The decentralized finance (DeFi) protocol Compound Finance faced further problems over the weekend when, on Sunday, nearly $65 million in COMP was moved into the bug-ridden contract.
According to Etherscan, on October 3, 202,472.5 COMP worth $64.67 million was transferred from the Compound reservoir contract to the protocol.
What this means is that the newly infused funds are also at risk of being exploited. Yesterday, one address showed a transfer of about 4.8 million and another almost USD 12 million.
It turns out that this ability to add funds to the compromised contract was known, but apparently it was decided to keep it a secret. Yearn.finance (YFI) lead contributor “banteg” claimed that “this has been known for a few days, but there is no possible mitigation, so the plan was to shut up and hope no one found out for a week.”
A Compound Labs tweet on October 2 announced a new proposal that “fixes the error introduced” by the proposal that caused it and “resumes COMP distribution for most users.” It appears that the team behind the protocol was hoping that no one would use this ability until the two proposals that followed the flawed one are implemented on October 7.
In response, Robert Leshner, founder of Compound Labs, said that the reservoir contract has the majority of COMP reserved for users and that it drips 0.50 COMP / block into the protocol. “No one had called the feature in weeks, and community developers were hopeful that Proposition 63 or 64 (on governance) could go into effect before it was called.”
So what happened, according to the founder, is that when someone called this “drip function” on Sunday morning, it sent the entire accumulation of 202,472.5 COMP, or about two months of COMP since it was last called, to the protocol for distribution to users.
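A simplified model of the drip accrual described above, as an added example and not Compound's contract code. The accrual formula, the class and field names and the starting balance are assumptions; only the 0.50 COMP per block rate and the 202,472.5 COMP figure come from the article.

```python
from dataclasses import dataclass

WAD = 10**18  # COMP has 18 decimals; amounts are kept as integers


@dataclass
class Reservoir:
    """Assumed model of a drip-style reservoir feeding a target contract."""
    balance: int        # base units still held by the reservoir
    drip_rate: int      # base units accrued per block
    drip_start: int     # block at which accrual began
    dripped: int = 0    # total already forwarded to the target

    def pending(self, block: int) -> int:
        """Amount that a drip call at `block` would forward."""
        accrued = self.drip_rate * (block - self.drip_start)
        return min(self.balance, accrued - self.dripped)

    def drip(self, block: int) -> int:
        """No caller check: whoever calls forwards everything accrued so far."""
        amount = self.pending(block)
        self.dripped += amount
        self.balance -= amount
        return amount


def blocks_to_accrue(amount: int, drip_rate: int) -> int:
    """Blocks without a drip call needed to build up `amount` (rounded up)."""
    return -(-amount // drip_rate)


def exposure(res: Reservoir, block: int, target_balance: int) -> int:
    """Defender's view: funds in the flawed target plus what one call adds."""
    return target_balance + res.pending(block)


if __name__ == "__main__":
    rate = WAD // 2                       # 0.50 COMP per block (from the article)
    released = 2_024_725 * WAD // 10      # 202,472.5 COMP (from the article)
    gap = blocks_to_accrue(released, rate)
    res = Reservoir(balance=1_000_000 * WAD, drip_rate=rate, drip_start=0)  # constructed balance
    print("blocks without a drip call:", gap)
    print("pending before the call   :", res.pending(gap) / WAD, "COMP")
    print("forwarded by one call     :", res.drip(gap) / WAD, "COMP")
    print("pending right after       :", res.pending(gap) / WAD, "COMP")
```

The pending amount grows every block whether or not anyone is watching, so it counts toward the funds at risk for as long as the target contract remains flawed.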
And while c. 117,000 COMP (37.28 million US dollars) had been returned as of the time of writing, some 490,000 COMP (156.12 million) in total were reported as vulnerable.