Compound Exploit Drains $21M From Lending Protocol

By Robert Stevens

A week ago, Compound founder Robert Leshner called a bug in his lending protocol’s smart contract a “moral dilemma.” Perhaps for some, but for others today the smart contracts became a vending machine full of free cash.

Today, someone exploited a bug in Compound’s Comptroller contract, which is the part of the protocol that distributes yield farming rewards to users. By calling Compound’s drip() function, they transferred $68 million, or 202,472 COMP, from Compound’s reservoir to its Comptroller.

Since Banteg, a core developer at Yearn.Finance, tweeted about the exploit earlier this afternoon, four major transactions have drained the pool of 64,997 COMP, or $21.4 million. One of those transactions withdrew 37,504 COMP, or $12.3 million. Banteg said that only “addresses with the buggy state can drain” and that there are another five addresses that could claim $45m, “emptying the Comptroller.”

It appears my estimate was low because of stale data in accruedComp. Four users managed to claim $21.5m so far, so maybe there are more funds at risk. I don’t know of a quick way to check all addresses. pic.twitter.com/IOHRby8nni

— banteg (@bantg) October 3, 2021
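The drip-and-claim flow described above, and Banteg’s point that only accounts carrying a stale accrued entry can over-claim, can be modelled with a small simulation. This is an added example, not Compound’s code: the Reservoir, Distributor, fixed-point index math, event log and the injected stale entry are all constructed here, and the replay audit is one way a defender could check every address against a clean recomputation rather than a method the article describes.

```python
"""Constructed model (not Compound's contracts) of a permissionless drip()
plus an index-based reward distributor, with a replay audit that recomputes
every account's claimable rewards from the supply event log."""
from dataclasses import dataclass, field

SCALE = 10**18  # fixed-point scale for reward indexes


@dataclass
class Reservoir:
    balance: int
    drip_rate: int   # reward tokens released per block
    drip_start: int
    dripped: int = 0

    def drip(self, block_number: int, dist: "Distributor") -> int:
        """Anyone may call this; it only releases what the rate allows so far."""
        allowed = self.drip_rate * (block_number - self.drip_start) - self.dripped
        amount = max(0, min(allowed, self.balance))
        self.balance -= amount
        self.dripped += amount
        dist.treasury += amount
        return amount


@dataclass
class Distributor:
    rate_per_block: int           # rewards split among suppliers each block
    treasury: int = 0
    supply_index: int = SCALE
    last_block: int = 0
    total_supplied: int = 0
    supplied: dict = field(default_factory=dict)
    supplier_index: dict = field(default_factory=dict)  # per-account checkpoint
    accrued: dict = field(default_factory=dict)         # stored, claimable balance

    def _projected_index(self, block_number: int) -> int:
        blocks = block_number - self.last_block
        if blocks > 0 and self.total_supplied > 0:
            return self.supply_index + self.rate_per_block * blocks * SCALE // self.total_supplied
        return self.supply_index

    def _update_index(self, block_number: int) -> None:
        self.supply_index = self._projected_index(block_number)
        self.last_block = block_number

    def _accrue(self, account: str) -> None:
        # Credit only the index growth since this account's last checkpoint.
        start = self.supplier_index.get(account, self.supply_index)
        delta = self.supply_index - start
        self.accrued[account] = self.accrued.get(account, 0) + self.supplied.get(account, 0) * delta // SCALE
        self.supplier_index[account] = self.supply_index

    def supply(self, block_number: int, account: str, amount: int) -> None:
        self._update_index(block_number)
        self._accrue(account)
        self.supplied[account] = self.supplied.get(account, 0) + amount
        self.total_supplied += amount

    def claimable(self, account: str, block_number: int) -> int:
        """Read-only view: stored accrued plus unrecorded index growth."""
        index = self._projected_index(block_number)
        start = self.supplier_index.get(account, index)
        return self.accrued.get(account, 0) + self.supplied.get(account, 0) * (index - start) // SCALE

    def claim(self, block_number: int, account: str) -> int:
        self._update_index(block_number)
        self._accrue(account)
        owed = self.accrued[account]
        paid = min(owed, self.treasury)   # a claim can empty, but not overdraw, the treasury
        self.accrued[account] = owed - paid
        self.treasury -= paid
        return paid


def replay_audit(events, rate_per_block: int, live: Distributor, block_number: int) -> dict:
    """Rebuild a clean distributor from the event log and report every account
    whose live claimable amount differs from the recomputed one."""
    clean = Distributor(rate_per_block)
    for block, account, amount in events:
        clean.supply(block, account, amount)
    accounts = set(live.supplied) | set(live.accrued)
    findings = {}
    for account in sorted(accounts):
        got, expected = live.claimable(account, block_number), clean.claimable(account, block_number)
        if got != expected:
            findings[account] = (got, expected)
    return findings


def demo():
    # Constructed event log: (block, account, amount supplied).
    events = [(0, "alice", 100), (0, "bob", 300), (50, "carol", 600)]
    live = Distributor(rate_per_block=4)
    for block, account, amount in events:
        live.supply(block, account, amount)
    reservoir = Reservoir(balance=10_000, drip_rate=4, drip_start=0)
    reservoir.drip(100, live)                       # 400 tokens reach the treasury
    live.accrued["bob"] += 5_000                    # constructed stale entry, not the real bug
    findings = replay_audit(events, 4, live, 100)   # flags bob: 5210 stored vs 210 recomputed
    over_budget = sum(live.claimable(a, 100) for a in live.supplied) - reservoir.dripped
    paid = live.claim(100, "bob")                   # bob takes the whole 400 the treasury holds
    return findings, paid, live.treasury, over_budget


if __name__ == "__main__":
    print(demo())
```

The audit works because honest accrual is a pure function of the supply history and the rate, so any stored value that the replay cannot reproduce is suspect; comparing the summed live claimable total against the amount ever dripped gives a second, cheaper check that does not need a per-address loop.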

Banteg called the exploit “the best-kept secret in DeFi.” Commenting on his post, crypto trader Christopher Mooney said, “I’m honestly impressed it took this long with the number of people that knew. Restores my faith in humanity a little, but in the end one of you chose chaotic neutral.”

The same contract went awry last week, dishing out 280,000 COMP to the wrong users. Leshner asked users to give the funds back and thanked anyone who did. Decrypt has reached out to Leshner about today’s drain and will update this story should we hear back.

Anyone who returns COMP to the community is an alien giga-chad; and if a squad of alien giga-chads ever summon me, I will appear https://t.co/EZLb7g91Ew

— Robert Leshner (@rleshner) October 1, 2021

The bug is difficult to fix because Compound’s protocol has a seven-day grace period on updates. COMP has fallen by 3.2% in the past 24 hours.