Compound V2

Hacked

DeFi · $COMP · born 2018 · ✝ 2021

A reward-math bug handed out ~$147M in free COMP.

Compound V2 was a leading Ethereum money market that let users earn COMP for supplying and borrowing assets. A September 2021 upgrade to its Comptroller contract contained a faulty distribution calculation that erroneously paid out roughly $147M worth of COMP to users.

  • Peak: ~$147M stolen
  • Cause: Hacked
  • Year of death: 2021

☠️ Cause of death

A math mistake in the new reward-distribution logic over-issued COMP tokens, and the bug could not be fixed quickly because the protocol's own timelock delayed any patch.

📓 Lessons left behind

  • Reward and accounting math needs invariant tests, not just code review.
  • Upgradable contracts can lock you out of fixing your own bug.
  • Free-money bugs are spent before anyone can react.

🌱 The idea that survived

Invariant testing

Pushed DeFi teams toward formal verification and property-based tests for token accounting.
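
The invariant-testing lesson above, as an added example that is not from the original page and is not Compound's code: a toy index-based reward distributor with a randomized test asserting that rewards credited never exceed rewards emitted. The class, its names and the `settle_on_supply` defect are constructed for illustration and are not a reconstruction of the Comptroller bug.

```python
import random

SCALE = 10**18  # fixed-point unit for the reward index (assumed)

class ToyDistributor:
    """Toy index-based reward accounting. Illustrative only, not Compound's code."""
    def __init__(self, settle_on_supply=True):
        self.settle_on_supply = settle_on_supply  # False = constructed defect
        self.index = SCALE       # global rewards-per-unit index
        self.total_supply = 0
        self.balance = {}        # user -> supplied units
        self.user_index = {}     # user -> index at last settlement
        self.emitted = 0         # rewards the schedule actually released
        self.accrued = 0         # rewards credited to users

    def emit(self, amount):
        if self.total_supply == 0:
            return               # nobody to reward; nothing is released
        self.index += amount * SCALE // self.total_supply
        self.emitted += amount

    def claim(self, user):
        last = self.user_index.get(user, SCALE)
        owed = self.balance.get(user, 0) * (self.index - last) // SCALE
        self.user_index[user] = self.index
        self.accrued += owed
        return owed

    def supply(self, user, amount):
        if self.settle_on_supply:
            self.claim(user)     # credit at the old balance before it changes
        self.balance[user] = self.balance.get(user, 0) + amount
        self.total_supply += amount

def first_violation(settle_on_supply, seed, steps=200):
    """Run random operations; return the first step where accrued > emitted."""
    rng = random.Random(seed)
    d = ToyDistributor(settle_on_supply)
    for step in range(steps):
        user, op = rng.choice("abcd"), rng.choice(("supply", "emit", "claim"))
        if op == "supply":
            d.supply(user, rng.randint(1, 1000))
        elif op == "emit":
            d.emit(rng.randint(1, 10**6))
        else:
            d.claim(user)
        if d.accrued > d.emitted:   # the invariant under test
            return step
    return None
```

With `settle_on_supply=False` each line of `supply` still looks plausible in review, yet the random sequences push `accrued` past `emitted`; the settled variant holds the invariant because every index step and payout rounds down.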

#defi #lending #math-bug