Compound V2

Math Mistake Exploit

Estimated loss

$147.00M

VERDICT —AUDIT-CATCHABLE

A diff-focused review of the upgraded Comptroller against the prior implementation, plus invariant tests on reward indices (supplierIndex initialization paths), would have caught this. The migration branch is the classic place reviewers look during a governance upgrade; the operator typo is visible on the source line.

▰ METHOD

Math Mistake Exploit

LOGICBYTECODE CATCHABLE →AI SCANNABLE →

Root cause

Proposal 062 deployed a new Comptroller implementation that split COMP emissions between suppliers and borrowers. The regression sat in distributeSupplierComp / distributeBorrowerComp: the migration branch that bootstraps a supplier's index when a market is first switched on used `if (supplierIndex == 0 && supplyIndex > compInitialIndex)` instead of `>=`. For markets initialized at exactly supplyIndex == compInitialIndex (1e36) — cSUSHI, cMKR, cYFI, cAAVE, cTUSD, cSAI — the guard failed, supplierIndex remained 0, and the delta passed to mul_(deltaIndex, supplierTokens) became 1e36 × tokens, paying out astronomically inflated COMP. ~280K COMP (~$80–$160M at peak) was drained from the Comptroller reservoir to users with no economic claim. The root cause is a single-character operator bug (`>` vs `>=`) in reward-accounting arithmetic on a freshly upgraded governance proxy.

Forensic narrative

Classification: Protocol Logic. Technique: Math Mistake Exploit. Target type: DeFi Protocol. Affected chains: Ethereum. Implementation language: Solidity.

Primary source

https://blocksecteam.medium.com/the-butterfly-effect-the-compound-security-incident-caused-by-a-bugfix-8f2052e9a759 ↗

Sourced from

DefiLlama Hacks dataset · api.llama.fi/hacks

Technical record