The seemingly anonymous developer ‘KP’ did everything right immediately after discovering the vulnerability.
The bug was in the protocol’s v3 version, also known as Comet. It would have allowed attackers to steal user funds directly, although doing so would have been wildly unprofitable: KP estimates that an attacker would need billions of dollars in gas fees to steal $1 million in funds.
After finding and validating the vulnerability, KP reported it to Compound and its security partner OpenZeppelin, along with a code repository containing a proof-of-concept simulation of the attack. The bug was patched immediately, and KP then made a “humble” request to the Compound DAO for a reward of $125,000. This is just over 80% of the $150,000 maximum bug bounty reward that is prominently displayed on the protocol’s website.
In his proposal, KP explained that bug bounties “will help provide a great incentive for security researchers and developers to identify and disclose complex bugs and vulnerabilities in the future.” KP added that he is developing a startup on the Comet protocol and that the rewards will “significantly extend our runway and validate our commitment to providing value and becoming the center of the ecosystem.”
KP’s proposal received support from Kevin Cheng, head of protocols at Compound Labs, and Michael Lewellen, head of solutions architecture at OpenZeppelin, who said the DAO would respond to the proposal. Both praised KP’s expertise in the discussion.
But despite support from more than two-thirds of delegates for the compensation, the vote failed, falling just 15,000 votes short of the 400,000-vote quorum needed for passage. A last-minute vote by VC firm Andreessen Horowitz brought the total to 256,000 votes in favor, but for most of the voting period the proposal had appeared unlikely to pass. Unfortunately for KP, it wasn’t enough to reach quorum.
Compound’s guidelines for its bug bounty program state that the protocol intends to “pay generous rewards for eligible discoveries based on the severity and exploitability of the discovery,” but that such rewards are determined “at Compound’s sole discretion.” That an outcome like this could happen was clearly stated.
According to Tally.xyz, cryptocurrency VC firm Polychain did not register a vote despite being the largest holder of COMP tokens; it did not even cast an abstention. None of the parties involved could immediately be reached when The Block requested comment.
KP has since resubmitted his proposal, requesting $100,000 in compensation instead.
Disclaimer: The Block is an independent media outlet delivering news, research and data. As of November 2023, Foresight Ventures is a majority investor in The Block. Foresight Ventures invests in other companies in the cryptocurrency space. Cryptocurrency exchange Bitget is an anchor LP of Foresight Ventures. The Block continues to operate independently to provide objective, impactful and timely information about the cryptocurrency industry.
© 2023 The Block. All rights reserved. This article is provided for informational purposes only. It is not provided or intended to be used as legal, tax, investment, financial or other advice.