Compound discovers bug in new update, freezes cETH market
Compound said users' funds are not at risk and it will take seven days to execute a fix proposal.
DeFi protocol Compound (COMP) discovered a bug in governance proposal 117 designed to upgrade its price feeds, forcing it to temporarily freeze the Compound ETH (cETH) market.
An hour ago, Proposal 117 was executed, which updated the price feed that Compound v2 uses.
This price feed, while audited by three auditors, contained an error that is causing transactions for ETH suppliers and borrowers to revert. https://t.co/a2DFk7h0ET
— Compound Labs (@compoundfinance) August 30, 2022
According to an August 30 Twitter thread, the bug made “transactions for ETH suppliers and borrowers revert.”
The team said that its users’ “funds are not immediately at risk” and added that its interface is currently not accessible due to the “price discrepancy.”
According to Compound Labs CEO Robert Leshner, users at liquidation risk can still add Ether collateral. He said:
“No users should be at risk of liquidation or at risk of losing funds.”
Proposal 117 was designed to update the oracle contracts on the lending protocol to a new version that uses Uniswap V3 instead of V2 for price feeds. GFX Labs proposed it on behalf of Chainlink.
The proposal was audited by OpenZeppelin, Dedaub, and ABDK, who all missed the bug.
An OpenZeppelin update revealed that the “getUnderlyingPrice” function caused the bug. It added that the oracle upgrade assumed the cETH market had this function, which it does not.
The function returns empty bytes whenever it is called, thereby reverting transactions.
OpenZeppelin wrote that:
“The primary issue right now is a temporary denial of service for the cETH market which will be resolved by the new governance proposal. No funds are at risk at this time. The rest of the cToken markets on Compound V2 and all of V3 remain functional.”
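The failure mode described above, a call to a function the target contract does not have coming back as empty bytes and reverting the transaction, can be reproduced in a few lines. This is an added example, not code from Compound, OpenZeppelin or proposal 117; the contract and function names are hypothetical, and it assumes the target has a fallback that accepts the call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical interface: a getter the caller assumes every market exposes.
interface IMarket {
    function assumedGetter() external view returns (uint256);
}

// Constructed stand-in for a market that lacks assumedGetter(). Its fallback
// accepts any call, so the call succeeds with zero bytes of return data.
contract MarketWithoutGetter {
    fallback() external {}
}

contract NaiveReader {
    // Reverts for MarketWithoutGetter: the compiler-generated decoder
    // requires at least 32 bytes of return data and receives none.
    function read(address market) external view returns (uint256) {
        return IMarket(market).assumedGetter();
    }
}

contract DefensiveReader {
    // Low-level staticcall returns the raw bytes, so the length can be
    // checked before decoding. try/catch would not help here, because the
    // decoding failure happens in the caller, not in the called contract.
    function read(address market) external view returns (bool ok, uint256 value) {
        (bool success, bytes memory ret) = market.staticcall(
            abi.encodeWithSelector(IMarket.assumedGetter.selector)
        );
        if (!success || ret.length < 32) {
            return (false, 0); // missing or malformed getter: caller decides
        }
        return (true, abi.decode(ret, (uint256)));
    }
}
```

Running both readers against every market an upgrade will touch, in a fork or integration test, shows which targets do not implement the assumed interface before the change is executed.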
Proposal 119 to revert the upgrade
According to available information, GFX Labs submitted proposal 119 to revert the upgrade less than an hour after noticing the bug.
The proposal would be passed and executed after a seven-day governance process.
Meanwhile, the bug appears not to have had any immediate impact on the price performance of Compound’s COMP token. The token has been on a red candle run for the last 30 days. Its value declined by around 4% to trade at $48 over the previous 24 hours.