Decentralised finance platform Compound made a costly mistake after a bug in a recent update sent cryptocurrency worth almost $90 million to users, leaving its creator’s CEO begging users to voluntarily send it back.
The glitch is a black eye for cryptocurrency platforms hoping to upend the traditional finance system. Decentralised finance (DeFi) platforms don’t have banks or other middlemen administering funds. They instead rely on “smart contracts” struck between users that are governed completely by computer code.
Supporters say DeFi is more egalitarian in cutting out traditional firms, often using the adage “Code is law” to emphasise that computer code, rather than fallible humans, governs the system. But critics note that erroneous code has led to disasters for users.
“There are reasons to criticise the existing banking system, but there are a lot of safeguards in place to prevent these kinds of things from happening,” Andrew Park, a senior policy analyst for Americans for Financial Reform, an investor advocacy group that’s been a critic of many crypto projects, told Bloomberg. “If I have my money in Compound, how much faith am I going to have in that system now?”
The Compound case is the latest high-profile error in the DeFi world. A closely watched crypto project blacked out for hours last month. In August, a hacker exploited a vulnerability in another DeFi project to take around $600-million worth of tokens, which was recognised as the biggest theft in the cryptocurrency world. The hacker later returned the stolen amount.
This week’s fiasco occurred on Compound, one of several DeFi platforms that allow users to lend out cryptocurrencies and earn interest. Unlike similar platforms run by companies such as BlockFi Inc., Compound isn’t run by a central company but rather by a distributed network of users utilizing smart contracts. Compound also distributes a token, called COMP, that gives users a say in how the protocol works and whose price on Friday was about $319 per coin.
The trouble started Wednesday, when users approved an update to Compound’s platform that contained a bug. Compound Labs Inc. Chief Executive Officer Robert Leshner on Twitter said the bug caused too much COMP to go to some users. But since the platform is decentralized and requires a waiting period, neither his company nor anyone else had the ability to pause distribution of the tokens.
Leshner said the impact was limited to 280,000 COMP tokens, which on Friday were worth about $89.3 million.
In an interview, Leshner said the mistake shows that Compound’s protocol needs to have a lengthier review process and more community developers hunting for errors before changes are introduced.
“This is not an event that calls into question whether DeFi can be operated safely. It’s a wake up call for decentralized, community-run protocols to improve the processes by which changes are introduced,” Leshner said.
After Compound users claimed the erroneous tokens, Leshner on Twitter threatened to reveal their identities to the Internal Revenue Service if they didn’t return most of them. He later apologized for the threat.
“Open source, decentralized protocols are early & hard. But every hiccup leads to a more anti-fragile system,” Leshner wrote.
While this week’s error apparently didn’t endanger users’ funds, it does show that DeFi probably needs to find a way to increase user protection before getting widespread adoption, said Kevin Werbach, director of the Blockchain and Digital Asset Project at the University of Pennsylvania’s Wharton School.
“The vast majority of people in the world are not going to trust their money to something if they are told a bug will cause you immutably to lose everything,” Werbach said. “That’s not satisfactory.”
(With agency inputs)