This week Compound (COMP), the fifth largest Decentralized Finance (DeFi) protocol, mistakenly awarded users $90M. The bug causing this misallocation of funds was introduced in an otherwise minor system upgrade, with some DeFi developers saying it was a simple one-letter bug in the code. While the bug was found before the entirety of the company’s assets had been issued, the nature of the Compound protocol prevents the quick changes needed to stop the faulty distribution of millions. The founder, Robert Leshner, explained in a tweet: “There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production.”
The only reason the issuance of funds stopped at $90M was that the affected contract address had only 280,000 COMP tokens. While $90M is a substantial sum, the protocol has $10.33B in locked assets, so losing these funds won’t be the end of Compound. The COMP token crashed roughly 13% when the news broke, but it has largely recovered since then.
DeFi bugs like this, while uncommon, are not unheard of. Earlier this year, Alchemix had a similar incident resulting in $4.8M of mistaken issuance. The bigger problem for Compound may be Leshner’s response: on Twitter, he asked Compound users who received these accidental payouts to return the funds, stating “. . . otherwise, it’s being reported as income to the IRS, and most of you are doxxed.” To his credit, he apologized shortly thereafter.
In previous situations of this nature, large amounts of money have been returned with reasonable rewards given in exchange. Leshner suggested Compound users keep 10% of what they received and return the rest, but his threat of doxxing seems to have soured the public’s view of the situation.
UPDATE: This story is still ongoing, as Leshner said the value of tokens at risk has risen to $162M.