Despite three separate audits, an update to crypto lending protocol Compound contained a software bug, freezing the protocol’s $800M Ether market when it took effect Tuesday.
Compound’s ether market, cETH, is its second-largest, after its market for dollar-pegged stablecoin USD Coin (USDC). Compound is the ninth-largest DeFi protocol with $2.68B in total value locked (TVL), according to The Defiant Terminal.
Withdrawals and liquidations in cETH will remain frozen for about a week, while the proposed solution – to undo the problematic upgrade – makes its way through Compound’s rigid governance process. Deposits remain unaffected, according to the protocol.
Users who deposited ETH in Compound have been warned to keep an eye on their leveraged positions and the price of Ether.
“They might get instantly liquidated whenever the fix proposal executes IF by that time the price of ETH has dropped significantly,” Michael Lewellen, of auditing firm OpenZeppelin, said in a summary of the issue shared in Compound’s governance forum. “These users can add collateral and repay borrowed assets normally to cover for eventual price drops by monitoring their borrow positions accordingly.”
Botched Oracle Upgrade
The upgrade was meant to improve Compound’s oracle, the mechanism by which the protocol retrieves pricing data for the many assets available to its users.
Oracle provider Chainlink, which had proposed the upgrade, incorrectly programmed the price of ETH, according to a person familiar with the matter. Insufficient testing and auditors’ failure to catch the error left users unable to withdraw their ETH after the upgrade took effect Tuesday afternoon, the person said.
In a series of tweets, Compound said that the upgrade had undergone three separate audits.
The proposed solution must be approved by holders of Compound’s governance token in a vote. But Compound’s governance structure – which includes a seven-day period designed to ensure stakeholders have sufficient time to review proposals – means users will have to wait until next Tuesday to access their frozen ETH.
The incident has had little effect on the price of COMP, Compound’s governance token, which was down about 1%, to $46.42, since the bug was discovered Tuesday.