DeFi is a fascinating tech allowing everyone to participate in an independent financial ecosystem that does not answer to any central authority. However, it is still in its early age and bugs in smart contracts’ code are all too common, even in the long-established protocols, especially when they undergo updates.
Yesterday the interest rate protocol Compound erroneously paid $15M in COMP tokens to its users who otherwise should have received much smaller amounts.
This unexpected Christmas day was caused by a flaw in the recently updated distribution smart contract.
Token distribution being decentralized, Compound Labs cannot fix the bug by itself: any changes to the protocol require a 7-day governance process to be approved. This is a bummer, but on the other hand it shows the protocol decentralization, which is one of the greatest values in the DeFi world.
Whether the bug in the update was put intentionally or not, it could have led to some real exploits: shortly after the Compound Labs CEO announced the incident, $27M worth of tokens were claimed in a single transaction for what appears to be the borrowing of $0.
As the fifth-big DeFi protocol with over $9Bn of total value locked, Compound is now going through hard times.