To summarize samczsun’s report: the Compound Protocol is designed to be upgraded in place by a central administrator. The important contracts are proxies that simply point to a separate contract address holding their implementation logic, and the administrator has the privilege of changing these pointers at will. Because all cTokens share the same administrator, if the administrator key is compromised, every asset deposited in Compound can be trivially drained.

There are a few other, sneakier attacks that sam mentions above as well, but chances are an attacker would, given the option, sooner run away with all the funds than pursue something more complex.

OpenZeppelin helpfully covered this in their Compound Audit Summary.

However, in the hands of a malicious or compromised administrator, these privileges contain the ability to trivially freeze markets, censor transactions or steal all assets from the system. Similarly, control of the price feed can be used to steal most, if not all, assets from the system. Currently, the same externally owned account is the administrator for all live markets.

Interestingly, no mention of this was made in any of the materials produced by the Trail of Bits team. Furthermore, the Compound FAQ casually understates the privileges of the admin and gives no warning that it can drain all funds:

Compound Labs, Inc., the developer of the protocol, currently controls the Ethereum address 0x8b8592e9570e96166336603a1b4bd1e8db20fa20, which is the protocol admin. The admin address has the right to support additional assets, upgrade the price feed oracle, upgrade the interest rate models, and upgrade the risk model of the protocol.

Another thing to note is that Compound’s current custodial setup does not by itself make their system insecure. They are highly motivated to keep the admin key safe, and probably (hopefully) are working with the best custody providers their $8.2M a16z led seed round can buy. It certainly is, however, something I’m keeping in mind when deciding to deposit half a million DAI.

Bank Run Risk

This tweet from the COO of Dharma, a formerly competing lending platform, led me down a rabbit hole to figure out what the bank run risk looks like in Compound.

The utilization rate in the quoted tweet is 98.62%, which meant that at the time, 98.62% of the DAI deposited by lenders was being loaned out to borrowers. Only 1.38% of the DAI was available for withdrawals, so only a small fraction of the lenders would be able to recover their DAI if they wanted to.

If enough DAI lenders (cDAI holders) wanted their DAI back at the same time, their withdrawals might exhaust the available DAI, increasing the utilization rate to 100% and preventing any further withdrawals. Lenders attempting to withdraw would simply see their transactions fail, and would be forced to wait until more borrowers paid back their loans before they could withdraw.

Because the possibility of getting stuck with cDAI exists, people will worry about it, and their worrying could be self-fulfilling. That is, the bank run scenario where a bunch of cDAI holders try to claim their DAI all at once may happen just because enough cDAI holders are worried about it happening.

Lenders caught in a cDAI bank run can either wait to receive their DAI, or sell their cDAI for DAI, incurring exchange fees and possibly getting a worse price if many other lenders are also selling. Should lenders choose to wait it out and hodl cDAI, they will still earn interest in the meantime.

How does Compound address this?

The Compound team is straightforward about this liquidity risk and covers it in their whitepaper:

The protocol does not guarantee liquidity; instead, it relies on the interest rate model to incentivize it. In periods of extreme demand for an asset, the liquidity of the protocol (the tokens available to withdraw or borrow) will decline; when this occurs, interest rates rise, incentivizing supply, and disincentivizing borrowing.

Compound determines the interest rate for borrowers of each cToken using a cToken-specific “interest rate contract”. This contract currently implements the interest rate model for cDAI. The formula is:

Borrower Annual Interest = Base Rate + (Multiplier * Utilization Rate)

For cDAI, the Base Rate = 5% and the Multiplier = 15% (the values are hardcoded into the contract). At a 100% utilization rate, borrowers would pay 20% annually. This means that when DAI is maximally utilized, the only thing pushing borrowers to repay is that 20% rate: a borrower who believes that ETH (the collateral for the loan) will rise by more than 20% over the course of the year has no incentive to repay. That could leave a lot of cDAI holders…holding cDAI for a long time.
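To make the utilization, withdrawal-failure and borrow-rate mechanics from the last few paragraphs concrete, here is a small Python model. It is an added illustration, not code from Compound’s contracts or from the reports quoted above. The Market class, its method names and the constructed DAI amounts are assumptions; the 5% base rate, 15% multiplier and the rate formula are the ones stated in the text.

```python
from dataclasses import dataclass

# cDAI parameters as quoted in the text above: 5% base rate, 15% multiplier.
BASE_RATE = 0.05
MULTIPLIER = 0.15


@dataclass
class Market:
    """Minimal model of one cToken market (the class and field names are assumptions)."""
    cash: float      # underlying held by the contract, available to withdraw or borrow
    borrows: float   # underlying currently lent out to borrowers

    def utilization(self) -> float:
        """Fraction of supplied assets that is lent out: borrows / (cash + borrows)."""
        total = self.cash + self.borrows
        return 0.0 if total == 0 else self.borrows / total

    def borrow_rate(self, base: float = BASE_RATE, multiplier: float = MULTIPLIER) -> float:
        """Annual borrow rate from the formula in the text: base + multiplier * utilization.
        An admin upgrade of the rate model is represented by passing different
        base/multiplier values."""
        return base + multiplier * self.utilization()

    def withdraw(self, amount: float) -> bool:
        """A lender redeems cTokens for `amount` of underlying.
        Returns False (the on-chain transaction would simply fail) when the contract
        does not hold enough cash; this is the stuck-lender case from the text."""
        if amount > self.cash:
            return False
        self.cash -= amount
        return True

    def repay(self, amount: float) -> None:
        """A borrower repays, moving underlying from borrows back into cash."""
        amount = min(amount, self.borrows)
        self.borrows -= amount
        self.cash += amount


def run_withdrawals(market: Market, requests: list) -> tuple:
    """Apply withdrawal requests in order; return (succeeded, failed) counts.
    Each successful withdrawal pushes utilization up, and once cash is exhausted
    every later request fails until a borrower repays."""
    ok = failed = 0
    for amount in requests:
        if market.withdraw(amount):
            ok += 1
        else:
            failed += 1
    return ok, failed


def borrower_keeps_loan(market: Market, expected_collateral_return: float) -> bool:
    """The text's argument: a borrower has no reason to repay while the annual return
    they expect on their collateral exceeds the borrow rate they are paying."""
    return expected_collateral_return > market.borrow_rate()


if __name__ == "__main__":
    # Constructed amounts matching the 98.62% utilization quoted in the text.
    m = Market(cash=1_380.0, borrows=98_620.0)
    print(f"utilization={m.utilization():.4f} borrow_rate={m.borrow_rate():.4%}")
    # Four lenders each try to pull 500 DAI: only the first two get out.
    print("withdrawals (ok, failed):", run_withdrawals(m, [500, 500, 500, 500]))
    print(f"after run: utilization={m.utilization():.4f} borrow_rate={m.borrow_rate():.4%}")
    # A single repayment restores liquidity and the stuck lenders can try again.
    m.repay(1_000.0)
    print("after repay, withdraw 500 ok:", m.withdraw(500))
```

At the quoted 98.62% utilization the model gives a borrow rate of about 19.79%, and at 100% exactly 20%; the withdrawal loop shows that the third and fourth lenders are stuck until someone repays, even though their cDAI keeps accruing interest.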

The only tool that Compound has at their disposal to address this is to use the centralized administrator to upgrade their interest rate model, which is exactly what they did 6 weeks ago when the utilization rate increased to ~99% (around the same time as the quoted tweet above).

So, to summarize: if the utilization rate ever reaches its maximum and there is a liquidity crisis with a looming bank run, all lenders can do is hope that Compound uses its admin power to update the model and raise the interest rate for borrowers, incentivizing them to repay their loans and restore liquidity for lenders who want out.

Conclusion

Protocols like Compound perform a delicate dance between centralization and decentralization, trading off between the ability to upgrade quickly and the centralized points of failure that they necessarily introduce in order to do so.

I don’t fault Compound for choosing to bootstrap their product in a centralized way (it has clearly worked or else I wouldn’t be writing this), but I do hope that we hold projects with $10–100M+ in their smart contracts to the highest of standards, especially when it comes to communicating risks to their users and providing warnings.

Basically, we should encourage projects to do the opposite of what Robert Leshner (CEO of Compound) does here:

This might be *technically* correct, but we both know the admin can be abused in other ways…

I’m still undecided about depositing my DAI in Compound. Maybe I’ll start with just 100,000 DAI? What could go wrong… In Compound We Trust!