Comet Vulnerability Disclosure (Patched)

NOTE: The vulnerability has been patched and no user funds are at risk.

This forum post was published with prior review from members of the Compound and OpenZeppelin teams.

Overview

A smart contract vulnerability allowed an attacker to withdraw funds from the contract, but the negative impact to users and the protocol was minimal since the gas costs to carry out the attack were far greater than the amount at risk.

Details

Your time is valuable so I will do my best to keep this brief.

On November 13th, I had disclosed a vulnerability for the Base Comet WETH market’s smart contracts which would have enabled an attacker to directly steal user funds via the withdraw and transfer methods.

The vulnerability was promptly validated with the help of Joey Santoro, and subsequently disclosed to the Compound and OpenZeppelin teams along with a GitHub repo containing code that simulated exploitation of the vulnerability.

To the best of my knowledge, and based on discussions with the notified parties:

  • The vulnerability was highly unlikely to be exploited profitably (to steal $1 million, gas costs would have amounted to $5-10+ billion).
  • Only the Base WETH market was vulnerable, which limited the potential damage to the protocol.
  • My disclosure provided the Compound team with awareness regarding a previously unknown attack vector, enabling the DAO to protect user funds both in the present and the future.

My intent for writing this forum post is to: 1) responsibly disclose a vulnerability which I had collaborated with the Compound and OpenZeppelin teams in addressing, and 2) solicit community discussion prior to making a governance proposal for a bug bounty reward.

I was given the blessings of the individuals who were actively involved in this effort, and our collective belief is that a generous bug bounty reward will have the added effect of greatly motivating security researchers and developers in identifying and disclosing Compound bugs and vulnerabilities in the future. Additionally, I am the founder/core developer of a young startup, Brrito, that is building a new product on top of Comet, and your goodwill would greatly prolong our runway and enable us to see through our efforts of providing value and becoming a mainstay of the ecosystem.

To help in your decision making, and for your convenience, please see the following link for the full details of the Compound Bug Bounty Program: Compound v2 Docs | Security.

In addition to this disclosure post, it is my understanding that the OpenZeppelin team will be publishing a separate post detailing the vulnerability in-depth.

Special thanks to these individuals for their collaboration and advice regarding the above: Joey Santoro, Kevin C., Adam B., and Geoffrey H. from Compound, Michael L. and Jared B. from OpenZeppelin, and SamCZSun from Paradigm.

Thank you for reading, I’d appreciate your thoughts, feedback, and suggestions!

6 Likes

I can confirm that OpenZeppelin received the bug report from @brrito alongside Compound Labs and was able to patch the issue on Base WETH as a direct result of his report. He was clear and professional with his communications with our team and worked with us throughout the remediation process to ensure the issue was patched in production. I highly recommend awarding a generous bounty for his efforts at the higher end of the Compound bug bounty scale which tops out at $150K.

OpenZeppelin will post a full follow-up disclosure of the vulnerability and remediation steps we took to patch it.

2 Likes

Thank you for verifying and for your support, Michael - it was an honor working with you and the others from OZ and Compound, and I’m looking forward to our continued joint efforts.

2 Likes

I can also confirm that Compound Labs received the bug report from @brrito and worked together with OZ, Gauntlet, Joey, and samczsun to assess the impact of the vulnerability and get it patched in production.

We just want to reiterate that user funds were never realistically at risk because the vulnerability was extremely unprofitable to exploit ($5-10+ billion in gas to steal $1 million).

That being said, we truly appreciate @brrito’s professional manner in reporting the bug and agree with OZ’s recommendation of awarding the higher end of the Compound bug bounty scale.

3 Likes

Thank you for confirming and for your vote of confidence, Kevin. It was an incredible experience collaborating with you all, and I’m looking forward to more of it in the near future!

Leaning on the support from the OpenZeppelin and Compound Labs teams above for guidance, I would like to make a humble ask for ~20% less than the maximum Compound Bug Bounty Program reward: $125,000 (denominated in various assets from the Compound Timelock, using Etherscan as the asset pricing source).

Please note that the amounts below have been rounded down to 2 decimal places for readability.

Asset   Units       Unit Price   Value ($)
REPv2   515.49      $0.65        $335.12
USDT    500.00      $1.00        $500.00
DAI     740.40      $1.00        $740.40
BAT     3,505.14    $0.22        $783.87
FEI     6,324.34    $1.00        $6,324.34
UNI     2,245.19    $5.92        $13,291.52
USDC    50,000.00   $1.00        $50,000.00
ETH     26.00       $2,045.05    $53,171.30
Total                            $125,146.57

I did not include COMP in the compensation assets due to the fact that we are a small startup, with a low amount of personal and community funding and may need to liquidate some of the assets above to make ends meet. It did not feel right asking for the protocol’s governance token, knowing that it may be sold.

