Compound V2 is a battle-scarred DeFi pioneer. While its code has been live since 2020 without a direct exploit of user funds, the $147M distribution bug and $24M governance attack demonstrate real risks. The shared pool architecture is fundamentally riskier than V3's isolated design. Users should seriously consider migrating to V3 or alternative lending protocols unless there is a specific reason to remain on V2.
Top Risks
1. 2021 COMP distribution bug lost ~$147M in over-distributed rewards — the largest accounting error in DeFi history — demonstrating the risk of V2's aged, complex smart contracts
2. Empty pool attack vector in Compound V2 code when initiating new markets has been exploited in multiple forks (Hundred Finance, Onyx Protocol), and the vulnerability pattern originates from V2's architecture
3. 2024 Golden Boys governance attack extracted $24M COMP from treasury via whale-coordinated voting, exposing structural governance capture vulnerability
Risk Breakdown
Frequently Asked Questions
Is Compound V2 safe to use?
Compound V2 receives a C+ risk grade (40/100) from Hindenrank, where lower scores indicate lower risk. Compound V2 is a battle-scarred DeFi pioneer. While its code has been live since 2020 without a direct exploit of user funds, the $147M distribution bug and $24M governance attack demonstrate real risks. The shared pool architecture is fundamentally riskier than V3's isolated design. Users should seriously consider migrating to V3 or alternative lending protocols unless there is a specific reason to remain on V2. Compound V2 is the original version of Compound Finance — one of DeFi's first lending protocols. It lets you supply crypto assets to earn interest or borrow against your deposits. While V3 (the newer version) has launched with improved design, V2 still holds $153M in deposits from users who haven't migrated. It uses a shared lending pool where all assets are mixed together.
What are the main risks of using Compound V2?
The key risks identified for Compound V2 are: (1) V2 is the older, riskier version of Compound — it had a $147M bug in 2021 that over-distributed rewards to the wrong people; (2) V2's shared pool design means a problem with any one asset can affect ALL depositors, not just those in that asset; (3) the Compound DAO was attacked in 2024 — a group extracted $24M by coordinating votes with few participants watching; (4) V2 is a legacy system with declining development attention as the team focuses on V3.
What is Compound V2's risk score breakdown?
Compound V2 scores 40/100 across eight risk dimensions: Mechanism Novelty: 0/15, Interaction Severity: 8/20, Oracle Surface: 3/10, Documentation Gaps: 1/10, Track Record: 14/15, Scale Exposure: 5/10, Regulatory Risk: 2/10, Vitality Risk: 7/10. The highest risk area is Track Record at 14/15.
How does Compound V2 compare to other Lending protocols?
Among 90 rated Lending protocols on Hindenrank, Compound V2 ranks #61 by safety (lowest risk score = safest). Its 40/100 risk score and C+ grade place it among the riskier Lending protocols.
Has Compound V2 ever been hacked or exploited?
Compound V2 scores 14/15 on the Track Record risk dimension, indicating some history of security incidents or exploits. Higher scores reflect more severe or frequent incidents. Review the full risk report for details.