A bug in a recent update to the decentralized finance platform Compound caused around $90 million worth of cryptocurrency to be mistakenly sent to users, leading the CEO of the company that created it to beg users to voluntarily send it back.
The glitch is a black eye for cryptocurrency platforms hoping to improve on the traditional finance system. The DeFi platform does not have banks or other middlemen who manage the funds, instead relying solely on “smart contracts” between users controlled by computer code. Proponents say DeFi is more egalitarian in cutting out traditional firms, often using the “code is the law” mantra to emphasize that computer code, not fallible humans, controls the system.
But critics say that when there are mistakes in the code, it spells disaster for the users.
“There are reasons to criticize the current banking system, but there are a lot of safeguards in place to prevent things like this from happening,” said Andrew Park, a senior policy analyst at Americans for Financial Reform, an investor advocacy group, and a critic of many crypto projects. “If I have my money in Compound, how much confidence will I have in that system now?”
The Compound glitch is just the latest high-profile error. The closely watched crypto project blacked out for hours last month. In August, a hacker exploited a vulnerability in another DeFi project to take about $600 million worth of tokens, which the hacker later returned.
This week’s mess happened on Compound, one of several DeFi platforms that allow users to lend cryptocurrencies and earn interest. Unlike similar platforms run by companies such as BlockFi Inc., Compound is not run by a central company, but by a distributed network of users who use smart contracts. Compound also distributes a token called COMP, which gives users an overview of how the protocol works and which was priced at around $319 per coin on Friday.
The trouble began on Wednesday, after users approved an update to Compound’s platform that contained a bug. Compound Labs Inc. CEO Robert Leshner said on Twitter that the bug caused too much COMP to be distributed to some users. But since the platform is decentralized and requires a waiting period, neither his company nor anyone else has the ability to stop the distribution of the token.
A few hours ago, Proposition 62 went into effect, updating the Controller Agreement, which distributes COMP to users of the protocol.
There is a bug in the new controller contract that can cause some users to get too much COMP. https://t.co/Fy6nLgDqKy
— Robert Leshner (@rleshner) September 30, 2021
Leshner said the impact was limited to 280,000 COMP tokens, which were valued at around $89.3 million on Friday.
In an interview, Leshner said that the mistake suggests that Compound’s protocol requires a lengthy review process and more community developers catching errors before changes are introduced.
“This is not a phenomenon that calls into question whether DeFi can be operated securely. It is a wake-up call for decentralized, community-driven protocols to improve the processes by which changes are introduced,” Leshner said.
After Compound users claimed the erroneous coins, Leshner on Twitter threatened to reveal their identities to the Internal Revenue Service if they didn’t return most of them. He later apologized for the threat.
“Open source, decentralized protocols are early and difficult. But every hiccup leads to a more fragile adversarial system,” Leshner wrote.
While this week’s error didn’t explicitly put users’ funds at risk, it does show that DeFi needs to find a way to increase user security before widespread adoption, said Kevin Werbach, director of the Blockchain and Digital Asset Project at the University of Pennsylvania’s Wharton School.
“Most people in the world are not going to trust their money to anything, if they are told that with a bug you will lose everything,” Werbach said. “It’s not satisfactory.”