Is Compound V2 Safe?
Risk Grade: C+ (40/100)
Compound V2 is rated as elevated risk — multiple novel mechanisms and notable interaction risks.
Compound V2 is a battle-scarred DeFi pioneer. While its code has been live since 2020 without a direct exploit of user funds, the $147M distribution bug and $24M governance attack demonstrate real risks. The shared pool architecture is fundamentally riskier than V3's isolated design. Users should seriously consider migrating to V3 or alternative lending protocols unless there is a specific reason to remain on V2.
Compound V2 is the original version of Compound Finance — one of DeFi's first lending protocols. It lets you supply crypto assets to earn interest or borrow against your deposits. While V3 (the newer version) has launched with improved design, V2 still holds $153M in deposits from users who haven't migrated. It uses a shared lending pool where all assets are mixed together.
TVL
$139M
Mechanisms
7
Interactions
5
Value Grade
C-
Key Risks for Compound V2 Users
V2 is the older, riskier version of Compound — it had a $147M bug in 2021 that over-distributed rewards to the wrong people
V2's shared pool design means a problem with any one asset can affect ALL depositors, not just those in that asset
The Compound DAO was attacked in 2024 — a group extracted $24M by coordinating votes with few participants watching
V2 is a legacy system with declining development attention as the team focuses on V3
Top Risk Factors
- •2021 COMP distribution bug lost ~$147M in over-distributed rewards — the largest accounting error in DeFi history — demonstrating the risk of V2's aged, complex smart contracts
- •Empty pool attack vector in Compound V2 code when initiating new markets has been exploited in multiple forks (Hundred Finance, Onyx Protocol), and the vulnerability pattern originates from V2's architecture
- •2024 Golden Boys governance attack extracted $24M COMP from treasury via whale-coordinated voting, exposing structural governance capture vulnerability
How Compound V2 Compares to Peers
Compound V2 ranks #62 of 90 Lending protocols (below-median — riskier than average). At a risk score of 40/100, it's 3 points riskier than the sector average of 37/100.
Adjacent peers: Vesu (C+, 39/100) is ranked just safer, and TermMax (C+, 40/100) is ranked just riskier.
See the full Lending sector leaderboard or the Compound V2 vs TermMax comparison.
Common Questions about Compound V2
Plain-English answers based on Compound V2's scores across Hindenrank's 8 risk dimensions. The highest-scoring (riskiest) dimension is Track Record (14/15).
Has Compound V2 ever been hacked or exploited?
Compound V2 has a documented incident history that materially raised its risk grade — the track record dimension scored 14/15, near the high end of the scale. Past exploits, governance failures, or contract issues are baked into this rating. Anyone considering deposits should review the incident details before allocating capital.
How much money is at stake in Compound V2?
Compound V2 currently holds more than $139M in user deposits. A protocol of this size typically has deeper liquidity, more eyes on the code, and more attention from auditors — but it also means a single failure has a much larger blast radius.
What's the worst-case scenario for Compound V2?
Hindenrank has identified specific collapse scenarios for Compound V2. The most prominent: "Cross-Collateral Cascade Liquidation in Shared Pool". The trigger condition is Multi-asset market crash of 30%+ within 24 hours triggers simultaneous liquidations across all collateral types in the V2 shared pool. Reading through the full scenario list on the protocol page is the single best way to understand the actual failure modes — generic "smart contract risk" is rarely the thing that takes a protocol down.
Is Compound V2 regulated or insured?
Compound V2 has low regulatory exposure on Hindenrank's framework (2/10). The protocol is structured in a way that minimizes counterparty and jurisdiction concentration, though regulatory risk in crypto can change rapidly. No DeFi protocol carries FDIC-style insurance — even with low regulatory risk, depositors are not protected in the way bank customers are.
What are the biggest red flags for Compound V2?
Hindenrank's retail-focused risk audit flagged: V2 is the older, riskier version of Compound — it had a $147M bug in 2021 that over-distributed rewards to the wrong people V2's shared pool design means a problem with any one asset can affect ALL depositors, not just those in that asset The Compound DAO was attacked in 2024 — a group extracted $24M by coordinating votes with few participants watching
Should beginners deposit into Compound V2?
Compound V2's C+ grade puts it in the elevated-risk band. This is not a beginner-friendly protocol. Anyone depositing here should treat the position as speculative and avoid concentrating significant savings in it.
How does Compound V2 compare to safer Lending alternatives?
Compound V2 is one protocol in Hindenrank's Lending coverage. The safest Lending protocols on the leaderboard tend to share three traits: a long incident-free track record, conservative mechanism design, and high-quality public documentation. Compare Compound V2 against the full Lending ranking before committing capital.
For the full 8-dimension score breakdown, the radar chart, and dependency graph, see the Compound V2 risk report.
Read the Full Compound V2 Risk Report
This protocol has 2 collapse scenarios. 3 high-severity interaction risks identified. See the full mechanism classification, interaction matrix, and deep-dive recommendations.
View Full Report →Get risk alerts before it's too late
Weekly grade changes, downgrade alerts, and new protocol risk findings. Free.