The Tally Newsletter, Issue 47
newsletter.tally.xyz

October 6, 2021

Nate Parton

Welcome back for issue 47 of the Tally Newsletter, a publication focused on all things decentralized governance. We’ll keep you updated on key proposals, procedural changes, newly launched voting systems, shifting power dynamics, and anything else you need to know to be an informed citizen. 

This week, we offer a deep dive into the recent Compound bug impacting rewards distributions, including the scope of the incident and its potential impact on protocol governance design.


Bug in Proposal 62 Results in Loss of 280,000 COMP Tokens

TL;DR: While some funds may be returned by users, the rewards bug currently represents the largest loss of funds for a defi protocol.

Compound’s proposal 62 was meant to improve the COMP rewards distribution mechanism to better align incentives and reduce parasitic farming. It allows governance to set separate reward rates for borrowers versus suppliers of each asset, which would have supported better reward targeting and potentially lower emissions. It was vetted by several community members and received broad support.

But due to a critical bug in the new Comptroller implementation, some users were able to claim far more than the intended amount of rewards, effectively draining the rewards-issuing Comptroller contract and causing the protocol (but not its users, whose supplied and borrowed funds were never at risk) to suffer a significant loss.

Robert Leshner (@rleshner), September 30th 2021:
A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol. The new Comptroller contract contains a bug, causing some users to receive far too much COMP.

Quoting Compound Labs (@compoundfinance):
🚨 Unusual activity has been reported regarding the distribution of COMP following the execution of Proposal 062. No supplied/borrowed funds are at risk -- Compound Labs and members of the community are investigating discrepancies in the COMP distribution.

Robert Leshner (@rleshner), September 30th 2021:
The Comptroller contract (0x3d9819210A31b4961b30EF54bE2aeD79B9c9Cd3B) contains a limited quantity of COMP; the majority sits in the Reservoir contract (0x2775b1c75658Be0F640272CCb8c72ac986009e38) which releases 0.50 COMP/block. The impact is bounded; at worst, 280k COMP tokens.

Initially, the bug was thought to affect at most 280,000 COMP (the amount held in the Comptroller contract when proposal 62 executed). But it soon became apparent that additional funds were at risk: the bulk of Compound's COMP sits in a separate Reservoir contract that vests 0.50 COMP per block toward the Comptroller, and anyone can call its drip() function to move the vested-but-undelivered balance across. The loss was therefore bounded not by what the Comptroller happened to hold, but by everything that could be dripped into it before a fix landed.

banteg (@bantg), October 3rd 2021:
The best-kept secret in DeFi is out, someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller. I've run the numbers and it seems about 1/4 of that could be drained.
etherscan.io/tx/0x02ba168f4…

Counting the dripped funds as well, this Compound incident became the largest single loss of funds in defi history (noting that all funds from the Poly Network hack were returned by the attacker), with a total loss of up to $140 million.

Source: Rekt

This bug has some key differences versus other notable hacks, as many of the users receiving extra rewards may have had no ill intentions and simply gotten lucky. Without an element of mens rea (guilty intentions), it’s unclear if this incident even meets the criteria to be called a hack or what obligations users may have to return excess funds. 

Robert Leshner (@rleshner), October 1st 2021:
If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat. Otherwise, it's being reported as income to the IRS, and most of you are doxxed.

Compound founder Robert Leshner’s initial threats of legal action were met with resistance by many in the community, and he quickly changed course to a more constructive approach to requesting the return of funds. This seems to have paid off, with over 160,000 COMP returned out of the ~480,000 at risk. 

Robert Leshner (@rleshner), October 1st 2021:
Anyone who returns COMP to the community is an alien giga-chad; and if a squad of alien giga-chads ever summon me, I will appear

Quoting John Sterlacci 🏝 (@JohnSterlacci):
the first 5 people to return COMP get 1/5 pieces of leshner NFT that can be combined exodia style to summon robert IRL

Open Questions for Governance Design

  • Should protocol governance rely on external legal mechanisms?

gabrielShapir0 (@lex_node), October 1st 2021:
@MonetSupply Give me a legal opinion from a reputable law firm that the COMP in question was clearly owned by someone else prior to this event, and I'll agree with you. Want clear legal remedies? Define clear legal rights & obligations. Can't have & eat cake.

Without accounting for this properly up front (with clear and enforceable contractual mechanisms), it may not be possible to seek legal redress after the fact. Sentiment in the defi community generally favors a "code is law" approach that eschews legal mechanisms, but this incident, along with other hacks, shows the potential benefits of clearly spelled out rights and responsibilities for protocol users.

  • Do the benefits of timelock mechanisms outweigh the risks?

Compound’s response to the incident was significantly hampered by the long period required to pass governance proposals. Including the pre-vote review period, the voting period, and the post-approval timelock, it takes 7 days to enact changes to the protocol. Throughout that window the buggy Comptroller remained live, and users continued to drain additional funds from it.

banteg (@bantg), September 30th 2021:
Compound issue shows there is a really hard trade-off between permissionlessness and the ability to quickly and discreetly patch up vulns. The community always demands things like timelocks, but they can do a lot of harm when things go south.

While delays give users time to safeguard themselves against malicious actions or opt out of proposals they disagree with, they also hamstring disaster recovery efforts. With defi still so young and many protocols’ voting bodies still fairly centralized (which in theory lowers the risk of hostile governance attacks), one could argue that shorter proposal delays make sense.
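To make the two points above concrete (the Reservoir drip widening the blast radius, and the 7-day governance delay adding to it), here is a small Python model. It is an added example written for this issue, not Compound's own contract code: the accounting follows the behaviour the tweets describe (a fixed 0.50 COMP/block release that anyone may trigger with drip()), but the class names, the block numbers, the balances and the blocks-per-day figure are constructed for illustration, and the "claim" here is a deliberately naive stand-in for the real index bug.

```python
"""Toy model of Compound's Reservoir -> Comptroller flow during the Proposal 62 incident.

Added example, not Compound's code. Balances and block numbers are constructed
so that the figures line up with the round numbers quoted in the newsletter.
"""
from dataclasses import dataclass

COMP_PER_BLOCK = 0.50      # Reservoir release rate quoted in the tweets above
BLOCKS_PER_DAY = 6_500     # assumption: roughly 13.3 s Ethereum blocks in late 2021


@dataclass
class Reservoir:
    """Holds the bulk of the COMP and vests `rate` per block toward its target."""
    balance: float
    drip_start: int
    rate: float = COMP_PER_BLOCK
    dripped: float = 0.0   # cumulative COMP already pushed to the target

    def accrued_undripped(self, block: int) -> float:
        """COMP that has vested by `block` but has not yet been moved to the target."""
        vested = self.rate * (block - self.drip_start)
        return min(self.balance, vested - self.dripped)

    def drip(self, block: int, target: "Comptroller") -> float:
        """Permissionless: any caller moves the vested-but-undripped COMP across."""
        amount = self.accrued_undripped(block)
        self.balance -= amount
        self.dripped += amount
        target.balance += amount
        return amount


@dataclass
class Comptroller:
    """Rewards distributor. After Proposal 62, whatever it holds can be over-claimed."""
    balance: float
    claiming_enabled: bool = True   # Proposal 63 flips this to False

    def claim(self, requested: float) -> float:
        """Naive stand-in for the buggy claim: pays whatever is asked, capped by balance."""
        if not self.claiming_enabled:
            raise RuntimeError("COMP claiming is disabled")
        paid = min(requested, self.balance)
        self.balance -= paid
        return paid


def funds_at_risk(comptroller: Comptroller, reservoir: Reservoir, block: int) -> float:
    """Worst case right now: what the Comptroller holds plus what anyone can drip into it.

    The naive bound (Comptroller balance alone) ignores the permissionless inflow.
    """
    return comptroller.balance + reservoir.accrued_undripped(block)


def exposure_after_delay(comptroller: Comptroller, reservoir: Reservoir,
                         block: int, delay_blocks: int) -> float:
    """Exposure if the fix only executes `delay_blocks` later and drip() keeps being called."""
    return funds_at_risk(comptroller, reservoir, block + delay_blocks)


def incident_scenario() -> dict:
    """Constructed scenario: 280k COMP in the Comptroller, 200k vested in the Reservoir."""
    block = 400_000
    reservoir = Reservoir(balance=1_500_000.0, drip_start=0)
    comptroller = Comptroller(balance=280_000.0)
    naive_bound = comptroller.balance
    real_bound = funds_at_risk(comptroller, reservoir, block)
    after_timelock = exposure_after_delay(comptroller, reservoir, block, 7 * BLOCKS_PER_DAY)
    reservoir.drip(block, comptroller)            # "someone called drip()"
    drained = comptroller.claim(10_000_000.0)     # over-claim takes everything it holds
    return {
        "naive_bound": naive_bound,
        "bound_with_drip": real_bound,
        "bound_after_7_day_timelock": after_timelock,
        "drained": drained,
    }


if __name__ == "__main__":
    for key, value in incident_scenario().items():
        print(f"{key:>28}: {value:,.0f} COMP")
```

The useful habit this models: when bounding the loss from a live bug, add every permissionless inflow into the vulnerable contract (here 0.50 COMP per block, claimable by anyone via drip()) to the contract's own balance, and then add rate × delay for however long governance needs to ship the fix.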

  • Can centralized governance bypass mechanisms help mitigate risk?

Certain protocols, including Compound competitor Aave, feature a semi-centralized mechanism for emergency protocol changes or proposal vetoes that can bypass the standard governance process.

Figue (🛡️,🛡️) - Paladin (@Figue_me), September 23rd 2021:
As explained in AIP-04 the Guardian is a community multisig created to veto malicious governance attacks. Its existence is one of the reasons why we feel vote lending can be experimented on Aave governance
Linked: "Aave Protocol Governance V2 has been activated!" (medium.com)

While there is often aversion to more centralized mechanisms such as multisigs, they offer a way to resolve critical bugs quickly and minimize collateral damage. Other options include introducing new fast-track proposal types within the standard token voting system; for example, a proposal type that uses much shorter delay periods in exchange for a higher approval threshold.

  • How should protocols balance the interests of token holders versus integrators?

Proposal 63, which temporarily disables COMP claiming to stem losses from the bug, would also impact certain Compound integrations that automatically claim accrued rewards as part of user interactions: with claiming disabled, their users’ transactions would revert, leading to a temporary loss of service.

Getty Hill | Hiring (@getty_hill), October 5th 2021:
Compound Proposal 63: For. If funds at-risk drop below $20m, I'll be pushing hard to cancel (via community multisig) the proposal before execution. If not canceled, some integrators will be hurt until 64 is executed. Tough situation the protocol is in. A lot of debate over this

Some community members chose to vote against proposal 63, reasoning that consistent uptime for users and integrators was more important than the remaining funds at risk.


At the time of writing, over 163,000 COMP has been returned with 126,000 remaining unclaimed in the Comptroller contract 18 hours before the rewards bug is patched with proposal 63’s execution. So the current impact is roughly 190,000 COMP tokens lost, with a market value of around $60 million. 


Thanks for joining us for issue 47 of the Tally Newsletter. Be sure to check out the Tally governance app and join us on Discord for the latest updates!

Anything we missed? New developments or protocols you’d like to see covered? Drop us a line at newsletter@withtally.com 

Best,

Nate, Tally
