DeFi protocol Compound mistakenly gives away $90 million to users


Approximately $90.1 million was mistakenly distributed to users of the popular DeFi staking protocol Compound after an upgrade went epically wrong. Now the founder is pleading, and issuing some threats, to encourage the voluntary return of the platform's crypto tokens.

“If you received a large, incorrect amount of COMP from the Compound Protocol Error, please send it back,” tweeted Robert Leshner, founder of Compound Labs, late Thursday.

“Keep 10% as a white hat. Otherwise, it will be reported to the IRS as income and most of you will be doxxed,” the tweet continued.

The price of Compound’s native token, COMP, initially fell nearly 13% on news of the bug, but has since bounced back.

Whether the recipients of the reward will choose to return many millions of dollars to the platform remains to be seen, but if history is any clue, it is certainly possible.

“Alchemix [another decentralized finance, or DeFi, protocol] had a similar incident a few months ago where more rewards were given out than intended,” blockchain security researcher Mudit Gupta told CNBC. “Almost everyone who received the additional rewards reimbursed the additional ones.”

What’s different here is that the Alchemix exchange only lost $4.8 million.

But Gupta remains hopeful.

“That makes me optimistic that people will also refund most of the COMP tokens, but you can never be sure,” he said.

What went wrong

DeFi protocols like Compound were developed to emulate traditional financial systems like banks and stock exchanges using blockchains enriched with self-executing smart contracts.

On Wednesday, Compound released a pretty standard upgrade. But soon after implementation, it became clear that something had gone seriously wrong.

“The new Comptroller contract contains a bug that means that some users receive far too much COMP,” said Leshner in a tweet.

“There are no admin controls or community tools to disable COMP distribution; any changes to the protocol require a 7 day governance process to get into production,” he added, indicating that there would be no fix for seven days.

Gupta, a core developer at the decentralized crypto exchange SushiSwap, said in a tweet that the entire episode could be due to a “one-letter error” in the code.

Compound made it clear that no supplied or borrowed funds were at risk, but that did little to soften the blow.

Protocol users began reporting massive windfalls en masse. Shortly after Leshner’s tweet about the bug, a single transaction claimed COMP tokens worth $29 million. Another user claimed that he received 70 million COMP tokens in his account, or about $20.8 million at the time of his post.

The list of COMP token millionaires goes on.

For users who are used to making their cryptocurrency available to borrowers at a set interest rate, which is usually a single digit APY, the bogus and sizeable rewards were certainly a nice change of pace.

However, Leshner made it clear that the carnage is over. The Compound chief tweeted that the Comptroller contract address “contains a limited amount of COMP.”

“In the worst case, the impact is limited to 280,000 COMP tokens,” wrote Leshner. Gupta told CNBC that this entire pool of tokens, valued at about $90.1 million at the time of publication, has already been issued.

Threats lack teeth

Newly minted COMP token millionaires now have a few options.

Bitcoin developer Ben Carman points out that the platform is not really able to reclaim the money.

“You shouldn’t be able to call the money back without pulling the chain back,” Carman explained. “You would have to intentionally attack 51% of the chain to get rid of some blocks.”

So it is up to the user to decide what next steps to take.

Take, hypothetically, the account holder who was accidentally gifted $29 million in COMP tokens. That user could return the money and keep the $2.9 million white hat tip. But there’s nothing stopping them from holding onto their mistaken reward and risking being “doxxed”.

To doxx someone means to make public what is considered private information about a person, which in the cryptosphere amounts to a cardinal sin.

“Doxxing their clients is the worst thing a crypto company can do from a PR perspective,” Mati Greenspan, portfolio manager and founder of Quantum Economics, told CNBC.

And it seems unlikely that Leshner would take that route. He quickly walked back his Thursday night tweet, saying it was “a bony head-like tweet / approach”.

And then there is the threat of the mistaken reward being reported to the IRS.

“Section 61 of the IRS Code defines income very broadly. If you received a large sum from this mistake and chose to keep it, it would qualify as income,” explained Shehan Chandrasekera, CPA and director of tax strategy at a crypto tax software company.

Users who were mistakenly awarded additional tokens could voluntarily return the money. In this scenario, Chandrasekera says that “technically the recipient should pay income tax based on the market value of the coins at the time they were received, but if he or she returns the money there is no need to report the income.”

Chandrasekera also makes it clear that nobody has to return the money. When their reward is reported to the IRS, they are simply subject to income tax on that amount.

The recipient of the $29 million in COMP tokens will take home the most in a scenario where they only pay Uncle Sam instead of paying it back to Compound.

But as Greenspan points out, how things go with this bug is almost entirely irrelevant. “The bigger problem is – can it happen again?” he said.

Compound is the fifth largest DeFi protocol in the world, valued at $9.65 billion, according to DeFi Llama, which provides ranking and metrics for DeFi protocols.

“The protocol can easily absorb a loss of $90 million, and much of that is likely to be returned, but the bigger problem would be if people lose confidence in the system’s ability to function properly,” Greenspan said.