The developer known as KP took significant steps after discovering a security vulnerability in Compound’s V3 protocol. According to KP, the flaw could have allowed an attacker to steal user funds directly, which could have resulted in substantial losses.
After discovering and confirming the security issue, KP reported it to the Compound team and the security partner OpenZeppelin, along with a repository containing a simulation of the potential attack. While the flaw was promptly fixed, KP humbly requested a reward of $125,000 from the Compound DAO. The Compound DAO has a maximum reward policy of $150,000 for reporting such errors.
In KP’s proposal, they mentioned that bug bounties would encourage security researchers and developers to identify and disclose future Compound errors and vulnerabilities. KP also added that they are developing an initiative on the Comet protocol and that the reward would enable them to continue their efforts to become a cornerstone of the ecosystem.
KP’s proposal received support from Compound Labs Protocol Lead Kevin Cheng and OpenZeppelin’s Head of Solution Architecture Michael Lewellen, who praised KP’s professionalism in the process of correcting the error.
Despite support from a two-thirds majority of delegates, the vote failed, falling 15,000 votes short of the 400,000 required for approval. A last-minute vote from the Vice President of Andreessen Horowitz brought in 256,000 votes in favor, but this was not enough for KP to reach the necessary threshold. Compound states that rewards for bug reports are paid based on the severity and exploitability of the finding, but that such rewards are entirely at Compound’s discretion. KP, taking a different approach, submitted another proposal, asking for a reduced reward of $100,000 instead of the original $125,000.