
Compound Founder Says $80M Bug Presents ‘Moral Dilemma’ for DeFi Users

While Robert Leshner seemed to briefly threaten users with the IRS, the reality is that he – and the rest of the Compound Labs community – are now relying on the goodwill of users.

Updated May 11, 2023, 6:17 p.m. Published Oct 1, 2021, 9:18 p.m.
Compound founder Robert Leshner shoots a shotgun. (Robert Leshner)

If a decentralized finance (DeFi) protocol accidentally gave you millions of dollars in tokens, are you obligated to give it back?

In an interview with CoinDesk following an $80 million exploit, Compound Labs founder Robert Leshner is arguing users should do just that.

On Wednesday night, a bug in money market Compound’s code led to an erroneous disbursement of COMP tokens intended for long-term liquidity mining rewards.

Read more: DeFi Money Market Compound Overpays Millions in COMP Rewards in Possible Exploit; Founder Says $80M at Risk

The Compound Twitter handle acknowledged the bug shortly after, saying that no user funds were at risk. The bug only applied to Compound’s Comptroller Contract, which is responsible for distributing liquidity mining rewards earned over time.

Nearly the entirety of the Comptroller Contract has now been drained, with 280,000 COMP distributed to users incorrectly, according to Leshner.

Despite the eye-popping sums lost to the bug, however, the community is now captivated by a debate as to what users should be obligated to do with their funds.

“This has been, without a doubt, the worst day in the history of the Compound protocol,” Leshner told CoinDesk.

He went on:

“What makes it way worse is that I and most folks are completely powerless to do anything besides sit back and watch this moral dilemma play out.”

IRS threats

In a Tweet on Thursday night, Leshner seemed to warn recipients of the erroneous tokens that there could be real-world consequences for keeping them – namely, that the U.S. Internal Revenue Service (IRS) might want to hear about it:

Some members of the DeFi community interpreted the comments to mean that Compound Labs was planning to report recipients to relevant tax authorities. Leshner apologized for the tweet shortly after.

Threats of “doxxing” have proven to be effective in dealing with exploits in the past – last month, a non-fungible token (NFT) team memorably threatened to call in the FBI and ordered soup to a hacker’s address. The hacker relented, returning stolen funds.

However, in this instance, even if an organization wished to pursue claimants, in practice it may be an empty threat.

Compound Labs is a real-world entity that is working on the protocol, but there’s no clear basis for it to pursue legal action – the structure of the decentralized autonomous organization (DAO) is such that it is now just another member of the community, according to a Compound Labs representative.

The representative also said the Compound interface is hosted on distributed file storage protocol InterPlanetary File System (IPFS) and there’s no reportable information about users collected in any way.

However, due to the nature of the bug, many of the recipients of the tokens are not sophisticated hackers – they just happened to hit the jackpot.

Their operational security, or opsec, isn’t hacker-grade. Some addresses that claimed large sums of the tokens have interacted with centralized exchanges where their real-world information is stored, and the claims could have an impact on their taxes.

Claiming the funds required no knowledge of the bug, and some users might not have been aware there was an exploit underway – they may have received millions while intending to harvest much smaller sums as rewards.

Leshner said the DeFi community has rallied around the protocol in an effort to find solutions. Yearn.Finance and MakerDAO representatives have been active in community channels in finding short- and long-term solutions.

However, Compound has an “extremely rigid” and slow governance process by design – architecture intended to make the protocol more resilient is now acting as a barrier to a fix. It will take another five days before the community can approve any updates to the contract code.

Technical solutions to the initial bug aside, however, the protocol now faces an even bigger problem: trying to convince users who received tokens to return them to the community.

“In my opinion, this is a bank error in a couple people’s favor,” said Leshner.

He went on:

“I think it’s harder because there was nothing deliberately criminal. If there was a hacker who deliberately exploited the code, people would celebrate going after them with every means possible. These users weren’t initially malicious.”

Moral dilemma

The question now turns to whether a moral obligation, rather than a legal one, can incite users to return funds – a question that has prompted significant debate in the crypto community.

One popular take is that “code is law” – regardless of intention, the protocol disbursed the funds and now users can spend them as they please.

However, others are appealing to the notion of “public goods” – that taking ill-gotten money from an on-chain bank, where anyone in the world can take out a loan regardless of who they are, is a violation of DeFi’s highest ideals.

In an interview with CoinDesk, Leshner said the moral dilemma can be split roughly into two camps.

“There’s a lot of members of the community that view protocols like Compound as benefitting the entire ecosystem,” he said. “And there are some users that don’t necessarily care. The builder mindset is, ‘This adds value, this is crucially important,’ and the trader mindset is ‘Money is money,’ and that’s the only ethos of crypto.”

He went on:

“I’m personally hopeful users will return funds to the community. It’s not my property, it’s not their property, it’s the community’s property.”

So far, two users have returned a total of 37,493 COMP tokens worth over $12 million at the time of writing.

“There are ideas to further incentivize people to return the COMP that they received,” Leshner said, but even with some incentive program “it’s still going to be relying on people doing the right thing.”

Read more: ‘Free Money’ Bug Hits DeFi Platform Alchemix

Some potential incentives have already been proposed, including non-fungible tokens (NFT) redeemable for a meeting with Leshner, to which he enthusiastically agreed:

“I want to hear other people’s views on this, because it’s not my decision,” he said. “This is a decision every user has to make themselves, and I think most of them are taking the view of, ‘Haha, f**k you guys, it’s your problem.’”
