Robert Leshner, founder of decentralized finance biz Compound Labs, has asked for the return of roughly $90m worth of COMP tokens after a smart contract bug distributed more of the cryptocurrency than it should have.
COMP tokens get distributed on a daily basis to users of the Compound protocol. They grant holders a say in the communal governance of the protocol, which is used for financial transactions like borrowing and lending with cryptocurrencies.
Decentralized finance relies on smart contracts that don’t necessarily live up to their name to handle transactions. That is to say, the code controlling these smart contracts often contains dumb mistakes.
“A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol,” said Leshner on Wednesday, via Twitter. “The new Comptroller contract contains a bug, causing some users to receive far too much COMP.”
According to Leshner, at most 280,000 tokens were wrongly distributed. At the current COMP token value of about $322, that’s more than 90m US dollars.
On Thursday, Leshner pleaded for the tokens to be returned, offering to let Good Samaritans keep 10 per cent, and hinting at consequences for those who fail to comply.
He wrote:
Those discussing the incident on Compound’s Discord chat space note that recipients of the errant funds need to use the claimComp function manually to get the COMP tokens – the tokens won’t just show up in one’s account automatically. Some individuals have already done so – here’s a transaction claiming about $29m.
Discord chat participants also appear to be none too pleased with the doxxing threat. “Total clown show up in here,” one individual complained. “Protocol error and innocent people threatened w dox.”
- Single-line software bug causes fledgling YAM cryptocurrency to implode just two days after launch
- TITAN crypto-token does the opposite of zero to $60: Value plummets in hours
- Digi-dosh exchange Coinbase: Someone tried to pwn our staff via this week’s Firefox zero-day security hole
- Google sparks online outcry after its currency converter goes haywire for third time this year
Despite Leshner’s commitment to report windfall recipients to US tax authorities – as his company is presumably obligated to do under US tax law – some participants in the Compound community have already returned their accidental COMP riches. Others have suggested keeping the money and paying whatever tax is due on the COMP windfall would still be rather lucrative.
Meanwhile, Compound Proposition 63 is being reviewed and is scheduled to be voted on in a few days. It “disables the ability to claim COMP, until the correct distribution logic is restored.” That still leaves time for recipients of misdirected funds to cash in.
The bug, according to blockchain security researcher Mudit Gupta, consists of a single character: the Compound code update used a > operator where it should have used >=.
Compound Incident Analysis:
Compound upgraded their comptroller contract to https://t.co/mgLGKCywxf which had a one letter bug on L1217.
This led to a reverse rug pull in which Comptroller is giving away more rewards to (past) Suppliers than expected. 🧵👇 pic.twitter.com/BskHIibsUJ
— Mudit Gupta (@Mudit__Gupta) September 30, 2021
“The bug happens when someone supplies tokens for a market with zero comp rewards like cSUSHI, and cTUSD before the market is initialized or migrated,” said Gupta via Twitter. “supplyIndex for such tokens remains equal to compInitialIndex which means that the if block on is not triggered.”
By using the > operator rather than the >= operator, the if code block is not called and the supplierIndex variable stays at 0 while supplyIndex is 1e36. The delta, or difference between the two values, becomes 1e36 and the Compound protocol then pays out a reward for 1e36 indexes instead of zero.
In the Compound forum, developers discussing the incident believe it would be a good idea to commit to rigorous testing and auditing prior to major code changes. ®
Note: This article have been indexed to our site. We do not claim ownership or copyright of any of the content above. To see the article at original source Click Here
NYX PROFESSIONAL MAKEUP Lip IV Hydrating Gloss Serum, Lip Stain with 12HR Hydration - Hydra Honey (Brown Lip Gloss)
$12.00 (as of December 22, 2024 19:05 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Onyx Storm (Deluxe Limited Edition) (The Empyrean, 3)
$23.09 (as of December 22, 2024 19:05 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Wind and Truth: Book Five of the Stormlight Archive (The Stormlight Archive, 5)
$24.09 (as of December 22, 2024 19:05 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
Hearth and Homestead: Handmade Whipped Tallow Balm (Unscented/Herb-Infused) - Organic Body Butter with Infused Olive Oil, for Eczema, Rosacea, Baby - 1.3 oz
$29.99 (as of December 22, 2024 19:33 GMT +00:00 - More infoProduct prices and availability are accurate as of the date/time indicated and are subject to change. Any price and availability information displayed on [relevant Amazon Site(s), as applicable] at the time of purchase will apply to the purchase of this product.)
/cdn.vox-cdn.com/uploads/chorus_asset/file/21947011/fVqGMEj8Yvvajhj6SqHF9HKKIraBP_VI.jpg)
