DeFi Bug Gives Away $90 Million; Founder Urges Users to Return It


Following a disastrous upgrade, users of the popular decentralized finance (DeFi) staking protocol Compound have received approximately $90.1 million. Now the founder is pleading, and threatening, for the return of the platform’s crypto tokens.

Robert Leshner, founder of Compound Labs, tweeted late Thursday asking anyone who received a large quantity of COMP through the Compound protocol error to return it.

“Keep 10% as white hat. Otherwise, the IRS reports it as income, and most of you get doxxed,” the tweet said.

The problem caused a nearly 13% drop in the price of Compound’s native token, COMP, though it has since recovered.

It remains to be seen if reward winners choose to return millions of dollars to the platform, but it is certainly feasible.

“Alchemix [another DeFi technology] had a similar occurrence a few months back,” said blockchain security researcher Mudit Gupta. “Most people who obtained extra prizes refunded them.”

The Alchemix exchange, however, lost only $4.8 million.

But Gupta holds out hope.

In theory, he expects most COMP tokens will be refunded, but nothing is certain.

Where did it go wrong?

DeFi protocols like Compound, built on blockchains with self-executing smart contracts, are designed to replicate existing financial structures like banks and exchanges.

Compound released a routine upgrade on Wednesday. It soon became evident that something had gone severely wrong.

The cause is a bug in the new Comptroller contract that makes some users receive far too much COMP.

He noted that “there are no admin or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process before going into production.”

SushiSwap core developer Amit Gupta blamed the entire incident on a “one-letter bug” in the code.

Compound made it plain that neither supplied nor borrowed funds were in jeopardy, but that didn’t help much.

Protocol users began reporting huge gains. Soon after Leshner reported the problem, a single transaction claimed $29 million in COMP tokens. Another claimed to have received 70 million COMP tokens, or roughly $20.8 million at the time of posting.

The list of COMP token millionaires goes on.

It is a welcome change of pace for users accustomed to lending their crypto to borrowers at a fixed interest rate, often in the single-digit APY range.

Leshner made it clear that the damage was limited. The Comptroller contract address “contains a limited quantity of COMP,” the Compound head tweeted.

Leshner wrote that the damage is 280,000 COMP tokens at worst.

As of this writing, Gupta told CNBC that the whole pool of tokens worth $90.1 million had been distributed.

Threats are toothless

Now the COMP token millionaires have options.

According to Bitcoin engineer Ben Carman, the platform cannot recover the funds.

“They shouldn’t be able to recall the money,” Carman added. Getting rid of blocks would require a 51 percent attack on the chain.

So what happens next is left to each user’s decision.

As an example, consider the account holder who received $29 million in COMP tokens by mistake. This user could return the funds and keep the $2.9 million “white-hat” tip. But nothing prevents them from keeping their mistaken award and risking being “doxxed.”

Doxxing someone involves making public what is considered private information about someone, which is a criminal sin.

From a PR standpoint, doxxing clients is about the worst thing a crypto firm can do, says Quantum Economics founder and portfolio manager Mati Greenspan.

And Leshner is unlikely to choose that course. He quickly retracted his Thursday night tweet, calling it “a bone-headed tweet/approach.”

Then there’s the threat of reporting the mistaken award to the IRS.

“IRS Section 61 defines income broadly. If you keep a substantial sum from this miscalculation, it is deemed income,” said Shehan Chandrasekera, CPA and tax strategy lead at crypto tax software business

Might They Return the Tokens?

Users who received excess tokens by mistake might return them. Technically, Chandrasekera explains, the recipient should pay income tax on the coins’ market value when received, but if they are returned, there is no need to disclose it.

However, Chandrasekera makes it clear that no one is obliged to return the funds. If they declare their award to the IRS, they will only be taxed on the amount.

So the $29 million COMP token winner stands to make the most if they pay Uncle Sam instead of Compound.

But, as Greenspan points out, the outcome of this bug is largely irrelevant. “Can it happen again?” he said.

According to DeFi Llama, which ranks and measures DeFi protocols, Compound has a total value locked of $9.65 billion.

According to Greenspan, “the protocol can easily withstand a $90 million loss and much of it will certainly be returned,” but “the bigger concern would be if individuals lose confidence in the system.”
