Technical woes continue to beset decentralized finance (DeFi) protocol Compound this week as a hack resulted in 202,472 COMP, or US$68 million at the time, being transferred from its reservoir to its Comptroller, where the funds remain vulnerable to being drained by subsequent transactions.

Fast facts

  • Yearn.Finance developer Banteg tweeted about the hack late Sunday night Asia time. Since then four separate users were able to drain US$21.5 million from the account, with Banteg saying the remaining US$46 million could be claimed by a further five separate addresses.
  • This hack is a continuation of Compound’s troubles with its Comptroller contract — the part of the protocol responsible for allocating yield farming rewards. After an update called Proposal 062 last week, the Comptroller distributed 280,000 COMP, or about US$90 million at the time, to the wrong people, forcing Compound founder Robert Leshner to ask users to simply return the funds.
  • To sweeten the deal, Leshner said any user who did so would be welcome to keep 10% as a white-hat fee for their honesty, while simultaneously threatening users who did not do so that their information would be lodged with the U.S. Internal Revenue Service. Leshner later revealed that 117,000 COMP had been returned by early this morning, Asia time.
  • The native governance token of Compound, COMP, slumped more than 10% after news broke on Friday of the initial bug with Proposal 062, but quickly began to recover over the weekend to reach US$349 early Sunday morning. The news of this subsequent hack has once again sent its price tumbling more than 10%, and COMP was trading at US$311.33 at press time.