DeFiPunk'd

Compound Finance

3 deployments · $1.3B aggregate TVL · Lending

Deployments

Each deployment is rated independently. Pick one to see its rating, risk analysis, and stage.

TVL $1.2B
Type Lending
Chains Ethereum, Arbitrum, Base, Optimism, Polygon +4
Control criteria
Upgradeability Upgradeable
Bug bounty immunefi.com
Governance forum comp.xyz
Docs docs.compound.finance
About

Compound III (Comet) is a lending protocol where users supply crypto assets as collateral to borrow a single base asset (e.g., USDC, USDT, WETH) per market instance. Each market is deployed as an OpenZeppelin TransparentUpgradeableProxy backed by a Comet implementation contract, with protocol parameters managed via a Configurator contract and upgrades controlled by on-chain governance. The protocol operates across Ethereum, Arbitrum, Base, Optimism, Polygon, Mantle, Linea, Ronin, Scroll, and Unichain, with rewards distributed to suppliers and borrowers via a separate CometRewards contract.

Risk analysis

One card per dimension, sorted by severity. Only Verifiability and Autonomy carry automated signals in Phase 0. See methodology for scope.

Audit a dimension yourself · DEFI@home

Contribute an LLM-run assessment: any model, any dimension. Three agreeing runs merge automatically into the public record.

DEFI@home is a distributed audit network modeled on SETI@home: instead of CPU cycles, it crowdsources LLM reasoning. Paste a slice prompt into Claude, ChatGPT, Gemini, or any browsing-capable model, and submit the JSON output as a pull request. The quorum bot merges it once ≥3 independent runs (from different models) reach the same grade — no single model, and no single contributor, can move the needle alone.

  • Address discovery 99 addresses on file · 1 run
  • Verifiability Unverified
  • Control Unverified
  • Ability to exit Unverified
  • Autonomy Unverified
  • Open Access Unverified
  1. Verifiability tentative
    Open source + 6 audits

    Protocol publishes a GitHub repository and has at least one audit on record. This is a coarse Phase-0 signal only: auditor reputation, scope, and post-audit review coverage are not yet weighted.

4 dimensions not yet assessed (Control, Ability to exit, Autonomy, Open Access)
  1. Control unknown Unverified
    Not yet assessed

    Who holds admin privileges, how contracts can be upgraded, and how quickly. No automated heuristic grades this at Phase 0; a real assessment arrives when onchain discovery reads roles, owners, and timelocks.

    No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

  2. Ability to exit unknown Unverified
    Not yet assessed

    Whether users can exit on their own terms if the team disappears or acts adversarially. Requires per-protocol review; not available at Phase 0.

    No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

  3. Autonomy unknown Unverified
    No Phase-0 autonomy signal

    Neither the category heuristic nor the forkedFrom signal fires for this protocol. A real autonomy graph (oracles, bridges, fallbacks, governance-mutable dependencies) arrives with Phase-2 onchain discovery.

    No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.

  4. Open Access unknown Unverified
    Not yet assessed

    Whether the protocol depends on privileged operators, whitelists, geo-restrictions, or off-chain infrastructure. This is not a signal DeFiLlama carries in a usable form; crawler-based detection lands in a later phase.

    No model has graded this dimension yet. Run the slice prompt through any LLM and submit the JSON — once ≥3 independent runs agree, the quorum bot merges the verdict here.


Stage

Preview of the Phase-3 maturity framework. DeFiPunk'd will adopt DeFiScan v2's stages verbatim; the section is rendered below in its intended shape so the structure is visible today.

Compound V3 has not yet been assessed under the DeFiScan v2 stage framework.
The walkaway test is the central criterion. Once stages land, protocols reach Stage 1 only if users can exit in the presence of malicious operators even when the emergency council disappears.
Scope of assessment
Stages are assessed per-protocol against DeFiScan v2's criteria: governance structure, upgradeability path, timelock durations, emergency-council scope, and the walkaway test. The analysis depends on onchain discovery (roles, owners, timelocks) and deeper review of deployed contracts — neither of which DeFiPunk'd automates at Phase 0.
Stage 0 requirements pending
Governance is largely off-chain, contracts are upgradeable with short or no timelock, and the protocol depends on a multisig or team with full discretion. At Phase 0 DeFiPunk'd does not automatically evaluate these; the assessment lands with crawler-based onchain discovery.
Stage 1 requirements pending
Users can exit or opt out on their own terms even if the team disappears. Upgrades run through a meaningful timelock with an emergency security council clearly scoped. The walkaway test is the headline criterion.
Stage 2 requirements pending
Protocol is fully permissionless and immutable, or upgrades require a supermajority of token holders with a long timelock and no emergency override. This is the terminal stage of the DeFiScan v2 framework.
Stages are an opinionated assessment of maturity, not a rating of security or safety. A protocol can sit at Stage 2 and still carry substantial technical or economic risk; the framework exists to incentivize decentralization, not to rank protocols.

