Compound, an Ethereum-based decentralized finance (DeFi) platform, accidentally gave out $90 million to its users in a botched upgrade. Now, the owners would appreciate it if they gave it back. Compound might even be willing to throw in a 10 percent “reward,” it said.
On the flip side, those who don’t return the money could be doxxed (i.e., have their private information published online), or be reported to the Internal Revenue Service, Compound’s founder and comptroller Robert Leshner threatened over Twitter.
If you received a large, incorrect amount of COMP from the Compound protocol error:
Please return it to the Compound Timelock (0x6d903f6003cca6255D85CcA4D3B5E5146dC33925). Keep 10% as a white-hat.
Otherwise, it's being reported as income to the IRS, and most of you are doxxed.
— Robert Leshner (@rleshner) October 1, 2021
After getting roasted as a “loser,” “moron” and frankly, far worse, Leshner apologized, but the damage seemed to have already been done among the crypto community.
“Cooperation with the Feds goes against everything crypto stands for,” a user replied to Leshner. “Doxxing people and ratting them out to the IRS, knowing that the agency will use the threat of violence to collect ‘taxes’ is even worse.”
Another user put it more bluntly in his response to Leshner. “You torched your trust equity with me,” Mr. Delete Button tweeted. “I won’t be using Compound anymore and will be encouraging everyone I know in the space and who is entering the space to avoid you and your product.”
Leshner said it was all a misunderstanding.
“The tweet was taken out of context — it meant to suggest that, unlike a black-hat attacker, most of the addresses that had received COMP incorrectly were active users of Coinbase, FTX, Binance, etc., that had their information,” Leshner explained to Threatpost. “The Compound interface is hosted on IPFS and collects zero user information whatsoever.”
Just 24 hours after Leshner’s Sept. 30 tweet, Compound’s native currency token COMP had lost 13 percent of its value, Bleeping Computer noted. According to Coinbase, the price of Compound is down 10.99 percent over the past seven days.
“COMP tokens from the user-incentive pool were misallocated as a result of the bug,” Leshner told Threatpost. He added that 163,000 COMP tokens have been returned and 183,000 are still missing.
That means the platform is still missing about $58,528,890 at today’s COMP price.
“Community developers have submitted a patch to tokenholders to approve, which fixes the underlying issue and resumes the COMP distribution properly,” Leshner said.
DeFi Likely to See More Fraud, Attacks
Just a few weeks ago, fellow DeFi platform PolyNetwork was ripped off for a stunning $610 million. Ultimately, the entire amount was returned by the attacker, dubbed “Mr. White Hat” by the PolyNetwork negotiators. They eventually offered Mr. White Hat a job as PolyNetwork’s chief security officer to recoup the stolen cryptocurrency.
Mr. White Hat turned down the gig and instead said the breach was intended as a security lesson for the DeFi community.
Cream Finance DeFi platform was also hit by attackers over the past several weeks and robbed of $29 million in Amp coin.
The big difference with the Compound situation is that no crime was committed. PolyNetworks and Cream Finance were victims of cybercrime. Compound just mistakenly gave the crypto away.
“Unlike other recent losses of cryptocurrency, this was not due to hacking or criminal activity,” Jake Williams with BreachQuest told Threatpost. “In this case, the root cause was a bug introduced in a software upgrade.”
He added the threat to dox users was a bit “overboard.”
“While Leshner walked that back, it’s hard to see how that doesn’t hurt COMP’s public persona well into the future,” Williams added. “To avoid issues like this, operations teams should threat model any operational bugs that threaten the viability of the platform itself and review each of these situations before any deployment.”
Perhaps this is a huge warning sign that decentralized finance isn’t secure enough to be trusted, another researcher added.
“The complete lack of central authority in cryptocurrency has been used as an excuse by companies to sit on their hands while their users’ get their life savings plundered,” John Bambenek from Netenrich explained to Threatpost. “Now that Compound discovered that the same sword cuts the other way, they are shocked, shocked I tell you, that there is nothing they can do about it. If Compound can’t implement basic financial controls to detect and prevent this, I have very little confidence that other forms of fraud are not far behind on targeting their platform.”
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.