For your reference:

My understanding is that OpenZeppelin or Compound Labs will assist me in submitting a proposal onchain, and I will update the community via this thread as soon as I have more information.

Thank you!

2 Likes

Adam asked me to stop by and weigh in on the bounty as a neutral third party.

For context, I’m a security focused smart contract engineer. I’ve found multiple crits in protocols. I also run our company’s Immunefi bounty program, so I have experience on both sides of bug bounties.

The company I work for would pay out a minimum critical of $50,000 if an attacker were theoretically able to unprofitably steal a max of $1. However, in this case the potential theoretical impact is much higher than $1, so I would start with max bounty, then mark it down from there for being unprofitable and infeasible. In this case $100K would be my initial bounty guess, given that the bug bounty page doesn’t have any guidelines beyond the min and max payments.

That said, 125K is completely reasonable, and it is a good thing long term for a protocol to have a reputation for quickly and generously compensating researchers.

(I have not read the bug report, so everything I know is based off this forum thread.)

6 Likes

Thanks for making the time to review and share your thoughts, dvf. Detailed takes such as yours (with payout figures, considerations and perspectives from the team, etc.), were invaluable as I did research on typical/industry-standard bug bounty rewards - I wish there were more of them. I have no doubt that what you’ve written here will be hugely beneficial to other software developer/security researchers who are trying to formulate fair payout figures in the future.

Thank you again (and thank you to Adam for getting you involved).

2 Likes

Hello everyone, I hope you had a great weekend. Thanks to the help from @cylon and the Compound governance multisig, I’ve just submitted the governance proposal for the bug bounty program reward onchain: Tally | Compound Proposal.

For your convenience, I’m sharing the proposal contents below:

Background

NOTE: The vulnerability has been patched and no user funds are at risk.

For the full details and context related to the vulnerability disclosure, as well as discourse between the OpenZeppelin and Compound Labs teams, and Compound community members, please see here.

On November 13th, I had disclosed a vulnerability for the Base Comet WETH market’s smart contracts which would have enabled an attacker to directly steal user funds via the withdraw and transfer methods. I was given the blessings from the OpenZeppelin and Compound Labs teams in making this proposal for the purposes of proposing a reward for my professionalism and collaboration in addressing the vulnerability (in line with the Compound Bug Bounty Program payout range).

Bug Bounty Program Reward

Leaning on the support from the OpenZeppelin and Compound Labs teams and other Compound community members (such as experienced security researcher Daniel Von Fange) for guidance and their assessment of reward fairness, I would like to make a humble ask for ~20% less than the maximum Compound Bug Bounty Program reward: $125,000 (denominated in various assets from the Compound Timelock, using Etherscan as a publicly-accessible pricing source for non-stable assets, as of 7:30pm EST, Monday, December 4, 2023). All stable asset prices are fixed at $1.00.

Asset   Units       Unit Price ($)   Value ($)
REPv2   515.49      $0.703079        $362.430194
USDT    500         $1.00            $500.00
DAI     740.40      $1.00            $740.40
BAT     3,505.14    $0.245071        $859.008165
FEI     6,324.34    $1.00            $6,324.34
UNI     2,245.19    $6.13            $13,763.01
USDC    50,000.00   $1.00            $50,000.00
ETH     23.50       $2,238.74        $52,610.39
Total                                $125,159.58

The table above has been verified to be formatted correctly on comp.xyz. If it is not displaying it correctly, please reference the following Google Docs spreadsheet (identical data).

I am sincerely appreciative of the opportunity to have collaborated alongside the best teams and individuals in discussing and remedying this vulnerability, and look forward to continuing my contributions both as a Compound builder and vigilant community member. Thank you very much for both your time and consideration.

I’d like to reiterate my sincerest gratitude to everyone who has been involved in this entire journey; your support and patience will not be forgotten.

2 Likes

I apologize for the broken formatting of the proposal at Compound | Governance. It seems that Tally’s formatting didn’t carry over, and the reward assets table didn’t render properly after publishing. For the proposal as it was intended to look (and appeared in “Preview”), please see my post directly above or Tally | Compound Proposal (may take a moment to load the proposal content which can be seen at the bottom).

