Compound Finance: Governance-introduced bug — updated Comptroller vault incorrectly distributed COMP rewards; any user could call `drip()` to refill the vulnerable vault from the Reservoir
Summary
Compound Finance, a lending / money market protocol, suffered this incident on 2021-09-29, resulting in a loss of approximately $147M.
What happened
Compound's Proposal 62 governance upgrade contained a bug that let any user claim excess COMP rewards, and the protocol's own `drip()` function let anyone keep refilling the vulnerable vault while the fix waited 7 days to pass governance.
Linked factors
- RD-F-001 (related): ★ Direct: Audit scope mismatch (report commit ≠ deployed bytecode) [via cross-hack: Factor 1: Audit Scope Mismatch]
- RD-F-004 (related): Audit count likely 0; floor display [via dashboard_risk_factors/Vulnerability in audited or unaudited code: Unaudited upgrade (new governance proposal code)]
- RD-F-006 (related): Audit-deploy gap (time between audit and deploy)
  - [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — bug was introduced by Proposal 62, a fresh Comptroller upgrade]
  - Audit-deploy gap (alternate field name) [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — bug was introduced by Proposal 62, a fresh Comptroller upgrade]
  - Time between audit end and deploy [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-013 (related): Arbitrary call with user-controlled args [via cross-hack: Factor 14: Public Permissionless Functions That Can Re-Trigger Vulnerable State]
- RD-F-014 (illustrative): Reentrancy guard absence [via cross-hack: Factor 14: Public Permissionless Functions That Can Re-Trigger Vulnerable State]
- RD-F-101 (illustrative): Large governance proposal queued; the real-time signal would have fired [via realtime_signals/Governance/admin action: Y — **this is the exploit itself**: Proposal 62 execution introduced the bug; Proposal 64 was the remediation]
- RD-F-126 (related): Is-a-fork-of (Cat 8 anchor) [via dashboard_risk_factors/Forked: N — Compound is the original; many others forked from it]
- RD-F-127 (illustrative): Upstream Compound has patches that may not be merged here [via dashboard_risk_factors/Forked: N — Compound is the original; many others forked from it]
- RD-F-141 (illustrative): Test-mode parameters left on in deploy (possibly related) [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
- RD-F-146 (illustrative): New deploys in last 30 days (fresh attack surface)
  - [via cross-hack: Factor 4: Newly Deployed or Unannounced Contract]
  - [via dashboard_risk_factors/Exploited code newly deployed/upgraded: Y — bug was introduced by Proposal 62, a fresh Comptroller upgrade]