This article is more than 1 year old
One-character bug gives away $90m in COMP tokens – recipients can keep 10% or consider themselves doxxed
Hand back the money or I'm letting the IRS know, says DeFi biz boss
Robert Leshner, founder of decentralized finance biz Compound Labs, has asked for the return of roughly $90m worth of COMP tokens after a smart contract bug distributed more of the cryptocurrency than it should have.
COMP tokens get distributed on a daily basis to users of the Compound protocol. They grant holders a say in the communal governance of the protocol, which is used for financial transactions like borrowing and lending with cryptocurrencies.
Decentralized finance relies on smart contracts that don't necessarily live up to their name to handle transactions. That is to say, the code controlling these smart contracts often contains dumb mistakes.
"A few hours ago, Proposal 62 went into effect, updating the Comptroller contract, which distributes COMP to users of the protocol," said Leshner on Wednesday, via Twitter. "The new Comptroller contract contains a bug, causing some users to receive far too much COMP."
According to Leshner, at most 280,000 tokens were wrongly distributed. At the current COMP token value of about $322, that's more than 90m US dollars.
On Thursday, Leshner pleaded for the tokens to be returned, offering to let Good Samaritans keep 10 per cent, and hinting at consequences for those who fail to comply.
He wrote:
If you received a large, incorrect amount of COMP from the Compound protocol error:
Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat.
Otherwise, it's being reported as income to the IRS, and most of you are doxxed.
Those discussing the incident on Compound's Discord chat space note that recipients of the errant funds need to use the claimComp
function manually to get the COMP tokens – the tokens won't just show up in one's account automatically. Some individuals have already done so – here's a transaction claiming about $29m.
Discord chat participants also appear to be none too pleased with the doxxing threat. "Total clown show up in here," one individual complained. "Protocol error and innocent people threatened w dox."
- Single-line software bug causes fledgling YAM cryptocurrency to implode just two days after launch
- TITAN crypto-token does the opposite of zero to $60: Value plummets in hours
- Digi-dosh exchange Coinbase: Someone tried to pwn our staff via this week's Firefox zero-day security hole
- Google sparks online outcry after its currency converter goes haywire for third time this year
Despite Leshner's commitment to report windfall recipients to US tax authorities – as his company is presumably obligated to do under US tax law – some participants in the Compound community have already returned their accidental COMP riches. Others have suggested keeping the money and paying whatever tax is due on the COMP windfall would still be rather lucrative.
Meanwhile, Compound Proposition 63 is being reviewed and is scheduled to be voted on in a few days. It "disables the ability to claim COMP, until the correct distribution logic is restored." That still leaves time for recipients of misdirected funds to cash in.
The bug, according to blockchain security researcher Mudit Gupta, consists of a single character: the Compound code update used a >
operator where it should have used >=
.
Compound Incident Analysis:
— Mudit Gupta (@Mudit__Gupta) September 30, 2021
Compound upgraded their comptroller contract to https://t.co/mgLGKCywxf which had a one letter bug on L1217.
This led to a reverse rug pull in which Comptroller is giving away more rewards to (past) Suppliers than expected. 🧵👇 pic.twitter.com/BskHIibsUJ
"The bug happens when someone supplies tokens for a market with zero comp rewards like cSUSHI, and cTUSD before the market is initialized or migrated," said Gupta via Twitter. "supplyIndex
for such tokens remains equal to compInitialIndex
which means that the if
block on [Line 1217] is not triggered."
By using the >
operator rather than the >=
operator, the if
code block is not called and the supplierIndex
variable stays at 0 while supplyIndex
is 1e36. The delta, or difference between the two values, becomes 1e36 and the Compound protocol then pays out a reward for 1e36 indexes instead of zero.
In the Compound forum, developers discussing the incident believe it would be a good idea to commit to rigorous testing and auditing prior to major code changes. ®