1 Like

Sorry for posting this only once the proposal was posted.

I would like to thank @brrito for finding and safely disclosing this bug to the Compound community. It was a medium bug in production and therefore is deserving of a payment from the bug bounty. It would be very generous of the DAO to pay out $50k for a bug of this type, paid out in COMP. That said, $120k is absolutely absurd considering the severity of the bug. I find this proposal to be preying on DAO apathy in a way and encourage all delegates to vote no. I hope that brrito is granted a fair bounty in the near future.

2 Likes

Thank you for taking the time to share your thoughts @arr00. The proposed bounty reward figure was derived from my research of typical industry payouts (@dvf echoed the fact that it was reasonable - I’d also be happy to provide additional supporting resources), and, more importantly, lengthy discussions with those involved in the vulnerability remediation effort; security researchers/developers who are key Compound stakeholders (e.g. OpenZeppelin, and Compound Labs).

I’d like to tag @cylon and @kevin in order to gather their thoughts on the matter since OpenZeppelin and Compound Labs both supported my proposed bounty reward by whitelisting my ability to post it and have guided me in structuring the proposal from day 1.

1 Like

I’d be happy to see sources supporting this.

The Compound governance multisig whitelisting you to propose was not an explicit endorsement.

I don’t have a strong opinion on the amount to be paid for the bug bounty; however, I strongly disagree that the protocol should pay anything from reserves. Reserves were never intended to be used this way. The community should follow the same payment process for service providers of the DAO (e.g. Gauntlet, OZ, etc.), which is never via reserves.

1 Like

I am curious how deeply you looked into the issue to come to the conclusion that it is a medium severity bug. The vulnerability breaks the solvency invariant by a nontrivial and arbitrarily large margin depending on the configuration of the market. I could easily deploy a Comet instance today with 100% of TVL at risk by using a higher value, higher precision base asset (this would be contrived but still possible to illustrate the severity more clearly).

Compound is extremely lucky that this issue was not worse and that there are in fact no funds at risk in production today.

My personal operator and non-security focused developer assessment on the severity is minimum high severity, possibly a low tier critical.

The sentiment around both the severity and bounty level are highlighted by security researchers and organizations if you scroll up in this thread.

This is a surprisingly negative sentiment towards an earnest security researcher who privately disclosed a serious bug with a PoC and collaborated with the teams to resolve the issue. Not to mention that he is willing to receive numerous illiquid assets from protocol reserves and is actively building a useful integration on Compound.

You as a respected delegate and builder in the Compound community can do better to err on the side of generosity, rather than encourage COMP holders to waste time on deliberating and revoting an issue like this.

I believe the bounty amount is certainly in a reasonable range and voting affirmatively for this proposal sets a strong positive precedent.

1 Like

I have been helping @brrito with the submission of this proposal and I do personally recommend that the community consider a payout on the higher-end of the scale. However, I ultimately defer to the community.

I also need to clarify that the whitelisting of this proposal doesn’t imply endorsement of the payout amount by the Pause Guardian multi-sig. It just means the Pause Guardian recognizes that @brrito deserves the opportunity to put his payout request forward for community approval.

2 Likes

Hi Jayson, the proposed bug bounty reward is paid out in various assets from the Compound Timelock, which can be verified by checking my proposal here (I’ve confirmed they are not the reserves by asking Compound Labs team members).

Good morning everyone, I hope you’re having a great weekend, I’ve just resubmitted the governance proposal with a lower reward amount and wanted to share it here for transparency and discussion: Tally | Compound Proposal.

In addition to the lower reward amount, the proposal sources COMP from the Comptroller for the reward, as suggested by @jayson above.

Hey, still waiting on some additional supporting sources. Thanks

I’d like to echo @jayson’s sentiment and point out that Labs doesn’t have a strong opinion on the amount paid out, as long as it is not paid out using protocol reserves. That being said, we are not against a payout on the higher-end of the scale. Here are a few reasons why:

  • Even though the current market configurations make the bug unprofitable to exploit, @brrito’s bug report will prevent the community from deploying new markets that could be susceptible to this bug
  • Compound’s current bug bounty program does not have a clear rubric for classifying severity and payout ranges, so rounding up on the payout can set a good example for future bug reporters looking at the Compound codebase

We appreciate everyone providing their thoughts on this matter. This is a learning lesson for Labs and the community. We will work with OZ to modernize Compound’s bug bounty program, making it easier in the future for the community to classify the severity and payout of disclosures.

3 Likes