Compound DAO vote to pay developer for major bugfix falls 15,000 votes short of quorum

Quick Take

  • A vote by Compound DAO to reward a blockchain developer who reported and fixed a vulnerability that would've allowed a hacker to steal funds, though only at an unprofitable cost, failed, falling 15,000 votes short of the required 400,000-vote quorum of supporting votes.
  • Over 70% of votes cast were in favor of the proposal, which would have rewarded the developer with a payout of $125,000 for his work.

By all appearances, pseudonymous developer 'KP' did everything right after discovering a vulnerability in Compound's v3 protocol, also known as Comet. The vulnerability would've allowed a hacker to directly steal user funds, though at a massively unprofitable cost — it would cost an attacker billions in gas fees to steal $1 million in funds, KP estimated.

After finding and validating the vulnerability, KP reported it to Compound and its security partner OpenZeppelin, along with a code repository containing a proof-of-concept simulation of the attack. The bug was promptly patched, and so KP made a "humble" request to Compound DAO: a reward of $125,000, a little over 80% of the $150,000 maximum Compound DAO pays for bug bounties, a figure prominently displayed on the protocol's website.

In his proposal, KP explained that a bug bounty would help in "greatly motivating security researchers and developers in identifying and disclosing Compound bugs and vulnerabilities in the future." KP added that he's developing a startup on the Comet protocol, and that the reward would "greatly prolong our runway and enable us to see through our efforts of providing value and becoming a mainstay of the ecosystem." 

KP's proposal brought with it endorsements from Kevin Cheng, head of protocol at Compound Labs, and Michael Lewellen, head of solutions architecture at OpenZeppelin, who praised KP's professionalism in fixing the bug during the DAO's discussion of the proposal.

However, despite more than two-thirds support among delegates for the reward, the vote failed, falling just 15,000 votes short of the 400,000-vote quorum needed to pass. The vote appeared far from passing for most of the voting period, though a last-minute vote by VC firm Andreessen Horowitz brought 256,000 votes in favor. Unfortunately for KP, it wasn't enough to reach quorum.


Compound's guidelines for the bug bounty program state that the protocol intends to "pay generous rewards for eligible discoveries based on the severity and exploitability of the discovery," though they clarify that such rewards are decided "at Compound's sole discretion."

KP's cause was also supported by Wintermute, though crypto VC firm Polychain failed to register any vote — even a vote abstaining — despite being the largest holder of COMP tokens, according to Tally.xyz. None of the parties involved could be immediately reached when asked for comment by The Block. 

KP has since resubmitted the proposal, asking for a reward of $100,000 instead. 


About Author

Zack Abrams is a writer and editor based in Brooklyn, New York. Before coming to The Block, he was the Head Writer at Coinage, a Web3 media outlet covering the biggest stories in Web3. The story he co-reported on Do Kwon won a 2022 Best in Business Journalism award from SABEW. Other projects included a deep dive into SBF's defense based on exclusive documents and unveiling the identity of the hacker behind one of 2023's biggest crypto hacks — so far. He can be reached via X @zackdabrams or email, [email protected].