A bug in a recent update of decentralized finance platform Compound sent users nearly $90-million-worth of cryptocurrency in error, leaving its creator's CEO begging users to voluntarily send it back.
The glitch is a black eye for cryptocurrency platforms hoping to upend the traditional finance system. DeFi platforms don't have banks or other middlemen administering funds, instead relying on “smart contracts” struck between users that are governed completely by computer code. Proponents say DeFi is more egalitarian in cutting out traditional firms, often using the mantra “Code is law” to emphasize that computer code, rather than fallible humans, governs the system.
But critics note that when the code has contained mistakes, it's led to disasters for users.
“There are reasons to criticize the existing banking system, but there are a lot of safeguards in place to prevent these kinds of things from happening,” said Andrew Park, a senior policy analyst for Americans for Financial Reform, an investor advocacy group that's been a critic of many crypto projects. “If I have my money in Compound, how much faith am I going to have in that system now?”
The Compound mistake is just the latest high-profile error. A closely watched crypto project blacked out for hours last month. In August, a hacker exploited a vulnerability in another DeFi project to take around $600-million worth of tokens which the hacker later returned.
This week's fiasco occurred on Compound, one of several DeFi platforms that allow users to lend out cryptocurrencies and earn interest. Unlike similar platforms run by companies such as BlockFi Inc., Compound isn't run by a central company but rather by a distributed network of users utilizing smart contracts. Compound also distributes a token, called COMP, that gives users a say in how the protocol works and whose price on Friday was about $319 per coin.
The trouble started Wednesday, when users approved an update to Compound's platform that contained a bug. Compound Labs Inc. Chief Executive Officer Robert Leshner on Twitter said the bug caused too much COMP to go to some users. But since the platform is decentralized and requires a waiting period, neither his company nor anyone else had the ability to pause distribution of the tokens.
A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol.— Robert Leshner (@rleshner) September 30, 2021
The new Comptroller contract contains a bug, causing some users to receive far too much COMP. https://t.co/Fy6nLgDqKy
Leshner said the impact was limited to 280,000 COMP tokens, which on Friday were worth about $89.3 million.
In an interview, Leshner said the mistake shows that Compound's protocol needs to have a lengthier review process and more community developers hunting for errors before changes are introduced.
“This is not an event that calls into question whether DeFi can be operated safely. It's a wake up call for decentralized, community-run protocols to improve the processes by which changes are introduced,” Leshner said.
After Compound users claimed the erroneous tokens, Leshner on Twitter threatened to reveal their identities to the Internal Revenue Service if they didn't return most of them. He later apologized for the threat.
“Open source, decentralized protocols are early & hard. But every hiccup leads to a more anti-fragile system,” Leshner wrote.
While this week's error apparently didn't endanger users' funds, it does show that DeFi probably needs to find a way to increase user protection before getting widespread adoption, said Kevin Werbach, director of the Blockchain and Digital Asset Project at the University of Pennsylvania's Wharton School.
“The vast majority of people in the world are not going to trust their money to something if they are told a bug will cause you immutably to lose everything,” Werbach said. “That's not satisfactory.”