NOTE: The vulnerability has been patched and no user funds are at risk.
This forum post was published with prior review from members of the Compound and OpenZeppelin teams.
Overview
A smart contract vulnerability allowed an attacker to withdraw funds from the contract, but the negative impact to users and the protocol was minimal since the gas costs to carry out the attack were far greater than the amount at risk.
Details
Your time is valuable so I will do my best to keep this brief.
On November 13th, I disclosed a vulnerability in the Base Comet WETH market's smart contracts which would have enabled an attacker to directly steal user funds via the withdraw and transfer methods.
The vulnerability was promptly validated with the help of Joey Santoro, and subsequently disclosed to the Compound and OpenZeppelin teams along with a GitHub repo containing code that simulated exploitation of the vulnerability.
To the best of my knowledge, and based on discussions with the notified parties:
- The vulnerability was highly unlikely to be exploited profitably (to steal $1 million, gas costs would have amounted to $5-10+ billion).
- Only the Base WETH market was vulnerable, which limited the potential damage to the protocol.
- My disclosure provided the Compound team with awareness regarding a previously unknown attack vector, enabling the DAO to protect user funds both in the present and the future.
My intent in writing this forum post is to: 1) responsibly disclose a vulnerability that I collaborated with the Compound and OpenZeppelin teams in addressing, and 2) solicit community discussion prior to making a governance proposal for a bug bounty reward.
I was given the blessings of the individuals who were actively involved in this effort, and our collective belief is that a generous bug bounty reward will have the added effect of greatly motivating security researchers and developers in identifying and disclosing Compound bugs and vulnerabilities in the future. Additionally, I am the founder/core developer of a young startup, Brrito, that is building a new product on top of Comet, and your goodwill would greatly prolong our runway and enable us to see through our efforts of providing value and becoming a mainstay of the ecosystem.
To help in your decision making, and for your convenience, please see the following link for the full details of the Compound Bug Bounty Program: Compound v2 Docs | Security.
In addition to this disclosure post, it is my understanding that the OpenZeppelin team will be publishing a separate post detailing the vulnerability in-depth.
Special thanks to these individuals for their collaboration and advice regarding the above: Joey Santoro, Kevin C., Adam B., and Geoffrey H. from Compound, Michael L. and Jared B. from OpenZeppelin, and SamCZSun from Paradigm.
Thank you for reading; I'd appreciate your thoughts, feedback, and suggestions!