Compound unanimously passes proposal to repair bug
Proposal 064 seeks to repair the token distribution bug introduced during Proposal 062 once and for all.
Compound Finance announced the passing of Proposal 064 on Thursday, titled the “Fix COMP Accrual Bug.” The proposal states that this update will attempt to “patch the bug introduced in Proposal 62 and pessimistically allow COMP reward withdrawals until the bad COMP accruals can be fixed.”
The proposal, which was written primarily by the same community members who proposed the original upgrade, received unanimous COMP votes of 1,037,107 for and 0 against from 27 key addresses including CEO Robert Leshner, Andreessen Horowitz’s A16z, Gauntlet and Pantera Capital. The proposal is now expected to execute on Saturday.
Users who interacted with the six affected markets — cTUSD, cMKR, cSUSHI, cYFI, cAAVE, and cSAI — will not be able to claim rewards from their entitled staked COMP tokens until after the issue is fully resolved.
Proposal 064 passed, and can be executed in two days:
1,037,107 COMP ✅
0 COMP ⛔️
For the majority of users, the COMP Distribution will return to normal after execution.
Certain users (that hit the 62 bug) will be unable to claim COMP until after a future patch.
— Compound Labs (@compoundfinance) October 7, 2021
This last Friday, Cointelegraph reported that a token distribution bug within the community-written Proposal 062 exposed a potentially devastating financial distribution flaw in which users of the protocol were mistakenly able to claim COMP tokens to the sum of $70 million.
If exploited to the fullest, the bug would threaten to drain all COMP tokens held within the Comptroller contract, leaving only those left in the Reservoir contract.
Attempts to rectify the crisis were immediately instigated through Proposal 063, which took seven days to reach production due to the protocol’s governance procedure of reviewing, voting and time lock. This lasted two, three and a further two days, respectively.
However, the seven-day delay enabled a malicious entity to exploit the drip() functionality, transferring $68.8m from the reservoir to the Comptroller, which increases the pool for incorrectly distributed COMP rewards.
The website’s governance reveals the reason for a further proposal iteration:
“Proposal 63 prevents further COMP from being distributed until the correct logic is restored but causes issues for protocols that integrated with Compound and required the claim functionality.”
Proposal 064 is expected to resolve Compound’s accrual issues, but the lost funds can only be reclaimed on a individual basis — a decision the protocol said is down to each user’s moral discretion.