Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 057 · Smart Contract Bug

Compound Proposal 62 COMP Bug

A bug in the Comptroller implementation shipped by Compound's Proposal 62 exposed up to ~$147M of COMP to unintended reward claims. Most of what was claimed was returned voluntarily; a portion was kept by users.

Date: September 30, 2021
Chain(s): Ethereum
Status: Partially Recovered

On September 30, 2021, Compound Finance executed Proposal 62, a governance vote intended to change how COMP rewards were split between suppliers and borrowers in each of the protocol's lending markets. The updated Comptroller implementation shipped with a critical bug that let some users claim vastly more COMP than the reward schedule allowed. The maximum theoretical exposure was up to ~$147 million of COMP at the prices of the day, depending on how aggressively users claimed.

What happened

The old Comptroller had distributed COMP rewards on a fixed 50:50 split between liquidity suppliers and borrowers in each market. Proposal 62 introduced a more flexible scheme that let governance set separate supply-side and borrow-side reward speeds per market. The implementation contract, written by Compound Labs and approved by governance, contained a bug in the reward-index accounting: a user's accrued COMP is computed as balance multiplied by the difference between the market's cumulative reward index and the user's last checkpointed index, and under certain claim sequences that difference was measured from a stale baseline, so the claim paid out far more than the actual reward schedule prescribed.

Within hours of Proposal 62 going live, users had already claimed 168,000 COMP ($50M at the time) they were not entitled to. The team's analysis put the worst-case exposure of the Comptroller's own COMP balance, if users kept claiming through every accessible accounting path, at around 280,000 COMP (~$84M). A subsequent routine drip from Compound's Reservoir contract then topped the Comptroller up with a further tranche of COMP, raising the total at risk to the ~$147M figure that Rekt and others cite.

The mistake was not malicious on the team's side; it was a software bug in a governance-approved upgrade. The Comptroller sits behind a proxy and can be upgraded, but only by governance: there was no admin key or pause switch for COMP distribution, so the bug could only be addressed by another proposal going through the full vote and Timelock cycle, roughly a week end to end.

Aftermath

  • Compound governance passed Proposal 63 to halt further COMP distribution while a patch was prepared, and Proposal 64 ("Fix COMP Accrual Bug") to ship the patch.
  • Robert Leshner, Compound's founder, publicly requested that users who had received excess COMP return it, noting that anyone who didn't would be reported to the IRS as receiving income.
  • A meaningful fraction of the misappropriated COMP was returned voluntarily within weeks. Some users — particularly those who had claimed and immediately swapped to other assets — did not return funds.

Why it matters

The Compound Proposal 62 incident is one of the cleanest examples of how a governance-approved upgrade carries the same risk as any other contract change, and often gets less scrutiny than a pre-deployment audit cycle would give it. A "for" vote approves the exact implementation queued in the Timelock, so catching a bug before execution requires voters to read that code rather than the proposal's description; in practice, most proposals pass with cursory review.

The defensive response that emerged in the years following:

  • Timelocks on all governance-controlled upgrades, giving white-hat reviewers a window to flag bugs before execution. Compound already had a two-day Timelock in front of execution; the incident showed that the window only helps if someone actually reviews the queued implementation during it.
  • Proposal simulation with OpenZeppelin Defender and similar tooling: executing the queued calldata against a fork of mainnet and checking balances and reward totals before the vote closes, rather than after execution.
  • Mandatory third-party audits of any proposal that touches reward distribution, share accounting, or other invariant-critical code paths.
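The reward-index accounting described above, together with the kind of emission invariant a proposal simulation should gate on, as an added example. This is not Compound's code: the real Comptroller's state layout, function names and the exact condition that misfired in Proposal 62 are not reproduced. The `upgrade_losing_checkpoints` step is a hypothetical illustration of the failure class (a stale baseline re-crediting rewards already paid), the scenario numbers are constructed, and the invariant assumes a single reward speed from the block emission starts.

```python
"""Index-based reward accounting of the kind Compound's Comptroller uses for
COMP, plus an emission-invariant check of the sort a proposal simulation can run.
Added example; not Compound's code, and the 'lost checkpoint' upgrade below is a
hypothetical illustration of the failure class, not the actual Proposal 62 defect."""
from dataclasses import dataclass, field

SCALE = 10 ** 36        # fixed-point scale for indices (Compound calls this doubleScale)
INITIAL_INDEX = SCALE   # value a market's index is seeded with when rewards start


@dataclass
class Market:
    speed: int = 0            # reward tokens emitted to this market per block
    start_block: int = 0      # block at which emission began (used by the invariant)
    index: int = 0            # cumulative reward per unit of balance, scaled by SCALE
    block: int = 0            # block at which `index` was last advanced
    total_supply: int = 0
    balance: dict = field(default_factory=dict)     # user -> supplied balance
    user_index: dict = field(default_factory=dict)  # user -> index at last checkpoint
    accrued: dict = field(default_factory=dict)     # user -> rewards credited so far


def update_index(m: Market, block: int) -> None:
    """Advance the market index to `block`; tokens emitted meanwhile are spread pro rata."""
    elapsed = block - m.block
    if elapsed > 0 and m.speed > 0 and m.total_supply > 0:
        m.index += m.speed * elapsed * SCALE // m.total_supply
    m.block = block


def baseline(m: Market, user: str) -> int:
    """Index a user's accrual is measured from. A user with no checkpoint in a market
    that has started emitting accrues from INITIAL_INDEX, i.e. from when rewards were
    switched on; in a market that never emitted, the baseline stays 0 and nothing accrues."""
    ui = m.user_index.get(user, 0)
    if ui == 0 and m.index >= INITIAL_INDEX:
        return INITIAL_INDEX
    return ui


def distribute(m: Market, user: str, block: int) -> int:
    """Checkpoint `user` against the current index; return rewards newly credited."""
    update_index(m, block)
    delta = m.balance.get(user, 0) * (m.index - baseline(m, user)) // SCALE
    m.user_index[user] = m.index
    m.accrued[user] = m.accrued.get(user, 0) + delta
    return delta


def supply(m: Market, user: str, amount: int, block: int) -> None:
    """Checkpoint before the balance changes, or the new amount would be paid for
    blocks during which it was not present."""
    distribute(m, user, block)
    m.balance[user] = m.balance.get(user, 0) + amount
    m.total_supply += amount


def enable_rewards(m: Market, speed: int, block: int) -> None:
    """Seed the index and start emitting `speed` tokens per block (single speed change)."""
    update_index(m, block)
    if m.index == 0:
        m.index = INITIAL_INDEX
    m.speed, m.start_block = speed, block


def emission_gap(m: Market, block: int) -> int:
    """Tokens the schedule emitted since start_block, minus tokens already credited and
    tokens every holder could still claim right now. Zero (or rounding dust) is healthy;
    negative means the accounting owes more than the schedule ever minted."""
    update_index(m, block)
    emitted = m.speed * (block - m.start_block)
    pending = sum(bal * (m.index - baseline(m, u)) // SCALE for u, bal in m.balance.items())
    return emitted - sum(m.accrued.values()) - pending


def upgrade_losing_checkpoints(m: Market) -> None:
    """HYPOTHETICAL upgrade that drops per-user checkpoints (e.g. a storage-layout change
    read back as zero). Each holder's next claim is then measured from INITIAL_INDEX
    again and re-credits rewards that were already paid out."""
    m.user_index.clear()


def run_scenario(buggy_upgrade: bool) -> tuple:
    """Constructed scenario. Returns (alice's total credited rewards, emission gap)."""
    m = Market()
    supply(m, "alice", 600, block=100)      # market has no rewards yet
    supply(m, "bob", 400, block=100)
    enable_rewards(m, speed=10, block=200)  # 10 tokens per block from block 200
    distribute(m, "alice", block=300)       # alice claims: 60% of 1000 = 600
    if buggy_upgrade:
        upgrade_losing_checkpoints(m)
    distribute(m, "alice", block=400)       # alice claims again
    return m.accrued["alice"], emission_gap(m, block=400)


if __name__ == "__main__":
    print(run_scenario(False))   # (1200, 0): 600 per 100 blocks, schedule balances
    print(run_scenario(True))    # (1800, -600): blocks 200-300 credited twice
```

The point of `emission_gap` is that it is cheap to evaluate on a fork after simulating a proposal's calldata: replay a handful of claims for the largest holders in every market and assert the gap never goes negative. A check of that shape catches any over-distribution regardless of which line introduced it, which is what a reviewer with a two-day Timelock window actually needs.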

Compound's bug is also one of a small number of incidents where the "attacker" is not really an attacker — it's a population of users who happened to be exposed to a bug and chose, individually, whether to keep the windfall or return it. The on-chain ethical question — what to do when a protocol pays you more than it intended — remains contested.

Sources & on-chain evidence

  1. BeInCrypto, "Compound Finance passes proposal to fix COMP distribution bug": https://beincrypto.com/compound-finance-passes-proposal-to-fix-comp-distribution-bug/
  2. The Block, "Compound bug puts COMP at risk of misreward": https://www.theblock.co/linked/119086/compound-bug-comp-risk-misreward
  3. NewsBTC, "Compound Finance suffers bug": https://www.newsbtc.com/news/compound-finance-suffers-bug/
