This really disappoints me, I don’t think I will use Compound again. Nothing has been done to address the exploit, and there’s just no accountability from Compound after providing an unsafe platform and causing folks to get liquidated even when using the “safe borrow percentage” recommended by Compound. Lending a stable and borrowing the “safe amount” of another stable should never lead to liquidation in the manner that occurred here.
I find it totally ridiculous that much smaller, less successful platforms like Harvest and Pickle fully or partially compensate users who experienced an exploit, while Compound, a leader in this space, chose to do nothing and ignore the issue. It would not have been that hard to issue vCOMP that vests over time. Or providing some other kind of restitution (I liked 0xb1’s proposal here https://twitter.com/0x_b1/status/1356328468284387331)
Considering how successful Compound has been, purely based off of the historical activity & support of the user base, this really just feels like a HUGE let down. I’m extremely disappointed.
I agree, users are not liquidated through their own fault, the error is by the protocol. Honestly, I am patiently waiting for the repair of the price feed oracle and next proposal. If the losses of users (which have become very large with the increase in Ethereum prices) are not compensated, I will certainly transfer my funds elsewhere.
It is a shame that Coinbase gives a statement that everything worked properly and most WC funds (which have a protocol) support that.
Was just reading this thread, it seems like in all the discussions here including this thread, we are just talking to ourselves? There seems to be zero input or response from dev, even when it’s crystal clear what a fix/solution is in this case and the serious nature of the issue. Do devs just not read this forum? Where can I find dev discussing the ongoing issues/fixes?
Bumping this thread again as it is imperative that the huge security hole in the protocol is fixed and that the users who were falsely liquidated receive adequate compensation.
Personally I’m surprised to see it remain unsolved for 5 months but it does seem there is ongoing discussion on addressing the faulty oracle system. Hopefully it is soon safe to use the protocol once more and we do not see the first billion dollar DeFi exploit.
Agreed - we need a response from those folks. Can’t believe it’s been months and this still hasn’t been fixed.
Randomly saw this posted- clearly everyone seems to be aware of this issue. Seems like the only people putting large amounts of funds on Compound are huge whales that don’t borrow anything, or people that don’t realize the risk they are taking.
This needs a fix, and I think 0xb1’s proposal is totally fair
I agree, this has become a peripetia. First because the exploit happened when the price of Ethereum was around 400, so the losses to damaged users are very high when the price is 2100.
Second, we have not received an explanation or statement from individuals who are large holders or founders of the protocol. They are wisely silent and play a political game with users. I think all users should ask themselves what to expect when a similar exploit or hack occurs (both those that are damaged and those that are not).
Smaller DeFi protocols were much more transparent and open to users when a protocol failure occurred.
Unfortunately, the Compound.finance strategy is focused on the interests of early investors and is constantly patched up with Coinbase.
I am personally considering other options and am waiting for a cheaper gas fee to move away from this CeFi project.
Looks like the ball is rolling in terms of fixing the oracle in another thread. Hopefully Compound can step up and do the same. These protocols took responsibility the day of, yet here we are 7 months later.
This is just laughable that the Compound team are still ignoring this issue when it cost many users tens of thousands of dollars of losses, and that no fix has even been put in place preventing this from happening again.
I can’t believe anyone (let alone billions of dollars) trusts Compound with their assets when there are such obvious flaws that could cause anyone using the platform safely to get liquidated even if they are using it safely, and paying attention to what’s going on in terms of asset prices in the general market. Especially now that they know the team will ignore the issue and not do anything to make it right.
Tens of millions. 10% of user funds were falsely liquidated ($100 Million of $1 Billion) and that is not accounting for the fact that it was right before the bullrun kicked off, so liquidations may have been at prices a fraction of what those assets are valued at now.
No report was made about that event. Ignoring this exploitation is a political decision of several VC funds while Gauntlet and founder wash their hands and talk fairy tales about decentralization.
I am very likely going to end up suing Compound due to the losses here and failure to protect user funds. If anyone wants to join the suit feel free to message me.
If the Compound team had done something at all to make this right, even if not fully rectifying the loss, I would have been fine with it. Reimbursing the 8% liquidation fees would have been totally reasonable in my opinion, despite “the longer term losses” folks suffered due to the rapid increase of the non stable assets since these liquidations took place.
But doing nothing and saying that things worked as designed, when there were clearly problems with the platform, and now making the changes that we requested many months later while basically ignoring the damages we incurred that led to the changes is just infuriating and rubbing salt in the wound.
Not to mention the Compound community furiously applauding the guy who put the proposal together and giving him $150k for his hard work to “improve the platform”.
This is a total slap in the face to anyone who lost funds during this attack and was just “using the platform as designed”. I myself was borrowing DAI against other stables because I didn’t want to pay to swap them. It would have been (and still is) cheap to address this issue with:
any of the various proposals put forth in this long thread (my preference is this one)
an apology to the people who were affected
and a thank you for bringing this serious problem to light that helped make the platform stronger & better in the long run
Instead they just ignore it. Not sure why that is the chosen approach, when the negative publicity of a lawsuit far outweighs reimbursing the non-farming addresses in the list. Indeed, the largest wallet in this list of affected people seems to have stopped using it entirely. Reimbursing the rest is a tiny cost to Compound at this point.
I am quite serious about this and hope that my comments bring this discussion back online so we can get a resolution in the near future and I don’t have to take any additional action to get reimbursed for my stolen funds.
This was not ignored whatsoever. Proposal 32 was made to reimburse users who lost funds and the proposal failed. The Compound protocol is run by a community not by an individual point of contact.
It is totally possible to revive this thread and get it done now that the oracle has been changed. @kybx86 have anything to say now?
I would not agree with that. The redesign of the oracle price feed indicates that damaged users are not to blame for being liquidated (as some members have argued). What about users with liquidated Ethereum positions? The difference between the current ETH price and the price from 7 months ago is quite large.
While it sucks that some of the assets that got liquidated went up in value that isn’t really Compound’s fault. You could have taken the DAI you ended up with and rebought your other token if you so chose to.
Conversely, if they had gone down in value after, would you reimburse Compound for it?
I think reimbursing the liquidation fees at a bare minimum would go a long way towards appeasing people. Ideally they’d reimburse the liquidation fees + the amount of DAI that people got shorted since we “bought” it at 30% above market value. I’m sure there is enough in the treasury to do that, and if not they ought to do it with COMP.
How anyone continues to have faith in a protocol that doesn’t protect its users and doesn’t take responsibility for its mistakes is beyond me.