DeFi bug accidentally gives $162 million to users; founder is now begging and threatening users to return the tokens
What started last Friday as one of the largest Decentralized Finance (DeFi) bugs in history is now turning out to be bigger than anyone had originally anticipated. Last Friday, Compound Labs, a popular decentralized-finance staking protocol, reported that about $90 million in tokens had mistakenly gone out to its users.
But as it turns out, millions more than we thought are at risk. About $162 million is up for grabs after an upgrade gone very wrong. On Sunday morning, Compound Labs founder Robert Leshner revealed that the pool of cash that had already been emptied once had been replenished, exposing another 202,472.5 COMP tokens to exploit, or roughly $66.9 million at its current price.
Leshner begged the users to voluntarily return the tokens. In a tweet, he made another plea, with a few threats, to incentivize the voluntary return of the platform’s crypto tokens.
“If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat. Otherwise, it’s being reported as income to the IRS, and most of you are doxxed.”
— Robert Leshner (@rleshner) October 1, 2021
Some experts, including a core developer at DeFi platform Yearn, are calling this the biggest-ever fund loss in a smart contract incident, but investors, for their part, don’t seem to care all that much.
Over the weekend, Banteg, a core developer at Yearn.Finance, tweeted about the exploit, saying that “the best-kept secret in DeFi is out, someone called drip() on Compound’s Reservoir, which sent another $68.8m of COMP to Comptroller.”
The best-kept secret in DeFi is out, someone called drip() on Compound's Reservoir, which sent another $68.8m of COMP to Comptroller.
I've run the numbers and it seems about 1/4 of that could be drained. https://t.co/I4mGeNX6uT
— banteg (@bantg) October 3, 2021
Since then, four main transactions have drained the Comptroller pool of 64,997 COMP, or $21.4 million. One of these transactions withdrew 37,504 COMP, or $12.3 million. Banteg stated that only “addresses with the buggy state can drain” and that there are another five addresses that could claim $45m, “emptying the Comptroller.”
Even though DeFi is a promising technology with the potential to disrupt the current banking and financial systems, it is prone to hacking. Last August, hackers stole $600 million in the biggest DeFi hack after PolyNetwork was exploited on Binance Smart Chain, Polygon, and Ethereum.
Below is what Mudit Gupta, a core developer at decentralized crypto exchange SushiSwap, said:
“The crypto market shrugged off the largest-ever fund loss as if it was nothing. The future for DeFi is bright but we’re in uncharted territory, and there’s a lot to be learned still.”