Decentralized lending platform Compound has been plagued by a code bug in a recent governance proposal to update its price feeds.
The code error has “temporarily frozen” the Compound ETH (cETH) market, causing cETH transactions to revert, but Compound Labs stated that despite the front end not working, “funds are not immediately at risk.”
Compound Labs announced on Aug. 31 that the code bug came from Proposal 117: Compound Oracle Upgrade v3, which was implemented a couple of hours ago to update the oracle contracts on the Compound protocol to a new version that uses Uniswap V3 instead of V2 for price feeds.
An hour ago, Proposal 117 was executed, which updated the price feed that Compound v2 uses.
This price feed, while audited by three auditors, contained an error that is causing transactions for ETH suppliers and borrowers to revert.https://t.co/a2DFk7h0ET
— Compound Labs (@compoundfinance) August 30, 2022
In response to the cETH market temporarily freezing, Compound Labs said it aimed to revert to the previous price feed via Proposal 119: Oracle Update. The new proposal was created less than one hour after Proposal 117 had been executed, however it now needs to go through seven-day governance process before taking effect.
According to an update from Security Solutions Architect Michael Lewellen of OpenZeppelin, the code bug came from the “getUnderlyingPrice” function, which did not update the price of cETH tokens, which would return empty bytes and cause the call to be reverted.
Read the following post for details on a Compound incident we are working to resolve for the cETH market. A fix is already underway and no funds are at risk at this time. The rest of the cToken markets on Compound V2 and all of V3 remain functional.https://t.co/CiSE3a99Wa
— OpenZeppelin (@OpenZeppelin) August 30, 2022
Lewellen also reaffirmed that no funds are at risk:
“The primary issue right now is a temporary denial of service for the cETH market which will be resolved by the new governance proposal. No funds are at risk at this time. The rest of the cToken markets on Compound V2 and all of V3 remain functional.”
However, Lewellen added that “any users that deposited ETH and obtained cETH for opening borrow positions must be aware that they might get instantly liquidated whenever the fix proposal executes if by that time the price of ETH has dropped significantly.”
But the CEO of Compound Labs Robert Leshner also added that users can still repay any debt and add collateral to avoid liquidation.
Related: What is a smart contract security audit? A beginner’s guide
Compound Labs noted the code bug came despite the oracle contract being audited from three separate smart contract auditing companies, with OpenZeppelin and ChainSecurity among the recent firms to have audited Compound’s smart contracts.
Proposal 117 itself didn’t appear to be a controversial one, with all 696,665 votes from 245 different wallet addresses in favor of the price feed upgrade. Crypto investment firm Polychain Capital cast the most votes (306,146) in favor of the proposal.
According to DeFi Llama, Compound is the third largest decentralized lending platform, with $2.67 billion total value locked (TVL). The news has not affected the Compound token, COMP, so far which is currently priced at $48.27.