A faulty Compound Finance contract intended to disburse liquidity mining rewards over time has been topped off with $66 million – and counting – in tokens on Sunday morning.
About $22 million of those funds were then exploited due to the same bug that drained $80 million in tokens throughout the latter half of last week, per one DeFi developer, who told CoinDesk that the remaining $44 million has now been determined to be at risk.
Read more: DeFi Money Market Compound Overpays Millions in COMP Rewards in Possible Exploit; Founder Says $80M at Risk
At approximately 9:30 AM EDT, one ETH address claimed 37,504 of the tokens worth $12 million, and another claimed 14,995 worth $4.9 million. The funds were claimed by contracts from the MakerDAO DSProxy factory, and are now in two separate addresses.
Additional claims of 9499, 1699, and 2999 COMP have brought the total drained to $22 million.
MakerDAO representatives have been active in helping to find solutions to the bug, per Compound founder Robert Leshner. A MakerDAO rep did not return a request for comment by the time of publication.
In a tweet on Sunday morning, pseudonymous Yearn.Finance core contributor ‘banteg,’ who has also been weighing in on Compound governance forums in the wake of the bug, wrote that the ability to top off the bugged contract has been “known for a few days now” but that the community plan “was to keep shush and hope nobody discovers it for a week.”
Compound’s contracts do not have a multi-signature scheme that allows for more immediate upgradability, and instead changes can only be made after a seven-day governance process designed to make the protocol more resilient to hostile changes. That security architecture is now serving as a barrier to a patch to the faulty code.
A debate is underway in the community regarding what users should do with the funds that they’ve received. Leshner split the debate broadly into two categories: DeFi “builders” who see protocols like Compound as public goods and the erroneous tokens as belonging to the community, and “profit maximalists” more inclined to say “haha, f*** you, this is your problem.”
The adding of new funds to the contract is still underway. Users are now continuously calling a function to add funds to the Comptroller contract from the Compound Reservoir, potentially putting the added funds at risk.
In a statement to CoinDesk, banteg said that while it was initially estimated that the impact of the exploit was just 1/4 of the $66 million recently added funds, more addresses were found that could make claims that would empty the comptroller.
The price of COMP has lost more than 5% in the last 24 hours and in recent trading was at $330.53.
UPDATE (Oct. 3, 16:32 UTC): Increases amount of exploit to $22 million, updates to say entire $66 million is now considered vulnerable.