Compound Finance announced the passing of Proposal 064 on Oct. 7, titled the “Fix COMP Accrual Bug.” The proposal states that this update will attempt to “patch the bug introduced in Proposal 62 and pessimistically allow COMP reward withdrawals until the bad COMP accruals can be fixed.”
The proposal, which was primarily written by the same community members who proposed the original upgrade, received unanimous COMP votes of 1,037,107 for and 0 against from 27 key addresses including CEO Robert Leshner, Andreessen Horowitz’s A16z, Gauntlet and Pantera Capital. The proposal is now expected to execute on Oct. 9th.
Users who interacted with the six affected markets — cTUSD, cMKR, cSUSHI, cYFI, cAAVE, and cSAI — will not be able to claim rewards from their entitled staked COMP tokens until after the issue is fully resolved.
On Sept. 30th, Cointelegraph reported that a token distribution bug within the community-written Proposal 062 exposed a potentially devastating financial distribution flaw in which users of the protocol were mistakenly able to claim COMP token to the sum of $70 million.
If exploited to the fullest, the bug threatened to drain all COMP tokens held within the Comptroller contract, leaving only those left in the Reservoir contract.
Attempts to rectify the crisis were immediately instigated through Proposal 063 which took 7-days to reach production due to the protocol’s governance procedure of reviewing, voting and time lock. This lasted 2, 3 and a further 2 days respectively.
However, the seven-day delay enabled a malicious entity to exploit the drip() functionality, transferring $68.8m from the reservoir to the Comptroller which increases the pool for incorrectly distributed COMP rewards.
The website’s governance revealed the reason for a further proposal iteration:
“Proposal 63 prevents further COMP from being distributed until the correct logic is restored but causes issues for protocols that integrated with Compound and required the claim functionality.”
Proposal 064 is expected to resolve Compound’s accrual issues, but the lost funds can only be reclaimed on a individual basis — a decision the protocol said is down to each user’s moral discretion.
Source: Read Full Article