Compound bug leaves $80 million in COMP at risk of being misrewarded

A newly introduced upgrade to the DeFi interest rate protocol Compound Finance has contained a bug that leaves some users with unusual amounts of COMP token as rewards to be claimed.

"Unusual activity has been reported regarding the distribution of COMP following the execution of Proposal 062," Compound Labs, the team behind the Compound protocol, tweeted on Wednesday night.

"No supplied/borrowed funds are at risk -- Compound Labs and members of the community are investigating discrepancies in the COMP distribution," it added.

The purpose of the Proposal 62, which went into effective a few hours ago, was to split the COMP distribution to liquidity suppliers and borrowers based on governance-set ratios instead of the previous 50/50 share model. Minor bugs are also to be patched in the new upgrade.

But a new bug contained in the upgraded Comptroller Contract has mistakenly allowed some users to claim as much as about 168,000 COMP tokens already, worth around $50 million. 

Robert Leshner, founder of Compound Labs, said in follow-up tweets that the Comptroller contract address "contains a limited quantity of COMP" while the majority of the reward sits in a different Reservoir contract address.

Hence "the impact is bounded, at worst, 280,000 COMP tokens," Leshner said. That is worth about $80 million as of press time.

The Comptroller contract address now has 112,000 COMP tokens left.

"There are no admin controls or community tools to disable the COMP distribution," Leshner said "Any changes to the protocol require a 7-day governance process to make their way into production."

Meanwhile, Compound Labs and members of the community are "evaluating potential steps to patch the COMP distribution.”