Contract surface

Every contract in scope for this protocol — pooled from DeFiLlama's TVL adapter (mechanical) and DEFI@home discovery submissions (LLM-curated). Verified-source flags come from Etherscan + Sourcify; owner / multisig metadata is read on-chain when available. Reviewer audit context, not a slice score. A lending protocol's adapter set will list third-party collateral tokens alongside its own contracts; attribution is the grader's job.

  • 98 addresses
  • 0 verified source
  • 0 proxies

TVL adapter pinned at 683d369. Sourcecode fetched 2026-05-06. Control fetched 2026-05-07.

Arbitrum · factory (CometFactory) · 0x7de3…4228 · discovery · factory
Arbitrum · governor · 0x4248…8068 · discovery · governance
Arbitrum · oracle (Rewards) · 0x8873…7fae · discovery · oracle
Arbitrum · other (Bulker) · 0xbde8…372d · discovery
Arbitrum · pool (cUSDCev3 proxy) · 0xa5ed…5dca · discovery
Arbitrum · pool (cUSDCv3 proxy) · 0x9c4e…58bf · discovery
Arbitrum · pool (cUSDTv3 proxy) · 0xd98b…7d07 · discovery
Arbitrum · pool (cWETHv3 proxy) · 0x6f7d…e486 · discovery
Arbitrum · proxy_admin (Comet admin) · 0xd10b…715e · discovery
Arbitrum · proxy_admin (Configurator) · 0xb21b…3775 · discovery
Arbitrum · timelock · 0x3fb4…f88a · discovery · timelock
Base · factory (CometFactory) · 0x3d0b…afe3 · discovery · factory
Base · governor · 0x1828…468a · discovery · governance
Base · oracle (Rewards) · 0x1239…a6b1 · discovery · oracle
Base · other (Bulker) · 0x78d0…2a8c · discovery
Base · pool (cAEROv3 proxy) · 0x784e…ce89 · discovery
Base · pool (cUSDbCv3 proxy) · 0x9c4e…58bf · discovery
Base · pool (cUSDCv3 proxy) · 0xb125…eb2f · discovery
Base · pool (cUSDSv3 proxy) · 0x2c77…a518 · discovery
Base · pool (cWETHv3 proxy) · 0x46e6…70bf · discovery
Base · proxy_admin (Comet admin) · 0xbde8…372d · discovery
Base · proxy_admin (Configurator) · 0x4593…e581 · discovery
Base · timelock · 0xcc3e…4a02 · discovery · timelock
Ethereum · factory (CometFactory) · 0x1fa4…c958 · discovery · factory
Ethereum · governor · 0x309a…c8c0 · discovery · governance
Ethereum · oracle (Rewards) · 0x1b0e…5a40 · discovery · oracle
Ethereum · other (Bulker) · 0xa397…00c7 · discovery
Ethereum · pool (cUSDCv3 proxy) · 0xc3d6…cdc3 · discovery
Ethereum · pool (cUSDSv3 proxy) · 0x5d40…7b56 · discovery
Ethereum · pool (cUSDTv3 proxy) · 0x3afd…0840 · discovery
Ethereum · pool (cWBTCv3 proxy) · 0xe85d…9293 · discovery
Ethereum · pool (cWETHv3 proxy) · 0xa175…ae94 · discovery
Ethereum · pool (cWstETHv3 proxy) · 0x3d0b…afe3 · discovery
Ethereum · proxy_admin (Comet admin) · 0x1ec6…8779 · discovery
Ethereum · proxy_admin (Configurator) · 0x316f…36e3 · discovery
Ethereum · timelock · 0x6d90…3925 · discovery · timelock
Linea · factory (CometFactory) · 0xaeb3…9a07 · discovery · factory
Linea · governor · 0x1f71…6856 · discovery · governance
Linea · oracle (Rewards) · 0x2c71…2921 · discovery · oracle
Linea · other (Bulker) · 0x023e…5f1b · discovery
Linea · pool (cUSDCv3 proxy) · 0x8d38…c991 · discovery
Linea · pool (cWETHv3 proxy) · 0x60f2…2194 · discovery
Linea · proxy_admin (Comet admin) · 0x4b5d…8118 · discovery
Linea · proxy_admin (Configurator) · 0x970f…5dc3 · discovery
Linea · timelock · 0x4a90…f6f3 · discovery · timelock
Mantle · factory (CometFactory) · 0x5a1d…3285 · discovery · factory
Mantle · governor · 0xc91e…b604 · discovery · governance
Mantle · oracle (Rewards) · 0xcd83…25ab · discovery · oracle
Mantle · other (Bulker) · 0x67df…9baa · discovery
