30 Sep 2021

Taking Coins from Bugged Compound Contract: Illegal, Unethical or Perfectly Fine?

As the crypto space develops, the questions it raises increasingly extend beyond the strictly technical to matters of legality and ethics. The latest episode revolves around millions in liquidity mining rewards in Compound Finance's COMP coin that were mistakenly paid out, and claimed.

“Question of the day,” said analytics firm DeFiPrime, “claiming [COMP] from [the] bugged smart contract is illegal or unethical?”

The replies range from both, to neither, to “economically rational.” Many more, it seems, would not have minded a chance to get some of this money. Others are waiting to see what the team themselves will decide to do about this, and whether they will ask users to return the funds. And some hold that people will exploit the bug and drain the contract as long as there’s anything to take.

More commenters argue that this can’t be seen as stealing, that those who took advantage of the exploit and sold the COMP they got should not be doxed or bullied, and that there is nothing wrong with what they’ve done, with some adding: “code is law.”

This comes after the team behind decentralized finance (DeFi) protocol Compound Finance passed and executed a proposal on Wednesday, but reported early today (UTC time) that “unusual activity has been reported regarding the distribution of COMP following the execution.” They noted that no borrowed/supplied funds are at risk.

However, a bug in a contract update has erroneously enabled some users to claim massive amounts of COMP. “Users don't have to worry about their funds; the only risk is that you (or another user) receives an unfairly large quantity of COMP,” said Robert Leshner, Founder of Compound Labs.

For example, one user claimed nearly USD 26.79m worth of COMP, and wasn’t the only one to get a substantial amount in rewards for borrowing and supplying smaller quantities of coins, such as ethereum (ETH), USD coin (USDC), DAI, and BAT.

Leshner added that “The impact is bounded; at worst, 280k COMP tokens.” At 8:32 UTC, this is equal to over USD 82m. COMP trades at USD 294 and is down by almost 12% in a day and 15% in a week.

This bug is “a tragic case of ">" instead of ">=" (in two code locations). Two characters, tens of millions of value lost,” Kurt Barry, Smart Contract Specialist at Fixed Point Solutions, said, adding that smart contracts are “unforgiving of the tiniest errors.”

Yet, for Leshner, this incident represents both the greatest opportunity and the greatest risk for a decentralized protocol: “that an open development process allows a bug to enter production.”

More questions have been raised over timelocks, fully permissionless systems, and the tradeoffs that come with them, with Kain Warwick, founder of Synthetix (SNX) and Aelin Protocol, arguing that “one of the planned features for the new synthetix governance module is the ability for token holders to override these time locks with sufficient votes.”