An upgrade to DeFi lending protocol Compound Finance has introduced a bug, “causing transactions for ETH suppliers and borrowers to revert” and leaving the platform’s ~$830 million cETH market unusable until a fix is implemented.
Compound announced the incident an hour after the upgrade was executed, stating: “Funds are not immediately at risk, but this is a developing situation.”
While the issue was quickly identified, the fix (simply reverting the smart contract in question to the previous version) cannot be implemented for seven days.
This is due to Compound’s decentralized governance process, which ensures that any changes to the functionality of the protocol can only be made by passing a proposal, voted on by COMP token holders. Any proposed changes face a two-day review followed by a three-day voting period. Successful proposals then pass into a two-day “timelock” queue, where they can be canceled if any last-minute errors are found. Together, these three stages account for the seven-day delay.
In return for deposits on Compound, users receive interest-bearing cTokens that can be held, accumulating interest, or used as collateral to take out over-collateralized loans.
However, due to the differences between ETH and other (ERC-20) tokens on the Ethereum blockchain, Compound uses two types of deposit tokens, CEther and CErc20. The error, introduced in Proposal 117, was in a price calculation which assumed all cTokens functioned as CErc20, leading to the reverted transactions.
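The failure mode described above, as an added example: a simplified Python model, not Compound's Solidity code or the change made by either proposal. It assumes that only CErc20 markets expose an `underlying()` accessor; the class names mirror the article, while the prices, helper names and the ETH branch are constructed for illustration. It also shows a pre-upgrade check that queries the oracle for every listed market.

```python
# Added illustration: a simplified model, not Compound's contracts.
# Assumption: CErc20 markets expose underlying(); CEther wraps native ETH
# and has no such accessor. Revert stands in for a reverted on-chain call.

class Revert(Exception):
    """Models a reverted EVM call."""

class CErc20:
    def __init__(self, symbol, underlying):
        self.symbol, self._underlying = symbol, underlying

    def underlying(self):
        return self._underlying

class CEther:
    symbol = "cETH"  # no underlying(): the asset is ETH itself

PRICES = {"ETH": 110000, "DAI": 100, "USDC": 100}  # constructed, in cents

def _call_underlying(ctoken):
    if not hasattr(ctoken, "underlying"):
        raise Revert(f"{ctoken.symbol}: underlying() not implemented")
    return ctoken.underlying()

def price_assuming_cerc20(ctoken):
    # Flawed lookup: treats every market as a CErc20.
    return PRICES[_call_underlying(ctoken)]

def price_with_eth_branch(ctoken):
    # One possible handling (hypothetical): branch on the native-asset market.
    if isinstance(ctoken, CEther):
        return PRICES["ETH"]
    return PRICES[_call_underlying(ctoken)]

def markets_that_revert(price_fn, markets):
    """Pre-upgrade smoke test: ask the oracle for a price in every market."""
    failed = []
    for market in markets:
        try:
            price_fn(market)
        except Revert:
            failed.append(market.symbol)
    return failed

MARKETS = [CErc20("cDAI", "DAI"), CErc20("cUSDC", "USDC"), CEther()]
```

Running `markets_that_revert` over the full market list before an upgrade is queued surfaces the one market type the new lookup does not cover.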
According to Compound, the proposed code change had been audited by three separate smart contract auditors, though the most recent report linked in the proposal is dated April 1, 2022.
Proposal 119 will revert to the former price oracle once it passes next week, reactivating the cETH market. In the meantime, users with outstanding debt are still able to deposit ETH to avoid liquidation when the market reopens, if necessary.
This is not the first time that Compound has been unable to fix a live bug due to its slow-moving governance. Last September, $80 million in excess rewards was accidentally distributed to depositors, and a further $68.8 million was released while the fix was pending.