Compound - REKT Post-Mortem
Date: October 4, 2021
What Happened
Compound suffered a significant distribution error in its Comptroller vault. An initial vulnerability resulted in approximately $80 million in excess COMP tokens being incorrectly distributed to users.
Technical Root Cause
A bug in an upgraded Comptroller contract caused COMP distribution amounts to be calculated incorrectly, so users were credited far more COMP than they had earned.
Attack Vector/Exploit Steps
1. Any user could call the drip() function on Compound's Reservoir vault
2. This action refilled the Comptroller, enabling continued incorrect COMP distribution
3. The Reservoir accumulates 0.5 COMP per block and had accumulated over 200,000 COMP (~$68M) over approximately 2 months without being drained
4. A user discovered and exploited this continued vulnerability 3.5 days after the initial incident
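The steps above hinge on one property: the Reservoir's drip() is permissionless, so whatever has accrued there is one public call away from the Comptroller, buggy or not. The following added Python model (not Compound's code; identifiers, the accounting shape and the 400,000-block scenario are assumptions chosen for illustration) reproduces that accrual arithmetic at the 0.5 COMP/block rate the post-mortem gives, adds a monitoring check that reports how much undripped COMP is exposed, and sketches a governance-frozen variant in which drip() refuses to refill a distributor that has been flagged.

```python
# Added illustration, not Compound's code: a minimal model of the
# permissionless Reservoir drip pattern described above, plus a monitor
# that reports how much undistributed COMP a single drip() call would push
# into the downstream distributor. Identifiers and the accounting shape
# are assumptions for illustration.

from dataclasses import dataclass

COMP = 10**18                      # 18-decimal token units
HALF_COMP_PER_BLOCK = COMP // 2    # 0.5 COMP per block, the rate the post-mortem gives


@dataclass
class Reservoir:
    drip_rate: int        # token units released per block
    drip_start: int       # block at which accrual started
    balance: int          # token units currently held by the reservoir
    dripped: int = 0      # cumulative units already sent to the target

    def pending(self, block_number: int) -> int:
        """Units a drip() at block_number would move: accrued since start,
        minus what was already dripped, capped at the reservoir balance."""
        accrued = self.drip_rate * (block_number - self.drip_start)
        return max(0, min(self.balance, accrued - self.dripped))

    def drip(self, block_number: int) -> int:
        """Permissionless drip: any caller releases the pending amount."""
        amount = self.pending(block_number)
        self.balance -= amount
        self.dripped += amount
        return amount


@dataclass
class GuardedReservoir(Reservoir):
    """Assumed hardening (not Compound's design): drip refuses to top up a
    target that governance has frozen, so a known-bad distributor cannot
    be refilled while a fix proposal is pending."""
    target_frozen: bool = False

    def drip(self, block_number: int) -> int:
        if self.target_frozen:
            raise PermissionError("drip blocked: target distributor is frozen")
        return super().drip(block_number)


def exposure_report(res: Reservoir, block_number: int, alert_threshold: int) -> dict:
    """Monitoring check: how many COMP are one public drip() away from the
    distributor, and whether that exceeds the operator's alert threshold."""
    pending = res.pending(block_number)
    return {
        "pending_comp": pending / COMP,
        "alert": pending >= alert_threshold,
    }


if __name__ == "__main__":
    # Constructed scenario: accrual at 0.5 COMP/block for 400,000 blocks
    # (roughly two months of ~13 s blocks) with no drip in between.
    res = Reservoir(drip_rate=HALF_COMP_PER_BLOCK, drip_start=0, balance=300_000 * COMP)
    print(exposure_report(res, 400_000, alert_threshold=50_000 * COMP))
    moved = res.drip(400_000)
    print(f"one drip() moved {moved / COMP:,.0f} COMP to the target")
```

Run stand-alone, the scenario shows roughly 200,000 COMP pending after two months of untouched accrual, which is the order of magnitude the post-mortem reports; the point of exposure_report is that this number is worth alerting on the moment the downstream distributor is known to be misbehaving, because nothing in the unguarded drip() stops a third party from releasing it.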
Financial Impact
Initial loss: ~$80 million
Secondary incident: ~$68.8 million additional COMP sent to the vulnerable vault
Total exposure: Approximately $147 million across all tranches
Remediation
"Proposal 64 contained a fix for the original bug."
Fund Recovery Attempts
Robert Leshner appealed for users to return funds, offering a 10% white-hat bounty. Recovery was unsuccessful—unlike Alchemix's 55% recovery rate, Compound achieved minimal returns.