A bug in a recent update of decentralized finance platform Compound sent users nearly $90 million worth of cryptocurrency in error, leaving its creator’s CEO begging users to voluntarily send it back.
The glitch is a black eye for cryptocurrency platforms hoping to upend the traditional finance system. DeFi platforms don’t have banks or other middlemen administering funds, instead relying on “smart contracts” struck between users that are governed completely by computer code. Proponents say DeFi is more egalitarian in cutting out traditional firms, often using the mantra “Code is law” to emphasize that computer code, rather than fallible humans, governs the system.
But critics note that when the code has contained mistakes, it’s led to disasters for users.
“There are reasons to criticize the existing banking system, but there are a lot of safeguards in place to prevent these kinds of things from happening,” said Andrew Park, a senior policy analyst for Americans for Financial Reform, an investor advocacy group that’s been a critic of many crypto projects. “If I have my money in Compound, how much faith am I going to have in that system now?”
The Compound mistake is just the latest high-profile error. A closely watched crypto project blacked out for hours last month. In August, a hacker exploited a vulnerability in another DeFi project to take around $600-million worth of tokens which the hacker later returned.
This week’s fiasco occurred on Compound, one of several DeFi platforms that allow users to lend out cryptocurrencies and earn interest. Unlike similar platforms run by companies such as BlockFi Inc., Compound isn’t run by a central company but rather by a distributed network of users utilizing smart contracts. Compound also distributes a token, called COMP, that gives users a say in how the protocol works and whose price on Friday was about $319 per coin.
The trouble started Wednesday, when users approved an update to Compound’s platform that contained a bug. Compound Labs Chief Executive Officer Robert Leshner on Twitter said the bug caused too much COMP to go to some users. But since the platform is decentralized and requires a waiting period, neither his company nor anyone else had the ability to pause distribution of the tokens.
Leshner said the impact was limited to 280,000 COMP tokens, which on Friday were worth about $89.3 million.
After Compound users claimed the erroneous tokens, Leshner on Twitter threatened to reveal their identities to the Internal Revenue Service if they didn’t return most of them. He later apologized for the threat.
“Open source, decentralized protocols are early & hard. But every hiccup leads to a more anti-fragile system,” Leshner wrote.