It was a very difficult weekend for Compound, one of the largest decentralized finance platforms in the world.
According to Compound founder Robert Lescher, a routine network update went badly wrong, risking $160 million worth of cryptocurrencies in a pool that could ultimately be drained by experts who knew how to exploit the bug.
Over the weekend, Lescher has asked users to return any cryptocurrency they have received or requested from the pool. More than $30 million was returned on Sunday, he said. Here are the details.
First on Thursday, around $90 million worth of tokens were accidentally sent to users of DeFi protocol Compound. Things went wrong in an update and it turned out that the new Comptroller contract had a bug that caused some users to get too much COMP.
Compound’s problems escalated on Sunday when users realized they could exploit this glitch to pull more money from Compound’s repository into the Comptroller pool.
A user exploited the bug to send $69 million worth of Comp tokens to Comptroller. Some users were then able to withdraw large sums from the pool. Lescher announced on Sunday that 490,000 Comps worth $160 million were at risk. Comp was down 6.1% to $318.22 on Monday.
Users take advantage of massive Compound glitch
In fact, after the turmoil on Thursday, Compound took action to resolve the huge amount of money being sent to users. However, due to the management model, it takes seven days for any change to pass through the system.
The delay meant that the glitch could be exploited. Knowledgeable users have added more coins to the Comptroller pool using a function called “drip”. A user figured this out Sunday night and sent $68.8 million worth of Comp into the pool. After the Compound community noticed this, users started withdrawing millions of dollars from Comptroller.
As of Monday, there was $43.4 million in the pool. Crypto expert Banteg said on Twitter that Compound faced the biggest loss in a smart contract incident.
How did the founder of Compound follow?
Lescher’s first reaction to Thursday’s failed update was to threaten users, saying that users who did the action would be reported to the authorities and their details would be shared online. He later apologized and said the threat was the wrong approach. “I try to do everything I can to help the community get some of their COMP back,” he said.
Over the weekend, Lescher thanked users who returned the money and stepped up calls for the rest to be returned. Lescher said 117,000 Comps worth approximately $37 million were returned on Sunday.