The Tally Newsletter, Issue 47
October 6, 2021
Welcome back for issue 47 of the Tally Newsletter, a publication focused on all things decentralized governance. We’ll keep you updated on key proposals, procedural changes, newly launched voting systems, shifting power dynamics, and anything else you need to know to be an informed citizen.
This week, we offer a deep dive into the recent Compound bug impacting rewards distributions, including scope of the incident and potential impact on protocol governance design.
Bug in Proposal 62 Results in Loss of 280,000 COMP Tokens
TL;DR: While some funds may be returned by users, the rewards bug currently represents the largest loss of funds for a defi protocol.
Compound’s proposal 62 was meant to improve the COMP rewards distribution mechanism to better align incentives and reduce parasitic farming. It allows governance to set separate reward rates for borrowers versus suppliers of each asset, which would have supported better reward targeting and potentially lower emissions. It was vetted by several community members and received broad support.
But due to a critical bug, some users were able to claim far more than the intended amount of rewards, effectively draining the rewards issuing Comptroller contract and causing the protocol (but not users) to suffer a significant loss.
Initially, the bug was thought to affect a maximum of 280,000 COMP tokens (the amount held in the Comptroller contract at the time of proposal 62). But it became apparent that additional funds were at risk, due to a continuous flow of funds from the main COMP reservoir contract into the comptroller.
With all of the funds put together, this Compound incident became the largest single loss of funds in defi history (noting that all funds from the Poly Network hack were returned by the attacker), with a total loss of up to $140 million.
This bug has some key differences versus other notable hacks, as many of the users receiving extra rewards may have had no ill intentions and simply gotten lucky. Without an element of mens rea (guilty intentions), it’s unclear if this incident even meets the criteria to be called a hack or what obligations users may have to return excess funds.
Compound founder Robert Leshner’s initial threats of legal action were met with resistance by many in the community, and he quickly changed course to a more constructive approach to requesting the return of funds. This seems to have paid off, with over 160,000 COMP returned out of the ~480,000 at risk.
Open Questions for Governance Design
Should protocol governance rely on external legal mechanisms?
Without accounting for this properly up front (with clear and enforceable contractual mechanisms), it may not be possible to seek legal redress for issues after the fact. Sentiment in the defi community generally favors a “code is law” approach that eschews legal mechanisms, but this incident along with other hacks show potential benefits of clearly spelled out rights and responsibilities for protocol users.
Do the benefits of timelock mechanisms outweigh the risks?
Compound’s response to the incident was significantly hampered by the long period required to pass governance proposals. Including the pre vote review period, voting period, and post approval timelock, it takes 7 days to enact changes to the protocol. During this time additional funds were able to be drained by users.
While delays give users time to safeguard themselves against malicious actions or opt out of proposals they disagree with, it also hamstrings disaster recovery efforts. With defi still so young and many protocols’ voting bodies still fairly centralized (theoretically lowering risk of hostile governance attacks), one could argue that shorter proposal delays make sense.
Can centralized governance bypass mechanisms help mitigate risk?
Certain protocols, including Compound competitor Aave, feature a semi centralized mechanism for emergency protocol changes or proposal vetos that can bypass the standard governance process.
While there is often aversion to more centralized mechanisms such as multisigs, they offer a way to resolve critical bugs quickly and minimize collateral damage. Other options include introducing new fast track proposal types within the standard token voting system; for example allowing a new proposal type that would use much shorter delay periods while requiring a higher approval threshold.
How should protocols balance the interests of token holders versus integrators?
Proposal 63, which temporarily disables COMP claiming to stem losses from the bug, would also impact certain Compound integrations that automatically claim accrued rewards as part of user interactions - the proposal would make their users’ transactions fail leading to temporary loss of service.
Some community members chose to vote against proposal 63, reasoning that consistent uptime for users and integrators was more important than the remaining funds at risk.
At the time of writing, over 163,000 COMP has been returned with 126,000 remaining unclaimed in the Comptroller contract 18 hours before the rewards bug is patched with proposal 63’s execution. So the current impact is roughly 190,000 COMP tokens lost, with a market value of around $60 million.
Anything we missed? New developments or protocols you’d like to see covered? Drop us a line at email@example.com