Composite cETH market bricked by update – 7 days waiting for vote to fix the issue

The decentralized lending platform Compound has been plagued by a code flaw in a recent governance proposal to update its price feeds.

The code bug “temporarily froze” the Compound ETH (cETH) market, causing cETH transactions to be rolled back, but Compound Labs stated that despite the non-functioning front end, “funds are not immediately at risk.”

Compound Labs announced on August 31st that the code error is from Proposal 117: Compound Oracle Upgrade v3 implemented a few hours ago to upgrade the Oracle contracts on the Compound protocol to a new version that uses Uniswap V3 instead of V2 for price feeds.

In response to the temporary cETH market freeze, Compound Labs said it intends to return to the previous price feed via Proposal 119: Oracle Update. The new proposal was created less than an hour after Proposal 117 was executed, but now has to go through a seven-day governance process before it becomes effective.

According to an update from OpenZeppelin security solutions architect Michael Lewellen, the code error came from the getUnderlyingPrice function, which failed to update the price of cETH tokens, which would return empty bytes and cause the call to roll back.

Lewellen also reiterated that no funds are at risk:

“The main issue right now is a temporary denial of service for the cETH market, which the new governance proposal will resolve. No funds are currently at risk. The remaining cToken markets on Compound V2 and V3 remain operational.”

However, Lewellen added that “all users who have deposited ETH and received cETH for opening loan positions must be aware that they could be liquidated immediately if the fix proposal is executed if the price of ETH dropped significantly at that point”.

But Compound Labs CEO Robert Leshner added that users can still pay off debt and add collateral to avoid liquidation.

Related: What is a Smart Contract Security Audit? A Beginner’s Guide

Compound Labs determined that the code bug occurred even though the Oracle contract was audited by three separate smart contract auditing companies, with OpenZeppelin and ChainSecurity being among the most recent companies to audit Compound’s smart contracts.

Proposal 117 itself did not appear to be controversial, with all 696,665 votes from 245 different wallet addresses in favor of the price feed upgrade. Crypto investment firm Polychain Capital cast the most votes (306,146) for the proposal.

According to DeFi Llama, Compound is the third largest decentralized lending platform with a total value of $2.67 billion (TVL). The news has not impacted compound token COMP, which is currently priced at $48.27.