMP tokens at risk.

As the decentralized finance (DeFi) market continues to pique the interest of investors across the globe, a few incidents have shone a major spotlight on the vulnerabilities various platforms operating within this space are continually exposed to. 

For example, it has recently been unveiled that due to a buggy system upgrade, prominent DeFi money market Compound had put approximately $150 million worth of the native COMP tokens at risk of a third-party hack.

Even though the error was recognized fairly early as Compound’s developers submitted a fix for the protocol’s bug soon after, it’s worth noting that the upgrade is governed by a seven-day time lock, as a result of which no tangible efforts to resolve the issue could have been enacted until Oct. 7. The proposal to fix the bug has since successfully passed and is set to be executed on Oct. 9, but that may not be the end of this story.

Taking to Twitter after the bug was uncovered, Compound founder Robert Leshner admitted that 202,472.5 COMP, worth approximately $64 million at the time of writing, was at risk due to the protocol’s “drip function” being called into action for the first time in over 60-days. The drip function is designed to make any tokens held in Compound’s Reservoir available to users, with 0.5 COMP being accumulated by the Reservoir per block.

Following the incident, Leshner noted that a vast majority of all COMP tokens in existence today — that are currently “reserved for users” — are held in the platform’s aforementioned reservoir system. This revelation may have had a large role to play in COMPs depreciating value, so much so that after the initial identification of the bug, the price of COMP quickly crashed from $330 to $286, only to make a strong recovery thereafter, according to data from Cointelegraph Markets Pro.

That said, since Oct. 3, the token has steadily declined with the digital asset’s value dropping from a price point of around $350, taking its 30-day losses to a staggering 40% from a local top of around $525.

When asked to provide his take on the severity of the problem and what he believes may happen to the platform’s native asset pool over the course of the coming few days, Leshner told Cointelegraph that all that needs to be said in relation to the matter had already been covered “sufficiently,” thus declining to comment on the matter any further.

The DeFi community has a say

To gain a better overview of what this entire incident means for the crypto ecosystem at large, Cointelegraph reached out to Winston, a pseudonymous moderator for DeFi yield farming aggregator Harvest Finance. In their view, even though for the most part, the community has been quite honest in returning a bulk of the funds, such reliance can not always be depended upon to bail platforms out all the time.

He further added: “This debacle could have, undoubtedly, been handled better by the team but it also goes to show how sometimes these ‘security features’ can hamper a project rather than helping it.” Winston continued on by saying that he hopes lessons will be learned:

“Many protocols will start to consider the advantages of having a shorter time lock to not only prevent things like this from happening but also to make them more flexible and able to move swiftly.”

SushiSwap developer Mudit Gupta criticized Compound’s use of time-locks for governance-related purposes, claiming that only around 100 people were aware of the threat posed by the drip function since the bug was discovered on Sept. 30, with no action having been taken since due to the time-delay function being in place.

Gupta went on to further warn DeFi users about the various risks associated with upgradable smart contracts, claiming that they are, by their very design, not meant for “large [DeFi] primitives.” Adding that he also views “upgradability as more of a bug than a feature.”

That being said, it should be noted that SushiSwap too was on the receiving end of a hack recently, that saw a nefarious third party agent compromising the supply chain of the platform’s token launchpad MISO to a tune of $3 million. Not only that but at the end of September, reports also surfaced that a hacker had identified a vulnerability that might have placed more than $1 billion worth of user funds held by SushiSwap under threat.

Technical bugs aren't new

George Harrap, the co-founder of Solana-based portfolio visualization platform Step Finance, told Cointelegraph that crypto bugs, exploits and hacks aren’t really anything new within this space, adding that such instances are just a part and parcel of an industry where everything is digitized.

Also, in a Tweet, Leshner issued a stern warning to the recipients of the erroneous tokens, stating that any wrongful acquisitions would potentially be met with real-world consequences — primarily in the form of action being taken by the United States Internal Revenue Service (IRS). On the matter, Harrap said:

“What's more interesting is the reaction of Compound's founder than the bug itself where he threatened to DOX users. That’s not a good example for anything in DeFi and I think is the cause for many to reconsider their involvement in Compound."

Providing a somewhat alternative take on the matter, Rotem Yakir, DeFi developer at Orbs, a public blockchain infrastructure designed for close integration with Ethereum Virtual Machine- (EVM)-based layer ones, told Cointelegraph that the Compound saga serves as a crucial reminder of the disadvantages of being a completely decentralized platform, failing to elaborate any further on the statement. However, he did add:

“Comp is one of the most prominent projects in the DeFi space and although this might hurt, it will not kill them and they will become stronger in the end."

It is worth noting that even though Leshner’s tweets stated that roughly 117,000 COMP — worth $37.6 million — had been returned to the protocol after the detection of the initial fault, Yearn.finance developer banteg noted that one-third of the funds that were placed at risk by the drip function had already been claimed by users at roughly 3:30 pm UTC on Sunday.

In banteg’s estimation, the total value of COMP tokens that were placed at risk as a result of the bug now stands at a whopping $147 million.

Related: DAOs can solve important dilemmas but more education is required

Thus, with all of this striking data now available for everyone to see, the incident is likely to set a precedent for how such incidents within the DeFi ecosystem could play out. DeFi enthusiasts are hoping that the situation will reach some sort of resolution, especially after the votes on the proposals to reverse the bug have succeeded — with the misplaced assets hopefully returning to where they rightfully belong — as it otherwise stands to potentially mar the image of the sector.