“Question of the day,” said analytics firm DeFiPrime, “claiming [COMP] from [the] bugged smart contract is illegal or unethical?”
The replies range from both, to neither, and to “economically rational.” Many more it seems would not have minded if they had a chance to get some of this money. Others are waiting to see what the team themselves will decide to do about this, and if they’ll be asking the users to return the funds. And there are opinions that people will exploit the bug and drain the contract as long as there’s anything to take.
More commenters argue that this can’t be seen as stealing, that those who took advantage of the exploit and sold the COMP they got should not be doxed or bullied, and that there is nothing wrong with that they’ve done, with some adding: “code is law.”
This comes after the team behind decentralized finance (DeFi) protocol Compound Finance passed and executed a proposal on Wednesday, but reported early today (UTC time) that “unusual activity has been reported regarding the distribution of COMP following the execution.” They noted that no borrowed/supplied funds are at risk.
However, a bug in a contract update has erroneously enabled some users to claim massive amounts of COMP. “Users don't have to worry about their funds; the only risk is that you (or another user) receives an unfairly large quantity of COMP,” said Robert Leshner, Founder of Compound Labs.
For example, one user claimed nearly USD 26.79m worth of COMP, and wasn’t the only one to get a substantial amount in rewards for borrowing and supplying smaller quantities of coins, such as ethereum (ETH), USD coin (USDC), DAI, and BAT.
About 240k COMP tokens (~$70m) have been given away already and another 40k (~$13m) will likely be given away soon. If you had supplied tokens before today, go try your luck.— Mudit Gupta (@Mudit__Gupta) September 30, 2021
It will be interesting to see if Compound requests users to return the extra tokens (like Alchemix did)
Leshner added that “The impact is bounded; at worst, 280k COMP tokens.” At 8:32 UTC, this is equal to over USD 82m. COMP trades at USD 294 and is down by almost 12% in a day and 15% in a week.
This bug is “a tragic case of ">" instead of ">=" (in two code locations). Two characters, tens of millions of value lost,” Kurt Barry, Smart Contract Specialist at Fixed Point Solutions, said, adding that smart contracts are “unforgiving of the tiniest errors.”
Yet, for Leshner, this incident is both the greatest opportunity and greatest risk for a decentralized protocol, “that an open development process allows a bug to enter production.”
There are no admin controls or community tools to disable the COMP distribution; any changes to the protocol require a 7-day governance process to make their way into production.— Robert Leshner (@rleshner) September 30, 2021
Labs, and members of the community, are evaluating potential steps to patch the COMP distribution.
More questions have been raised over timelocks and the tradeoff that comes with them and fully permissionless systems, with Kain Warwick, founder of Synthetix (SNX) and Aelin Protocol, arguing that “one of the planned features for the new synthetix governance module is the ability for token holders to override these time locks with sufficient votes.”