If a decentralized finance (DeFi) protocol accidentally gave you millions of dollars in tokens, are you obligated to give it back?
In an interview with CoinDesk following an $80 million exploit, Compound Labs founder Robert Leshner is arguing users should do just that.
On Wednesday night, a bug in money market Compound’s code led to an erroneous disbursement of COMP tokens intended for long-term liquidity mining rewards.
The Compound Twitter handle acknowledged the bug shortly after, saying that no user funds were at risk. The bug only applied to Compound’s Comptroller Contract, which is responsible for distributing liquidity mining rewards earned over time.
Nearly the entirety of the Comptroller Contract has now been drained, with 280,000 COMP distributed to users incorrectly, according to Leshner.
Despite the eye-popping sums lost to the bug, however, the community is now captivated by a debate as to what users should be obligated to do with their funds.
“This has been, without a doubt, the worst day in the history of the Compound protocol,” Leshner told CoinDesk.
He went on:
“What makes it way worse is that I and most folks are completely powerless to do anything besides sit back and watch this moral dilemma play out.”
In a Tweet on Thursday night, Leshner seemed to warn recipients of the erroneous tokens that there could be real-world consequences for keeping them – namely, that the U.S. Internal Revenue Service (IRS) might want to hear about it:
If you received a large, incorrect amount of COMP from the Compound protocol error:
Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat.
Otherwise, it's being reported as income to the IRS, and most of you are doxxed.
— Robert Leshner (@rleshner) October 1, 2021
Some members of the DeFi community interpreted the comments to mean that Compound Labs was planning to report recipients to relevant tax authorities. Leshner apologized for the tweet shortly after.
Threats of “doxxing” have proven to be effective in dealing with exploits in the past – last month, a non-fungible token (NFT) team memorably threatened to call in the FBI and ordered soup to a hacker’s address. The hacker relented, returning stolen funds.
However, in this instance even if an organization wished to pursue claimants, in practicality it may be an empty threat.
Compound Labs is a real-world entity that is working on the protocol, but there’s no clear basis for it to pursue legal action – the structure of the decentralized autonomous organization (DAO) is such that it is now just another member of the community, according to a Compound Labs representative.
The representative also said the Compound interface is hosted on distributed file storage protocol InterPlanetary File System (IPFS) and there’s no reportable information about users collected in any way.
However, due to the nature of the bug, many of the recipients of the tokens are not sophisticated hackers – they just happened to hit the jackpot.
what if someone was really that ignorant and disconnected and did not know that their COMP jackpot was due to a bug
are users obliged to know the "intent" of the devs behind every function?
mind you, intent is the difference between murder and manslaughter
— 찌 G 跻 じ ( 𝙃𝙚𝙣𝙩𝙖𝙞, 𝙎𝙚𝙣𝙥𝙖𝙞 ) (@DegenSpartan) October 1, 2021
Their operational security, or opsec, isn’t hacker-grade. Some addresses that claimed large sums of the tokens have interacted with centralized exchanges where their real-world information is stored, and the claims could have an impact on their taxes.
Claiming the funds required no knowledge of the bug, and some users might not have been aware there was an exploit underway – they may have received millions while intending to harvest much smaller sums as rewards.
Leshner said the DeFi community has rallied around the protocol in an effort to find solutions. Yearn.Finance and MakerDAO representatives have been active in community channels in finding short- and long-term solutions.
However, Compound has an “extremely rigid” and slow governance process by design – architecture intended to make the protocol more resilient is now acting as a barrier to a fix. It will take another five days before the community can approve any updates to the contract code.
Technical solutions to the initial bug aside, however, the protocol now faces an even bigger problem: trying to convince users who received tokens to return them to the community.
“In my opinion, this is a bank error in a couple people’s favor,” said Leshner.
He went on:
“I think it’s harder because there was nothing deliberately criminal. If there was a hacker who deliberately exploited the code, people would celebrate going after them with every means possible. These users weren’t initially malicious.”
The question now turns to whether a moral obligation, rather than a legal one, can incite users to return funds – a question that has prompted significant debate in the crypto community.
One popular take is that “code is law” – regardless of intention, the protocol disbursed the funds and now users can spend them as they please.
However, others are appealing to the notion of “public goods” – that taking ill-gotten money from an on-chain bank, where anyone in the world can take out a loan regardless of who they are, is a violation of DeFi’s highest ideals.
In an interview with CoinDesk, Leshner said the moral dilemma can be split roughly into two camps.
“There’s a lot of members of the community that view protocols like Compound as benefitting the entire ecosystem,” he said. “And there are some users that don’t necessarily care. The builder mindset is, ‘This adds value, this is crucially important,’ and the trader mindset is ‘Money is money,’ and that’s the only ethos of crypto.”
He went on:
“I’m personally hopeful users will return funds to the community. It’s not my property, it’s not their property, it’s the community’s property.”
So far, two users have returned a total of 37,493 COMP tokens worth over $12 million at the time of writing.
“There are ideas to further incentivize people to return the COMP that they received,” Leshner said, but even with some incentive program “it’s still going to be relying on people doing the right thing.”
Read more: ‘Free Money’ Bug Hits DeFi Platform Alchemix
Some potential incentives have already been proposed, including non-fungible tokens (NFT) redeemable for a meeting with Leshner, to which he enthusiastically agreed:
This idea is crazy, and I'm in 🙌
— Robert Leshner (@rleshner) October 1, 2021
“I want to hear other people’s views on this, because it’s not my decision,” he said. “This is a decision every user has to make themselves, and I think most of them are taking the view of, ‘Haha, f**k you guys, it’s your problem.’”
Source: Coin Desk