Pages

Compound Founder Says $80M Bug Presents ‘Moral Dilemma’ for DeFi Users




While Robert Leshner seemed to briefly threaten users with the IRS, the reality is that he – and the rest of the Compound Labs community – are now relying on the goodwill of users.

If a decentralized finance (DeFi) protocol accidentally gave you millions of dollars in tokens, are you obligated to give it back?

In an interview with CoinDesk following an $80 million exploit, Compound Labs founder Robert Leshner is arguing users should do just that.

On Wednesday night, a bug in money market Compound's code led to an erroneous disbursement of COMP tokens intended for long-term liquidity mining rewards.

The Compound Twitter handle acknowledged the bug shortly after, saying that no user funds were at risk. The bug only applied to Compound's Comptroller Contract, which is responsible for distributing liquidity mining rewards earned over time.

Nearly the entirety of the Comptroller Contract has now been drained, with 280,000 COMP distributed to users incorrectly, according to Leshner.

Despite the eye-popping sums lost to the bug, however, the community is now captivated by a debate as to what users should be obligated to do with their funds.

"This has been, without a doubt, the worst day in the history of the Compound protocol," Leshner told CoinDesk.

He went on:
"What makes it way worse is that I and most folks are completely powerless to do anything besides sit back and watch this moral dilemma play out."
IRS threats
In a Tweet on Thursday night, Leshner seemed to warn recipients of the erroneous tokens that there could be real-world consequences for keeping them – namely, that the U.S. Internal Revenue Service (IRS) might want to hear about it:


Some members of the DeFi community interpreted the comments to mean that Compound Labs was planning to report recipients to relevant tax authorities. Leshner apologized for the tweet shortly after.

Threats of "doxxing" have proven to be effective in dealing with exploits in the past – last month, a non-fungible token (NFT) team memorably threatened to call in the FBI and ordered soup to a hacker's address. The hacker relented, returning stolen funds.

However, in this instance even if an organization wished to pursue claimants, in practicality it may be an empty threat.

Compound Labs is a real-world entity that is working on the protocol, but there's no clear basis for it to pursue legal action – the structure of the decentralized autonomous organization (DAO) is such that it is now just another member of the community, according to a Compound Labs representative.

The representative also said the Compound interface is hosted on distributed file storage protocol InterPlanetary File System (IPFS) and there's no reportable information about users collected in any way.

However, due to the nature of the bug, many of the recipients of the tokens are not sophisticated hackers – they just happened to hit the jackpot.

Their operational security, or opsec, isn't hacker-grade. Some addresses that claimed large sums of the tokens have interacted with centralized exchanges where their real-world information is stored, and the claims could have an impact on their taxes.

Claiming the funds required no knowledge of the bug, and some users might not have been aware there was an exploit underway – they may have received millions while intending to harvest much smaller sums as rewards.

Leshner said the DeFi community has rallied around the protocol in an effort to find solutions. Yearn.Finance and MakerDAO representatives have been active in community channels in finding short- and long-term solutions.

However, Compound has an "extremely rigid" and slow governance process by design – architecture intended to make the protocol more resilient is now acting as a barrier to a fix. It will take another five days before the community can approve any updates to the contract code.

Technical solutions to the initial bug aside, however, the protocol now faces an even bigger problem: trying to convince users who received tokens to return them to the community.

"In my opinion, this is a bank error in a couple people's favor," said Leshner.