Lenders on DeFi protocol Compound (COMP) have fallen victim to another flash loan exploit, this time to the tune of over $100 million.
Opportunistic profiteering using flash loans has been at the heart of many losses in the DeFi space in 2020.
DAI/USD Peg on Coinbase Malfunctions
According to DeFi lending analytics provider LoanScan, about $103 million has been liquidated from the Compound protocol.
Data from TradingView shows the DAI-dollar peg on Coinbase climbing to $1.34, a 34% premium on the actual value of the stablecoin. An inspection of the DAI price across the market shows the issue occurred only on Coinbase.
In all, the DAI peg deviation reportedly lasted between 7:45 AM (UTC) and 8:55 PM (UTC). At the height of the problem, DAI remained at $1.34 on Coinbase for a full four minutes.
Due to the incorrect price feed from the Coinbase oracle, some Compound users became under-collateralized. Based on the baked-in protocol rules, this meant a forced liquidation of their positions.
With numerous flash loan arbitrage bots scouring the market for such opportunities, it’s perhaps unsurprising that some entities benefitted from the situation. The third-largest COMP farmer was reportedly one of the affected users, losing about $49 million in the process.
Details of the Compound Attack
Commenting on the loss, DeFi trader Sam Priestley identified the victim as a leveraged COMP farmer who failed to keep his DAI and USDC stash in separate wallets.
Thus, the liquidator was able to take the DAI balance to offset the debt occasioned by the under-collateralized loan while earning a cool $3.7 million from the token swap process.
In summary, the attacker took a 46 million DAI flash loan and swapped the same for 2.4 billion cDAI. Converting the 2.4 billion cDAI yielded 46.2 million DAI.
The attacker then repaid the flash loan of 46 million DAI and was left with 170.9 million cDAI, which is equivalent to $3.5 million in profits. According to another tweet, by Alex Savenik, the CEO of on-chain data analytics outfit Nansen, one other COMP farmer lost $17.5 million in the exploit.
Earlier in November, the Origin Dollar project lost about $7 million in another flash loan “attack.” Entities continue to leverage vulnerabilities in contract code, liquidity pools, and even oracle data to score millions of dollars from DeFi platforms.
Indeed, Thursday’s Compound flash loan exploit highlights the dangers of relying on centralized price oracles.
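The oracle failure described above, where a single venue's DAI quote made borrowers under-collateralized, can be modelled in a few lines. This is an added example, not Compound's code: the collateral factor, the deviation tolerance, the venue names other than Coinbase, and the sample position are assumptions, and the cross-venue median check is one common mitigation, not something the article describes.

```python
from statistics import median

# Constructed sample quotes (USD per DAI). Only the 1.34 Coinbase figure comes
# from the article; the other venues and their values are hypothetical.
QUOTES = {"coinbase": 1.34, "venue_b": 1.01, "venue_c": 1.00, "venue_d": 1.02}

COLLATERAL_FACTOR = 0.75  # assumed for illustration, not a real protocol parameter
MAX_DEVIATION = 0.05      # assumed tolerance: distrust quotes >5% off the median


def borrow_limit_used(collateral_usd, debt_dai, dai_price):
    """Fraction of the borrow limit consumed; above 1.0 means liquidatable."""
    return (debt_dai * dai_price) / (collateral_usd * COLLATERAL_FACTOR)


def guarded_price(quotes, primary, max_dev=MAX_DEVIATION):
    """Return (price, accepted).

    The primary feed is used only if it sits within max_dev of the
    cross-venue median; otherwise the median is used instead.
    """
    reference = median(quotes.values())
    reported = quotes[primary]
    if abs(reported - reference) / reference > max_dev:
        return reference, False
    return reported, True


def evaluate(collateral_usd, debt_dai, quotes, primary):
    """Compare position health under the raw feed and under the guarded feed."""
    naive = borrow_limit_used(collateral_usd, debt_dai, quotes[primary])
    price, accepted = guarded_price(quotes, primary)
    guarded = borrow_limit_used(collateral_usd, debt_dai, price)
    return {"naive": naive, "guarded": guarded,
            "primary_accepted": accepted, "price_used": price}


if __name__ == "__main__":
    # Constructed position: $1,000,000 of stable collateral against 600,000 DAI debt.
    result = evaluate(1_000_000, 600_000, QUOTES, "coinbase")
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the raw Coinbase quote the sample position exceeds its borrow limit; with the guarded price it stays well inside it.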