Compound Finance’s smart contracts overpaid users millions of dollars in COMP tokens after a protocol update was deployed with a flaw in the code.
The impact of the bug is limited to 280K COMP tokens and does not affect user deposits or loans, founder Robert Leshner said in a tweet. Just over 110K COMP tokens remain in the contract at the time of writing.
COMP fell as much as 15% after news of the bug broke, before recovering some losses.
The bug entered the fifth-largest DeFi protocol by value locked through a proposal that one community member wrote and other community members reviewed and approved. Any change to the protocol to fix the issue will require a seven-day governance process.
Still, the Compound team was quick to react to the issue and disabled the claim function on the website.
One user was able to claim 91K COMP tokens, worth $27M at the time of writing.
“This is the greatest opportunity, and greatest risk for a decentralized protocol – that an open development process allows a bug to enter production,” Leshner said in a tweet.
The affected part of the code was the Comptroller contract, which is responsible for distributing rewards to liquidity providers on the platform.
While the frontend remains disabled, users continue to claim COMP tokens by interacting directly with the contract. The remaining COMP tokens are likely to be claimed as more users learn of the bug. The compromised funds make up 2.8% of the total COMP supply.