DeFi bug accidentally gives $90 million to users, founder begs them to return it

  • About $90 million has mistakenly gone out to users of popular DeFi staking protocol Compound and the founder is begging users to voluntary return the tokens.
  • "Keep 10% as a white-hat. Otherwise, it's being reported as income to the IRS, and most of you are doxxed," Robert Leshner, founder of Compound Labs, tweeted late Thursday.

About $90.1 million has mistakenly gone out to users of popular DeFi staking protocol Compound after an upgrade gone epically wrong. Now, the founder is making a plea — and issuing a few threats — to incentivize the voluntary return of the platform's crypto tokens.

"If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it," Robert Leshner, founder of Compound Labs, tweeted late Thursday.

"Keep 10% as a white-hat. Otherwise, it's being reported as income to the IRS, and most of you are doxxed," continued the tweet.

The price of Compound's native token, COMP, initially plunged nearly 13% in a day on news of the bug, but it's since gained back ground.

Whether reward recipients choose to return many millions of dollars to the platform remains to be seen, though if history is any indication, it is certainly possible.

"Alchemix [another decentralized finance, or DeFi, protocol] had a similar incident a few months back where they gave out more rewards than intended," blockchain security researcher Mudit Gupta told CNBC. "Almost everyone who got the extra rewards refunded the extra."

What is different here is that the Alchemix exchange lost just $4.8 million.

But Gupta remains hopeful.

"This makes me optimistic that people will refund most of COMP tokens, as well, but you can never be sure," he said.

What went wrong

DeFi protocols like Compound are designed to recreate traditional financial systems such as banks and exchanges using blockchains enriched with self-executing smart contracts.

On Wednesday, Compound rolled out what should have been a pretty standard upgrade. But soon after implementation, it was clear that something had gone seriously wrong.

"The new Comptroller contract contains a bug, causing some users to receive far too much COMP," explained Leshner in a tweet.

"There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production," he added, indicating that no fix could take effect for seven days.

Gupta, a core developer at decentralized crypto exchange SushiSwap, said in a tweet that the entire episode could be blamed on a "one-letter bug" in the code.

Compound made clear that no supplied or borrowed funds were at risk, but that did little to soften the blow.

Protocol users en masse began reporting massive windfalls. Soon after Leshner's tweet about the bug, $29 million worth of COMP tokens were claimed in one transaction. Another claimed that they received 70 million COMP tokens into their account, or about $20.8 million at the time of their post.

The list of COMP token millionaires goes on.

For users accustomed to providing their crypto to borrowers at a set interest rate, which is typically a single-digit APY, the erroneous and sizable rewards were certainly a nice change in pace.

Leshner made clear, however, that there is a cap to the carnage. The Compound chief tweeted that the Comptroller contract address "contains a limited quantity of COMP."

"The impact is bounded, at worst, 280,000 COMP tokens," Leshner wrote. Gupta told CNBC that this entire pool of tokens — worth about $90.1 million, as of the time of publication — has already been handed out.

Threats lack teeth

Newly-minted COMP token millionaires now have a few options.

Bitcoin developer Ben Carman points out that it isn't really possible for the platform to reclaim the money.

"They shouldn't be able to recall the money without rolling back the chain," explained Carman. "They'd have to purposefully 51% attack the chain to get rid of some blocks."

So, it is up to a user's discretion to decide next steps.

As a hypothetical, let's take the account holder who was accidentally gifted $29 million in COMP tokens in error. This user could return the funds and hold onto the $2.9 million "white-hat" tip. But there is also nothing to keep them from holding their mistaken reward and risk being "doxxed."

Doxxing someone means making public what is considered private information about an individual, which in the cryptosphere, is tantamount to committing a cardinal sin.

"Doxxing their customers is about the worst thing a crypto company can do from a PR perspective," Mati Greenspan, portfolio manager and Quantum Economics founder, told CNBC.

And it seems unlikely Leshner would pursue that route. He was quick to walk back his Thursday evening tweet, saying that, it "was a bone-headed tweet/approach."

And then there's the threat related to the mistaken reward being reported to the IRS.

"Section 61 of the IRS code defines income very broadly. If you received a large sum from this error and decide to keep it, that would be considered income," explained Shehan Chandrasekera, a CPA and head of tax strategy at crypto tax software company CoinTracker.io.

Users who were mistakenly awarded extra tokens could voluntarily return the funds. In that scenario, Chandrasekera says that "technically the recipient is supposed to pay income tax based on the market value of the coins at the time of receipt, but if he or she returns the funds, there's no reason to report the income."

But Chandrasekera also makes clear that no one has to return the funds. If their reward is reported to the IRS, they would simply be subject to income taxes on that amount.

So that $29 million COMP token winner stands to take the most home in a scenario where they just pay up to Uncle Sam, rather than pay it back to Compound.

But as Greenspan points out, how things play out with this bug is almost entirely beside the point. "The bigger issue is – can it happen again?" he said.

Compound is the world's fifth-largest DeFi protocol with a total value locked of $9.65 billion, according to DeFi Llama, which provides ranking and metrics for DeFi protocols.

"The protocol can easily absorb a loss of $90 million and a lot of it will likely be returned, but the larger issue would be if people lose confidence in the system's ability to function properly," said Greenspan.

Source: Read Full Article