Compound is one of the pioneers of the decentralized governance model, and this incident has to a certain extent exposed the flip side of DAO governance.
Original title: “Compound misdistributed 80 million U.S. dollars of tokens, and it will take another seven days to fix the vulnerability”
Written by: Azuma
On September 30, the leading decentralized lending protocol Compound stated on its official Twitter account that after “Governance Proposal 062” was passed and implemented today, a bug in the upgraded contract caused an abnormal distribution of COMP tokens.
Specifically, the vulnerability appeared in the upgraded “Compound: Comptroller” (0x3d9819210A31b4961b30EF54bE2aeD79B9c9Cd3B) contract. The COMP tokens that should have been slowly distributed to all liquidity providers (borrowers and lenders) through this contract were released incorrectly, and some users received a much higher than normal amount of COMP. As shown in the figure below, a single address beginning with 0x2e4ae alone received nearly 30,000 COMP, worth about 9 million US dollars, from the “Compound: Comptroller” contract.
Vulnerability impact assessment
First of all, it should be emphasized that, in terms of impact, this Compound incident directly affects only the expected returns of liquidity providers. In theory, users’ deposits, borrowings and positions will not be disturbed, so there is no need to panic unduly.
In addition, according to Compound founder Robert Leshner, the total amount of COMP in the “Compound: Comptroller” contract is limited, and more of the COMP tokens used for mining and distribution actually sit in another contract, “Compound: Reservoir” (0x2775b1c75658Be0F640272CCb8c72ac986009e38). That contract is still distributing normally at a rate of 0.5 COMP per block. In the most extreme case, that is, when the tokens in the “Compound: Comptroller” contract are withdrawn, approximately 280,000 COMP will be affected, with a total value of approximately US$80 million.
Judging from on-chain data, about 170,000 COMP has so far been withdrawn from the “Compound: Comptroller” contract and about 110,000 COMP is left, while the “Compound: Reservoir” contract is operating without any abnormality. This is consistent with Leshner’s statement.
Cause of the incident
The cause of this vulnerability is the “Governance Proposal 062” mentioned above. The purpose of this proposal was to adjust the ratio in which COMP is distributed to different liquidity providers.
According to the protocol operation rules, Compound will distribute 2,880 COMP tokens to all liquidity providers every day. Half of these tokens will be distributed to borrowers and half to lenders. However, in daily operations, Compound found that this half-and-half distribution method did not fully take into account the market demand situation, resulting in some distortions in the market (such as negative interest rates). Therefore, on September 22, community member Tyler Loewen submitted an improvement proposal in the Compound governance module, intending to change this half-and-half distribution method to dynamic adjustment according to the interest rate situation.
The intent of this proposal was clearly positive, and the community’s attitude towards it was mainly supportive. About a week later, that is, this morning, the proposal was successfully passed and implemented.
Unfortunately, bugs at the code level are often unpredictable. Although some other members of the community had also reviewed Tyler Loewen’s upgrade code, and all the upgraded contracts had been running smoothly on the Ethereum Ropsten testnet for a month, a bug still appeared.
Solution measures and procedures
Regarding the remedial work, Leshner himself stated on Twitter: “There is no management control or community tool to interrupt the current abnormal distribution of COMP. Any changes to the protocol level will need to go through nearly a week of governance procedures before they can take effect. Compound Labs and Community members are currently evaluating possible ways to fix the release.”
As he says, Compound has an established governance process:
- Any address can lock 100 COMP to initiate an autonomous proposal. When the proposal accumulates at least 65,000 delegated COMP, it is upgraded to a governance proposal and then enters the community vote stage;
- The community vote lasts for 3 days. When the proposal has received support from at least 400,000 COMP (i.e. ≥4% of the supply) and the majority has voted in favor, the vote passes;
- Proposals that pass the vote are queued in the time lock and are formally implemented after the 2-day time lock.
Summarizing the entire governance process, the vote and the time lock stages alone require at least 5 days. Counting the initial proposal and the time required for the transitions between stages, Leshner’s estimate of one week is not an exaggeration.
Regarding “there is no management control to interrupt the current abnormal distribution of COMP”: there is in fact a guardian address (Set Pause Guardian, 0xbbf3f1421d886e9b2c5d716b5192ac998af2012c) used to handle extreme situations in the Compound protocol. This address was previously held by Compound Labs, but in August’s “Governance Proposal 057” it was converted to multi-signature control. However, the authority of the guardian address currently only stipulates that the protocol’s deposits, borrowing and liquidations can be suspended in extreme cases, and it does not clearly state whether it can be used in the current situation.
The process is clear by now, but no one has yet given a specific plan for what remedial measures should be taken. Community members have opened a discussion thread in the Compound Governance Forum and plan to implement the repair through “Governance Proposal 063”. Judging from the information released so far, there is a high probability that the distribution of COMP will be suspended first (perhaps through the guardian address?) until a complete repair patch can be tested.
Lessons learned
Compound is one of the pioneers of the decentralized governance model, and the cause and handling of this incident have to a certain extent exposed the flip side of DAO governance.
In conventional thinking, decentralization often means trading efficiency for fairness. In the DeFi field, when a protocol achieves fully decentralized governance and no single party can modify the contracts at will, mobilizing the community as a whole to take part in governance decisions often carries a huge organizational and time cost, which is why Compound needs seven days to fix a vulnerability that clearly has a significant negative impact on the protocol. In fact, among the leading DeFi protocols, Compound’s governance cycle of about seven days is not especially slow. Uniswap’s complete governance process (opinion survey, consensus check, governance vote, time lock) takes at least half a month.
Having said that, since remediation after the event is known to carry such a high cost, should more stringent evaluation standards be applied to major contract upgrades before the event? This is the first lesson the Compound community drew from the incident: community member Phaze Jeff started a discussion post in the governance forum with the topic “Implementing stricter review of major code changes.”
In this specific case, after community member Loewen submitted “Governance Proposal 062”, too few community members took part in the testing work (this seems to be a common problem in most DeFi protocols), which eventually led to the bug being missed and “released”. Jeff therefore believes that more detailed monitoring should be carried out when the protocol undergoes major updates, and that more community members should be encouraged to take part in the work before mainnet deployment. In addition, Jeff also mentioned the need to further clarify the specific authority of the multi-signature guardian address so that it can respond quickly in a similar emergency.
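The monitoring Jeff calls for can be sketched as a check on COMP leaving the “Compound: Comptroller” contract, measured against the 2,880 COMP per day emission rate given earlier. This is an added example, not code from Compound or its community; the thresholds, the tuple layout of a transfer and the sample transfers are assumptions constructed for illustration.

```python
from collections import deque
from decimal import Decimal

# Values taken from the article.
COMPTROLLER = "0x3d9819210A31b4961b30EF54bE2aeD79B9c9Cd3B"
DAILY_EMISSION = Decimal("2880")      # COMP distributed per day, protocol-wide

# Assumed thresholds; tune them, since accrued rewards claimed at once are lumpy.
WINDOW_SECONDS = 24 * 3600
WINDOW_LIMIT = 3 * DAILY_EMISSION     # rolling 24h outflow ceiling
SINGLE_LIMIT = DAILY_EMISSION         # no single claim should exceed a full day


def scan_transfers(transfers):
    """Return alerts for (unix_ts, sender, recipient, amount) tuples sorted by time."""
    window, total, breached = deque(), Decimal(0), False
    alerts = []
    for ts, sender, recipient, amount in transfers:
        if sender.lower() != COMPTROLLER.lower():
            continue                  # only outflows from the Comptroller matter
        amount = Decimal(amount)
        window.append((ts, amount))
        total += amount
        while window[0][0] <= ts - WINDOW_SECONDS:
            total -= window.popleft()[1]      # drop transfers older than 24h
        if amount > SINGLE_LIMIT:
            alerts.append((ts, "single-claim", recipient, amount))
        over = total > WINDOW_LIMIT
        if over and not breached:     # alert once per threshold crossing
            alerts.append((ts, "window-outflow", recipient, total))
        breached = over
    return alerts


# Constructed sample data: timestamps, recipients and amounts are invented;
# the large claim is sized like the "nearly 30,000 COMP" case described above.
SAMPLE = [
    (1000, COMPTROLLER, "0xaaa1", "12.5"),
    (5000, COMPTROLLER, "0xaaa2", "340"),
    (9000, "0xother", "0xaaa3", "50000"),     # ignored: not from the Comptroller
    (90000, COMPTROLLER, "0xaaa4", "29000"),
    (91000, COMPTROLLER, "0xaaa5", "15"),
]
```

Run over the sample, the single 29,000 COMP transfer raises both a per-claim and a rolling-window alert, while the ordinary small claims raise none.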
Source link: www.odaily.com