compound.finance (Ethereum mainnet)

Risk score: 5.9 / 10 (moderate-high)
Findings: 1 critical, 14 high, 15 medium
Last analyzed 16 days ago

Summary

Compound V2 is a legacy Ethereum lending protocol with roughly $90M in deposits, operating since 2018 under COMP token-holder governance with a 2-day timelock. It has never suffered a direct drain of user collateral, but eight production contracts—including cUSDC—remain unverified on Etherscan, audits are roughly six years stale, and a 4% voting quorum enabled a demonstrated 2024 treasury capture attempt. Overall risk is moderate-high at 5.9/10, reflecting assurance gaps on a deprioritized product whose successor, Compound V3, now receives active development.

Trust Assumptions

Users trust that the 2-day Timelock and COMP governance process will not approve harmful Comptroller or cToken upgrades; that Chainlink price reporters and Uniswap V2 TWAP anchors will stay accurate and that USDC/USDT will remain pegged near $1 (prices are hardcoded for stables); that the 5-of-9 Community MultiSig will use pause, borrow-cap, and proposal-guardian powers only in genuine emergencies; and that the eight unverified market contracts behave identically to their audited delegator templates.

What Could Go Wrong

A whale accumulating ~400,000 COMP (4% quorum) could pass governance proposals to swap the oracle, change collateral factors, or redirect treasury assets—exactly what Proposal 289 attempted with 499,000 COMP (~$24M) in July 2024. A stablecoin depeg or stale Chainlink feed could leave collateral priced at $1 while real value falls, enabling undercollateralized borrowing or unfair liquidations, as seen in the $89M DAI liquidation event of November 2020. An unaudited Comptroller upgrade could repeat the September 2021 COMP distribution bug that over-issued ~280,000 COMP (~$147M), or an empty-market initialization attack—exploited for $30M+ across V2 forks—could surface if market conditions change on a long-tail asset.

Recommendation

Treat Compound V2 as a winding-down legacy deployment suitable only for modest, short-term positions with active monitoring—not for large or long-duration allocations. Favor Compound V3 for new exposure given its isolated-market design and active security focus. Watch governance proposals affecting the oracle, collateral factors, or Comptroller implementation; monitor stablecoin peg health and oracle freshness; and reduce exposure if another low-participation vote approaches quorum or if additional core contracts go unverified.

Key Findings (30)

critical: September 2021 COMP Distribution Bug (~$147M) [incident]
high: cUSDC Market Contract Unverified [verification]
high: cWBTC2 Market Contract Unverified [verification]
high: cAAVE and cMKR Market Contracts Unverified [verification]
high: Legacy Price Oracle (v1) Unverified but Still Referenced [verification]
high: GovernorBravoDelegate Listed Address Unverified and Stale [verification]
high: Demonstrated Governance Capture (Proposal 289) [governance-attack]
high: Low Quorum Enables Plutocratic Capture [voting-power]
high: High COMP Holder and Governance Power Concentration [concentration]
high: 2021 COMP Over-Distribution Bug and Partial Recovery [distribution-bug]
high: Single Oracle Path With Governance-Replaceable Comptroller Oracle [oracle]
high: Last Third-Party Audit ~6 Years Stale vs Live Deployments [audit-staleness]
high: Eight Unverified Production Contracts [audit-gap]
high: July 2024 Golden Boys Governance Attack (Proposal 289) [governance]
high: Compound V2 Fork Empty-Market Exploit Pattern [fork-pattern]
medium: COMP Reservoir Contract Unverified [verification]
medium: Unitroller Delegatecall Proxy with Comptroller Upgrades [upgradability]
medium: cToken Delegator Implementation Swaps [upgradability]
medium: Oracle Dependency with Multisig-Controlled Price Feed [oracle]
medium: Privileged Comptroller Risk Parameter Controls [comptroller]
medium: COMP Reward Distribution Accounting Risk [accounting]
medium: Empty-Market Initialization Pattern (Fork Risk Vector) [architecture]
medium: Dual Governor Architecture Adds Complexity [architecture]
medium: Borrow Cap Guardian Can Instantly Disable Markets [emergency-powers]
medium: Pause Guardian Has Instant Pause, Timelock-Only Unpause [emergency-powers]
medium: Team and Investor-Heavy Initial Allocation, Now Fully Vested [distribution]
medium: V2 COMP Emissions Fully Disabled On-Chain [emission]
medium: Mercenary Farming and Governance Token Sell Pressure [incentive-misalignment]
medium: DAO Treasury COMP Largely Depleted [treasury]
medium: Chainlink Reporter + Uniswap V2 TWAP Anchor Architecture [oracle]

Analysis Sections

Compound V2 is controlled by COMP token-holder DAO governance routed through a 2-day Timelock. On-chain verification confirms Unitroller and cToken admin is the Timelock (0x6d903f...), while Timelock admin is an upgradeable CompoundGovernor proxy (0x309a862...). Emergency powers sit with a 5/9 Community MultiSig (pause, borrow-cap, and proposal guardian). A 4% quorum (400k COMP) and demonstrated 2024 governance attack (Proposal 289) create meaningful plutocratic capture risk, partially mitigated by timelock delays and post-attack guardian additions.

Findings (8)

high: Demonstrated Governance Capture (Proposal 289)

In July 2024, the Golden Boys delegate group (whale Humpy) narrowly passed Proposal 289 to allocate 499,000 COMP (~$24M) from the DAO treasury to a goldCOMP vault they controlled. Community and OpenZeppelin characterized it as a governance attack. The proposal was later cancelled in exchange for a COMP staking agreement, but the incident proves that concentrated COMP voting power can extract treasury value through standard governance mechanics.

Evidence (discovery.json): Golden Boys delegate group narrowly passed Proposal 289 to allocate 499,000 COMP from DAO treasury

high: Low Quorum Enables Plutocratic Capture

GovernorBravo requires only 400,000 COMP (4% of 10M total supply) for quorum, verified as a constant in GovernorBravoDelegate. With proposal threshold at 25,000 COMP (0.25% of supply, verified on-chain), a well-capitalized actor can propose and pass treasury or parameter changes with a relatively small fraction of total COMP. Flash-loan proposal creation is blocked (votes checked at prior block), but vote buying, delegation concentration, and OTC COMP accumulation remain viable attack paths.

Evidence (on-chain RPC via Etherscan/publicnode): proposalThreshold() = 25000000000000000000000 (25,000 COMP); COMP.totalSupply() = 10000000000000000000000000 (10M COMP)
Evidence (Etherscan verified source, GovernorBravoDelegate): uint public constant quorumVotes = 400000e18; // 400,000 = 4% of Comp

medium: Dual Governor Architecture Adds Complexity

Compound V2 operates with two governance contracts: legacy GovernorBravoDelegator (0xc0da02939e1441f497fd74f78ce7decb17b66529) and a newer upgradeable CompoundGovernor proxy (0x309a862bbc1a00e45506cb8a802d1ff10004c8c0 → CompoundGovernor 0x501eb63a2120418c581b3bd31cf190b0a0616752). On-chain verification shows Timelock.admin is the CompoundGovernor proxy, not GovernorBravo directly. This split increases operational and audit complexity and makes it harder for users to track which governor is authoritative for new proposals.

Evidence (on-chain RPC via publicnode): Timelock.admin() = 0x309a862bbc1a00e45506cb8a802d1ff10004c8c0 (TransparentUpgradeableProxy); proxy implementation = CompoundGovernor 0x501eb63a2120418c581b3bd31cf190b0a0616752
Evidence (on-chain RPC via publicnode): GovernorBravoDelegator.admin() = 0x6d903f6003cca6255d85cca4d3b5e5146dc33925 (Timelock)

medium: Borrow Cap Guardian Can Instantly Disable Markets

BorrowCapGuardian (verified on-chain as Community MultiSig 0xbbf3f1421D886E9b2c5D716B5192aC998af2012c) can set borrow caps on any market without timelock delay, including lowering caps to zero to disable borrowing. While intended as a safety valve, a compromised multisig signer set could grief borrowers across all markets instantly. Only admin (Timelock) or borrowCapGuardian may call _setMarketBorrowCaps per Comptroller source.

Evidence (on-chain RPC via publicnode): Unitroller.borrowCapGuardian() = 0xbbf3f1421d886e9b2c5d716b5192ac998af2012c
Evidence (contract source, StdComptrollerG5): require(msg.sender == admin || msg.sender == borrowCapGuardian, "only admin or borrow cap guardian can set borrow caps")

medium: Pause Guardian Has Instant Pause, Timelock-Only Unpause

Pause Guardian (5/9 Gnosis Safe at 0xbbf3f1421D886E9b2c5D716B5192aC998af2012c, verified on-chain) can instantly pause mint, borrow, transfer, and seize (liquidation) per Comptroller source. Unpausing requires admin (Timelock), incurring the 2-day delay. Users can always redeem and repay during pauses. This is a reasonable emergency design but concentrates fast-response power in a 5/9 multisig.

Evidence (on-chain RPC via publicnode): Unitroller.pauseGuardian() = 0xbbf3f1421d886e9b2c5d716b5192ac998af2012c; Safe getThreshold() = 5, getOwners() = 9 signers
Evidence (contract source, StdComptrollerG5): require(msg.sender == pauseGuardian || msg.sender == admin, "only pause guardian and admin can pause"); require(msg.sender == admin || state == true, "only admin can unpause")

low: Timelock Provides 2-Day Execution Delay

Timelock delay is 172,800 seconds (2 days), verified via storage slot 2 on 0x6d903f6003cca6255D85CcA4D3B5E5146dC33925. GRACE_PERIOD is 14 days per Timelock.sol source. All protocol admin actions (comptroller upgrades, market listings, reserve changes, oracle updates) must queue through Timelock, giving users an opt-out window. MINIMUM_DELAY=2 days and MAXIMUM_DELAY=30 days are hardcoded bounds.

Evidence (on-chain RPC via publicnode): Timelock storage slot 2 = 0x2a300 = 172800 seconds (2 days)
Evidence (contract source, Timelock.sol): uint public constant GRACE_PERIOD = 14 days; uint public constant MINIMUM_DELAY = 2 days;
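As an added illustration (not code from this report or from Compound), the following Python models GovernorBravo's proposal lifecycle using the quorum, voting-period and Timelock parameters verified in the two findings above, flags a proposal that clears quorum on thin participation (the Proposal 289 pattern), and decodes the Timelock delay storage slot against its hardcoded bounds. The LOW_PARTICIPATION threshold and any vote counts fed to it are assumptions, not figures from the report.

```python
from dataclasses import dataclass

# Compound V2 governance parameters as verified on-chain above (COMP in whole tokens, delays in blocks/seconds).
QUORUM_VOTES = 400_000
COMP_TOTAL_SUPPLY = 10_000_000
VOTING_PERIOD_BLOCKS = 19_710
GRACE_PERIOD = 14 * 86_400
MINIMUM_DELAY, MAXIMUM_DELAY = 2 * 86_400, 30 * 86_400
LOW_PARTICIPATION = 0.10  # assumed alert threshold (share of supply voting); not from the report

@dataclass
class Proposal:
    start_block: int        # block at which voting opens
    for_votes: int          # COMP cast in favour (prior-block snapshot)
    against_votes: int      # COMP cast against
    eta: int = 0            # Timelock execution timestamp once queued; 0 if never queued
    canceled: bool = False  # e.g. vetoed by the proposal guardian

def proposal_state(p: Proposal, block: int, now: int) -> str:
    """State machine modelled on GovernorBravo's state() for the states the findings discuss."""
    if p.canceled:
        return "Canceled"
    if block <= p.start_block:
        return "Pending"
    if block <= p.start_block + VOTING_PERIOD_BLOCKS:
        return "Active"
    if p.for_votes <= p.against_votes or p.for_votes < QUORUM_VOTES:
        return "Defeated"
    if p.eta == 0:
        return "Succeeded"  # passed but not yet queued into the Timelock
    if now >= p.eta + GRACE_PERIOD:
        return "Expired"    # sat in the Timelock past the 14-day grace period
    return "Queued"         # executable once now >= eta, inside the grace window

def capture_risk(p: Proposal) -> dict:
    """Flag a proposal that clears the 4% quorum on thin participation (the Proposal 289 pattern)."""
    total = p.for_votes + p.against_votes
    participation = total / COMP_TOTAL_SUPPLY
    quorum_met = p.for_votes >= QUORUM_VOTES and p.for_votes > p.against_votes
    return {"quorum_met": quorum_met, "participation": participation,
            "margin": p.for_votes - p.against_votes,
            "alert": quorum_met and participation < LOW_PARTICIPATION}

def timelock_delay_seconds(slot_hex: str) -> int:
    """Decode Timelock storage slot 2 (0x2a300 on-chain) and check the hardcoded delay bounds."""
    delay = int(slot_hex, 16)
    if not MINIMUM_DELAY <= delay <= MAXIMUM_DELAY:
        raise ValueError(f"delay {delay}s outside Timelock bounds")
    return delay
```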
low: Proposal Guardian Added Post-Attack

CompoundGovernor (current Timelock admin) has proposalGuardian set to the Community MultiSig (0xbbf3f1421D886E9b2c5D716B5192aC998af2012c), verified on-chain. This guardian can cancel proposals that have passed voting, acting as a veto against malicious governance outcomes like Proposal 289. This is a centralized backstop that partially offsets low quorum risk but reintroduces trusted-party dependency.

Evidence (on-chain RPC via publicnode): CompoundGovernor.proposalGuardian() = 0xbbf3f1421d886e9b2c5d716b5192ac998af2012c
Evidence (Tally Proposal 304): Proposal Guardian would consist of Community Multi-sig (0xbbf3f142...) able to veto proposals awaiting execution

info: No EOA Admin on Core Protocol Contracts

Unitroller admin, GovernorBravo admin, and cToken admin (verified on cUSDC) all resolve to the Timelock contract. No pending admin transfer is queued (pendingAdmin = zero address). Core protocol changes require DAO governance plus timelock delay rather than single-key control. Compound V2 is Ethereum-only with no cross-chain governance asymmetry.

Evidence (on-chain RPC via publicnode): Unitroller.admin() = Timelock; GovernorBravo.admin() = Timelock; cUSDC.admin() = Timelock; Unitroller.pendingAdmin() = 0x0
Evidence (discovery.json): Compound V2 is deployed only on Ethereum mainnet. No V2 bridge or L2 deployment.

Governance Checklist

DAO token voting (COMP): GovernorBravo + CompoundGovernor; COMP delegation-based votes
Timelock on protocol upgrades: 2-day delay verified on-chain (172,800 s)
Multisig (not EOA) for emergency roles: 5/9 Gnosis Safe Community MultiSig for pause/borrow-cap/proposal guardian
On-chain governance (not Snapshot-only): GovernorBravo + CompoundGovernor with on-chain propose/vote/queue/execute
Quorum resistant to whale capture: 400k COMP quorum = 4% of supply; Proposal 289 attack demonstrated
Post-attack guardian mitigations: Proposal guardian (Community MultiSig) on CompoundGovernor

Governance Parameters (On-Chain Verified)

Proposal Threshold: 25,000 COMP
Quorum: 400,000 COMP (4% of supply)
Voting Delay: 13,140 blocks (~1.8 days)
Voting Period: 19,710 blocks (~2.7 days)
Timelock Delay: 2 days
Timelock Grace Period: 14 days
COMP Total Supply: 10,000,000 COMP

Governance Control Map

timelock (ethereum): Timelock (Protocol Admin)
governor (ethereum): GovernorBravoDelegator (Legacy)
governor (ethereum): CompoundGovernor (Timelock Admin)
multisig (ethereum): Community MultiSig (Pause/Borrow-Cap/Proposal Guardian)
comptroller (ethereum): Unitroller (Comptroller Proxy)