DeFi bug accidentally gives $90 million to users, founder begs them to return it

About $90.1 million has mistakenly gone out to users of popular decentralized finance, or DeFi, staking protocol Compound, after an upgrade gone epically wrong.

Now, the founder is making a plea — and issuing a few threats — to incentivize the voluntary return of the platform’s crypto tokens.

“If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it,” Robert Leshner, founder of Compound Labs, tweeted late Thursday.

“Keep 10% as a white-hat. Otherwise, it’s being reported as income to the IRS, and most of you are doxxed,” continued the tweet.

The price of Compound’s native token, comp, initially plunged nearly 13% in a day on news of the bug, but it’s since gained back ground.

Whether reward recipients choose to return many millions of dollars to the platform remains to be seen, though if history is any indication, it is certainly possible.

“Alchemix [another DeFi protocol] had a similar incident a few months back where they gave out more rewards than intended,” blockchain security researcher Mudit Gupta told CNBC. “Almost everyone who got the extra rewards refunded the extra.”

What is different here is that the Alchemix exchange lost just $4.8 million.

But Gupta remains hopeful.

“This makes me optimistic that people will refund most of COMP tokens, as well, but you can never be sure,” he said.

What went wrong

DeFi protocols such as Compound are designed to recreate traditional financial systems such as banks and exchanges using blockchains enriched with self-executing smart contracts.

On Wednesday, Compound rolled out what should have been a pretty standard upgrade. But soon after implementation, it was clear that something had gone seriously wrong.

“The new Comptroller contract contains a bug, causing some users to receive far too much COMP,” explained Leshner in a tweet.

“There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production,” he added, indicating that no fix could take effect for a week.

Gupta, a core developer at decentralized crypto exchange SushiSwap, said in a tweet that the entire episode could be blamed on a “one-letter bug” in the code.

Compound made clear that no supplied or borrowed funds were at risk, but that did little to soften the blow.

Protocol users en masse began reporting massive windfalls. Soon after Leshner’s tweet about the bug, $29 million worth of comp tokens were claimed in one transaction. Another user claimed that they received 70 million comp tokens into their account, or about $20.8 million at the time of their post.

The list of comp token millionaires goes on.

For users accustomed to providing their crypto to borrowers at a set interest rate, which is typically a single-digit APY, the erroneous and sizable rewards were certainly a nice change of pace.

Leshner made clear, however, that there is a cap to the carnage. The Compound chief tweeted that the Comptroller contract address “contains a limited quantity of COMP.”

“The impact is bounded, at worst, 280,000 COMP tokens,” Leshner wrote.

Gupta told CNBC that this entire pool of tokens — worth about $90.1 million, as of the time of publication — has already been handed out.

Threats lack teeth

Newly minted comp token millionaires now have a few options.

Bitcoin developer Ben Carman points out that it isn’t really possible for the platform to reclaim the money.

“They shouldn’t be able to recall the money without rolling back the chain,” explained Carman. “They’d have to purposefully 51% attack the chain to get rid of some blocks.”

So, it is up to a user’s discretion to decide next steps.

Source: cnbc.com

Author: cnbc.com