If a decentralized finance (DeFi) protocol accidentally gave you millions of dollars in tokens, are you obligated to give it back?
In an interview with CoinDesk following an $80 million exploit, Compound Labs founder Robert Leshner is arguing users should do just that.
On Wednesday night, a bug in money market Compound’s code led to an erroneous disbursement of COMP tokens intended for long-term liquidity mining rewards.
The Compound Twitter handle acknowledged the bug shortly after, saying that no user funds were at risk. The bug only applied to Compound’s Comptroller Contract, which is responsible for distributing liquidity mining rewards earned over time.
Nearly the entirety of the Comptroller Contract has now been drained, with 280,000 COMP distributed to users incorrectly, according to Leshner.
Despite the eye-popping sums lost to the bug, however, the community is now captivated by a debate as to what users should be obligated to do with their funds.
“This has been, without a doubt, the worst day in the history of the Compound protocol,” Leshner told CoinDesk.
He went on:
In a Tweet on Thursday night, Leshner seemed to warn recipients of the erroneous tokens that there could be real-world consequences for keeping them – namely, that the U.S. Internal Revenue Service (IRS) might want to hear about it:
Some members of the DeFi community interpreted the comments to mean that Compound Labs was planning to report recipients to relevant tax authorities. Leshner apologized for the tweet shortly after.
Threats of “doxxing” have proven to be effective in dealing with exploits in the past – last month, a non-fungible token (NFT) team memorably threatened to call in the FBI and ordered soup to a hacker’s address. The hacker relented, returning stolen funds.
However, in this instance even if an organization wished to pursue claimants, in practicality it may be an empty threat.
Compound Labs is a real-world entity that is working on the protocol, but there’s no clear basis for it to pursue legal action – the structure of the decentralized autonomous organization (DAO) is such that it is now just another member of the community, according to a Compound Labs representative.
The representative also said the Compound interface is hosted on distributed file storage protocol InterPlanetary File System (IPFS) and there’s no reportable information about users collected in any way.
However, due to the nature of the bug, many of the recipients of the tokens are not sophisticated hackers – they just happened to hit the jackpot.
Their operational security, or opsec, isn’t hacker-grade. Some addresses that claimed large sums of the tokens have interacted with centralized exchanges where their real-world information is stored, and the claims could have an impact on their taxes.
Claiming the funds required no knowledge of the bug, and some users might not have been aware there was an exploit underway – they may have received millions while intending to harvest much smaller sums as rewards.
However, Compound has an “extremely rigid” and slow governance process by design – architecture intended to make the protocol more resilient is now acting as a barrier to a fix. It will take another five days before the community can approve any updates to the contract code.
Technical solutions to the initial bug aside, however, the protocol now faces an even bigger problem: trying to convince users who received tokens to return them to the community.
“In my opinion, this is a bank error in a couple people’s favor,” said Leshner.
He went on:
The question now turns to whether a moral obligation, rather than a legal one, can incite users to return funds – a question that has prompted significant debate in the crypto community.
One popular take is that “code is law” – regardless of intention, the protocol disbursed the funds and now users can spend them as they please.
However, others are appealing to the notion of “public goods” – that taking ill-gotten money from an on-chain bank, where anyone in the world can take out a loan regardless of who they are, is a violation of DeFi’s highest ideals.
In an interview with CoinDesk, Leshner said the moral dilemma can be split roughly into two camps.
“There’s a lot of members of the community that view protocols like Compound as benefitting the entire ecosystem,” he said. “And there are some users that don’t necessarily care. The builder mindset is, ‘This adds value, this is crucially important,’ and the trader mindset is ‘Money is money,’ and that’s the only ethos of crypto.”
He went on:
So far, two users have returned a total of 37,493 COMP tokens worth over $12 million at the time of writing.
“There are ideas to further incentivize people to return the COMP that they received,” Leshner said, but even with some incentive program “it’s still going to be relying on people doing the right thing.”
Read more: ‘Free Money’ Bug Hits DeFi Platform Alchemix
Some potential incentives have already been proposed, including non-fungible tokens (NFT) redeemable for a meeting with Leshner, to which he enthusiastically agreed:
“I want to hear other people’s views on this, because it’s not my decision,” he said. “This is a decision every user has to make themselves, and I think most of them are taking the view of, ‘Haha, f**k you guys, it’s your problem.’”
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is an award-winning media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. In November 2023, CoinDesk was acquired by Bullish group, owner of Bullish, a regulated, institutional digital assets exchange. Bullish group is majority owned by Block.one; both groups have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary, and an editorial committee, chaired by a former editor-in-chief of The Wall Street Journal, is being formed to support journalistic integrity.