DeFi platform mistakenly sends $89 million, CEO begs its return

A bug in a recent update of the decentralized finance platform Compound sent users nearly $90 million worth of cryptocurrency in error, leaving its creator’s CEO begging users to voluntarily send it back.

The glitch is a black eye for cryptocurrency platforms hoping to upend the traditional finance system. DeFi platforms don’t have banks or other middlemen administering funds, instead relying on “smart contracts” struck between users that are governed completely by computer code. Proponents say DeFi is more egalitarian in cutting out traditional firms, often using the mantra “Code is law” to emphasize that computer code, rather than fallible humans, governs the system.

But critics note that when the code has contained mistakes, it’s led to disasters for users.


“There are reasons to criticize the existing banking system, but there are a lot of safeguards in place to prevent these kinds of things from happening,” said Andrew Park, a senior policy analyst for Americans for Financial Reform, an investor advocacy group that’s been a critic of many crypto projects. “If I have my money in Compound, how much faith am I going to have in that system now?”

The Compound mistake is just the latest high-profile error. A closely watched crypto project blacked out for hours last month. In August, a hacker exploited a vulnerability in another DeFi project to take around $600 million worth of tokens, which the hacker later returned.

This week’s fiasco occurred on Compound, one of several DeFi platforms that allow users to lend out cryptocurrencies and earn interest. Unlike similar platforms run by companies such as BlockFi, Compound isn’t run by a central company but rather by a distributed network of users utilizing smart contracts. Compound also distributes a token, called COMP, that gives users a say in how the protocol works and whose price on Friday was about $319 per coin.

The trouble started Wednesday, when users approved an update to Compound’s platform that contained a bug. Compound Labs Chief Executive Robert Leshner on Twitter said the bug caused too much COMP to go to some users. But since the platform is decentralized and requires a waiting period, neither his company nor anyone else had the ability to pause distribution of the tokens.

A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol.

The new Comptroller contract contains a bug, causing some users to receive far too much COMP. https://t.co/Fy6nLgDqKy — Robert Leshner (@rleshner) September 30, 2021

Leshner said the impact was limited to 280,000 COMP tokens, which on Friday were worth about $89.3 million.

After Compound users claimed the erroneous tokens, Leshner on Twitter threatened to reveal their identities to the Internal Revenue Service if they didn’t return most of them. He later apologized for the threat.

“Open source, decentralized protocols are early & hard. But every hiccup leads to a more anti-fragile system,” Leshner wrote.

Bloomberg News