The Compound developers convinced the community that the attack would stop once the Comptroller wallet, which held approximately $82 million at the time, was depleted, but the hackers were aware of another problem in the code.
The DeFi platform’s code is designed so that the “affected” smart contract is constantly replenished with tokens. Future farmer rewards accumulate in the Comptroller at a rate of 0.5 COMP every 15 seconds.
Calling the drip() function triggers an accelerated replenishment of the smart contract’s balance. Compound developers had known about this bug for a long time but were in no hurry to fix it, because hackers would not profit from exploiting this vulnerability.
After the problems with the REP-062 update, the drip() function allowed attackers to replenish the depleted Comptroller balance with another 202,472 COMP, or $66.8 million, and continue the unscheduled airdrop. According to analysts, the platform could lose another $162 million before the patch is released.
Against a total token capitalization of $1.7 billion, Compound’s losses do not seem significant. The problem is that these funds will not reach users. The developers keep insisting that only the payment fund was damaged and that the creditors’ funds were safe, but the hackers used the decentralization mechanism to exploit the bug.
The REP-062 code was community-proposed, audited, and passed through a voting process that the Compound founders could not influence. It is possible that the attackers prepared in advance an attack that would combine the two vulnerabilities into a successful attack on the user reward fund.