A $90 million bug now tests the goodwill of users of a popular decentralised finance (DeFi) protocol, after a technical glitch resulted in an erroneous disbursement of 280,000 COMP tokens worth around $342 each as of publishing.
The bug, triggered by a recent update, affected users of the “Compound” DeFi protocol, which allows users to lend out cryptocurrencies and earn interest payments on deposits. The bug in particular affected the Compound Comptroller Contract, which distributes liquidity mining rewards earned over time.
Compund Finance founder Robert Leshner called this the “worst day in the history of the Compound protocol”, after he was forced to ask users to return approximately $90 million worth of tokens.
Leshner’s approach has been based on the goodwill of Compound users, with a hint of generosity (users can keep 10 per cent of their gains) as well as a dash of implicit threat (he said he would report the transactions to the United States’ Internal Revenue Service, which would see such amounts as income and could audit and tax users).
If you received a large, incorrect amount of COMP from the Compound protocol error:
— Robert Leshner (@rleshner) October 1, 2021
Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat.
Otherwise, it's being reported as income to the IRS, and most of you are doxxed.
Leshner swiftly apologised for the IRS “threat”. The Twitter user who pointed out the bug, @napgener, pointed out that Leshner had in the past criticised those who would take matters of decentralised finance to “meatspace” (a derogatory term for real-world affairs) courts.
Cancel this guy. send $COMP to 0 https://t.co/i0aFKxHDrR
— napgener 0xbullmarket.eth (@napgener) October 2, 2021
For Leshner, there appears little he can do. Since Compound is managed by a decentralised community, changes have to be approved by vote and can take time. He recently tweeting suggesting he would take up an idea by a Twitter user that he create a non-fungible token (a contract asserting ownership of a digital asset), distribute it between the first five users to return their accidentally-got COMP tokens, and allow the users to “summon” him if they combine their pieces.
Anyone who returns COMP to the community is an alien giga-chad; and if a squad of alien giga-chads ever summon me, I will appear https://t.co/EZLb7g91Ew
— Robert Leshner (@rleshner) October 1, 2021
Several users have already started returning their tokens, with Leshner thanking them on Twitter. But some have already made use of the bug. One user appears to have gotten away with $27 million worth.
$27m by this guy.
— napgener 0xbullmarket.eth (@napgener) September 30, 2021
112k $comp left. 250k total $comp will be exploited at the end of this.https://t.co/OIFaoDtZVY
