$66M in Tokens Added to Recently Hacked, Still Vulnerable Compound Contract


  • A defective Compound Finance contract meant to disburse liquidity mining rewards over time has been topped off with $66 million – and counting – in tokens on Sunday morning.
  • Over a quarter of these funds might have been exploited due to the same bug that drained $80 million in tokens throughout the latter half of last week, per one DeFi developer.

Read more: DeFi Money Market Compound Overpays Millions in COMP Rewards in Potential Exploit; Founder Says $80M at Risk

  • At roughly 9:30 AM EDT, one ETH address claimed 37,504 of the tokens worth $12 million, and another claimed 14,995 worth $4.9 million. The funds were claimed by contracts from the MakerDAO DSProxy factory, and are now in two separate addresses.

MakerDAO representatives have been active in helping to find solutions to the bug, per Compound founder Robert Leshner. A MakerDAO rep did not return a request for comment by the time of publication.

  • In a tweet on Sunday morning, pseudonymous Yearn.Finance core contributor ‘banteg,’ who has also been weighing in on Compound governance forums in the wake of the bug, wrote that the ability to top off the bugged contract has been “recognized for a number of days now” but that the community plan “was to maintain shush and hope no person discovers it for every week.” Banteg did not return a request for comment by the time of publication.
  • Compound’s contracts do not have a multi-signature scheme that allows for more immediate upgradability; instead, changes can only be made after a seven-day governance process designed to make the protocol more resilient to hostile changes. That security architecture is now serving as a barrier to a patch for the faulty code.
  • A debate is underway in the community regarding what users should do with the funds they have received. Leshner split the debate broadly into two categories: DeFi “builders” who see protocols like Compound as public goods and the erroneous tokens as belonging to the community, and “revenue maximalists” more inclined to say “haha, f*** you, that is your downside.”
  • Users are now repeatedly calling a function to add funds to the Comptroller contract from the Compound Reservoir, potentially putting additional tokens at risk.

