Audit Into DeFi Project Compound Finance Discovers Multiple Vulnerabilities

Michael LaVere
  • Smart contract security firm Zeppelin recently completed an audit on DeFi platform Compound Finance. 
  • Several vulnerabilities were discovered, which the platform is working to address. 

A new audit into one of the most popular decentralized finance (DeFi) projects is drawing concern over the vulnerabilities that were discovered. 

Compound Finance Audit

According to a report by The Defiant, an audit into the open-source, autonomous DeFi protocol Compound Finance discovered several vulnerabilities. Compound Finance is the second largest DeFi platform behind Maker, with over $40 million in loans outstanding. The audit was performed by smart contract security firm Zeppelin. 

While Zeppelin did not discover any critical vulnerabilities on the platform, it did find a number of threats that could potentially impact the protocol's decentralization.

The Defiant outlined the primary risks discovered in the audit, starting with the fact that a group of decentralized administrators are responsible for deciding how the protocol works. These administrators also control which assets can be loaned, the interest rate for individual assets and the collateral requirements. 

According to the report:

In the hands of a malicious or compromised administrator, these privileges contain the ability to trivially freeze markets, censor transactions or steal all assets from the system.

In addition, the Compound Finance team maintains its own price feed, which Zeppelin claims could be used for malicious intent:

Control of the price feed can be used to steal most, if not all, assets from the system.

Improving Autonomous Protocols

While Compound Finance and DeFi networks are designed to operate autonomously, the smart contract code is ultimately written by humans, who are prone to mistakes, The Defiant notes. Until AI becomes sophisticated enough to replace human coders in this regard, DeFi platforms and their users will ultimately be at the mercy of potential error. 

The report also points out a handful of ways users can manipulate the platform, such as:

It’s possible for a borrower to take out a small, short-term loan without having to pay any interest, which can be scaled up to a large loan by consolidating many small loans into a single account. This attack is only profitable for miners as it requires a large amount of gas.
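The following simulation is an added example, not code from the audit or from Compound itself, and it assumes one plausible mechanism for the interest-free small loan: an account's interest is recomputed with truncating integer division every time the account is touched, so a tiny balance touched every block accrues zero. The `SCALE`, `RATE_PER_BLOCK`, loan size and block count are constructed values. The second accrual model, a global borrow index applied to the whole balance, shows why index-based accounting bounds the rounding loss to one unit total rather than one unit per touch.

```python
SCALE = 10**18               # fixed-point mantissa (constructed)
RATE_PER_BLOCK = 5 * 10**10  # 0.00000005 per block (constructed)
BLOCKS = 1000                # how long the loan is held (constructed)
LOAN = 10**6                 # small loan in base units (constructed)

def interest_per_touch(balance, blocks):
    """Hypothetical per-account accrual: interest on the current balance
    for the blocks since the last touch, truncated by integer division."""
    return balance * RATE_PER_BLOCK * blocks // SCALE

def owed_touch_every_block(principal, blocks):
    """Borrower keeps the loan small and touches the account each block:
    balance * rate < SCALE, so every accrual truncates to zero."""
    balance = principal
    for _ in range(blocks):
        balance += interest_per_touch(balance, 1)
    return balance

def owed_touch_once(principal, blocks):
    """Same loan, same duration, but accrued in one step at repayment."""
    return principal + interest_per_touch(principal, blocks)

def index_after(blocks):
    """Global borrow index (starts at 1.0 in fixed point) that the market
    advances every block regardless of how individual accounts behave."""
    idx = SCALE
    for _ in range(blocks):
        idx += idx * RATE_PER_BLOCK // SCALE
    return idx

def owed_with_index(principal, blocks):
    """Index-based accrual: balance = principal * index_now / index_at_borrow.
    Touch frequency no longer matters; only one truncation ever happens."""
    index_at_borrow = SCALE
    return principal * index_after(blocks) // index_at_borrow

if __name__ == "__main__":
    print("touched every block:", owed_touch_every_block(LOAN, BLOCKS))
    print("touched once:       ", owed_touch_once(LOAN, BLOCKS))
    print("index-based:        ", owed_with_index(LOAN, BLOCKS))
```

Under the per-touch model the borrower repays exactly the principal after 1000 blocks, while both the one-shot and the index-based accounting charge the 50 units of interest actually owed; the cost of the attack is the gas for 1000 transactions, which is why the finding notes it is only profitable for miners.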

The Compound team responded to the audit’s results with a plan to replace the existing administrator role and price feed operations with a more decentralized governance system. While none of the vulnerabilities discovered were critical to the platform’s operation, the findings do reveal how much room decentralized, autonomous protocols still have to grow.