Mantle · pool (cUSDev3 proxy) · 0x6061…786e · discovery
Mantle · proxy_admin (Comet admin) · 0xe268…a0c7 · discovery
Mantle · proxy_admin (Configurator) · 0xb77c…f7db · discovery
Mantle · timelock · 0x16c7…8107 · discovery · timelock
Optimism · factory (CometFactory) · 0xd187…f434 · discovery · factory
Optimism · governor · 0xc3a7…4daf · discovery · governance
Optimism · oracle (Rewards) · 0x443e…c2e9 · discovery · oracle
Optimism · other (Bulker) · 0xcb36…4ba3 · discovery
Optimism · pool (cUSDCv3 proxy) · 0x2e44…5bcb · discovery
Optimism · pool (cUSDTv3 proxy) · 0x995e…b214 · discovery
Optimism · pool (cWETHv3 proxy) · 0xe36a…b6fd · discovery
Optimism · proxy_admin (Comet admin) · 0x24d8…97af · discovery
Optimism · proxy_admin (Configurator) · 0x84e9…2713 · discovery
Optimism · timelock · 0xd98b…7d07 · discovery · timelock
Polygon · factory (CometFactory) · 0x2f9e…125b · discovery · factory
Polygon · governor · 0x1828…468a · discovery · governance
Polygon · oracle (Rewards) · 0x4593…e581 · discovery · oracle
Polygon · other (Bulker) · 0x59e2…7cd6 · discovery
Polygon · pool (cUSDCv3 proxy) · 0xf252…6445 · discovery
Polygon · pool (cUSDTv3 proxy) · 0xaeb3…9a07 · discovery
Polygon · proxy_admin (Comet admin) · 0xd712…75f9 · discovery
Polygon · proxy_admin (Configurator) · 0x83e0…e738 · discovery
Polygon · timelock · 0xcc3e…4a02 · discovery · timelock
Ronin · factory (CometFactory) · 0x4df9…e4c6 · discovery · factory
Ronin · governor · 0x2c7e…f3f9 · discovery · governance
Ronin · oracle (Rewards) · 0x31cd…1e59 · discovery · oracle
Ronin · other (Bulker) · 0x8402…ecc6 · discovery
Ronin · pool (cWETHv3 proxy) · 0x4006…6dfe · discovery
Ronin · pool (cWRONv3 proxy) · 0xc0af…c0c0 · discovery
Ronin · proxy_admin (Comet admin) · 0xfa64…c3f6 · discovery
Ronin · proxy_admin (Configurator) · 0x966c…15f2 · discovery
Ronin · timelock · 0xbbb0…ac2c · discovery · timelock
Scroll · factory (CometFactory) · 0x6f7d…e486 · discovery · factory
Scroll · governor · 0xc6bf…610d · discovery · governance
Scroll · oracle (Rewards) · 0x7016…c5ee · discovery · oracle
Scroll · other (Bulker) · 0x53c6…56fa · discovery
Scroll · pool (cUSDCv3 proxy) · 0xb2f9…ce44 · discovery
Scroll · proxy_admin (Comet admin) · 0x87a2…ac50 · discovery
Scroll · proxy_admin (Configurator) · 0xecab…32d7 · discovery
Scroll · timelock · 0xf601…73e4 · discovery · timelock
Unichain · factory (CometFactory) · 0xdb7e…676c · discovery · factory
Unichain · governor · 0x4b5d…8118 · discovery · governance
Unichain · oracle (Rewards) · 0x6f7d…e486 · discovery · oracle
Unichain · other (Bulker) · 0x58eb…b514 · discovery
Unichain · pool (cUSDCv3 proxy) · 0x2c71…2921 · discovery
Unichain · pool (cWETHv3 proxy) · 0x6c98…8e2a · discovery
Unichain · proxy_admin (Comet admin) · 0xaeb3…9a07 · discovery
Unichain · proxy_admin (Configurator) · 0x8df3…03e9 · discovery
Unichain · timelock · 0x2f4e…4ed0 · discovery · timelock

Protocol Info

Links

Source: DeFiLlama · Source: DEFI@home quorum
Governance forum
https://www.comp.xyz

Security

Source: DeFiLlama · Source: DEFI@home quorum
Audits
4 audits
Security contact
security@compound.finance

Technical

Source: DEFI@home quorum
Voting token
COMP Ethereum: 0xc00e94cb662c3520282e6f5717214004a7f26888
Deployed contracts
https://docs.compound.finance/
Upgradeability
Upgradeable

Provenance

Source: DeFiLlama
Review status
listed
Updated
2026-06-01 11:27 UTC

Hallmarks

  1. Jun '20: COMP distribution begins