The vulnerability comes on the back of a bug in the protocol’s contract that saw over $80 million worth of COMP erroneously distributed to Compound Finance users
Compound (COMP) tokens worth about $162 million were at risk of being drained from the decentralised finance (DeFi) platform’s reward Reservoir following a faulty contract.
The bug resulted from a call to the “drip function”, with malicious actors able to exploit the vulnerability to siphon thousands of COMP tokens.
The Compound protocol adds COMP to the Reservoir contract at a rate of 0.50 COMP every block, but a bug meant thousands of tokens were sent at once.
According to Compound founder Robert Leshner, the drip function had not been called in weeks and developers hoped the next call would follow changes to the protocol meant to effectively prevent such exploits from occurring again.
Over 202,000 COMP were released after the drip function call, with 490,000 COMP tokens at risk, according to an update Leshner tweeted on 3 October.
As per the COMP/USD exchange value at the time of the exploit, nearly $162 million worth of the token was at risk of being drained from the Reservoir.
Although about 117,000 COMP tokens have been returned to the community after the initial error, there are 136,000 tokens still at risk of being claimed by savvy users. DeFi developer Banteg noted early Monday morning that four users had managed to take $21.5 million out of the liquidity reward pool while another five could exploit the bug for over $45 million worth of COMP.
The price of COMP has declined 5% in the past 24 hours to trade around $320 after dipping on the news of the hack. While bulls are looking to reclaim intraday highs of $341, the possibility of going towards support around $310 remains high.
COMP/USD traded as high as $367 over the weekend.