DeFi Founder Threatens to Doxx Users Following Accidental $90 Million Giveaway

Robert Leshner informed users that he would begin reporting them to the IRS unless they returned COMP tokens sent to them in error. The response from crypto Twitter to the threat was less than favorable.

$90 Million Giveaway

Compound has given away more than $90 million in $COMP tokens in an upgrade which has gone awry. The lending protocol upgraded the Comptroller contract on Wednesday, but the contract contained a one-character bug that allowed users to claim more COMP than intended.

Robert Leshner, the Founder, and CEO of Compound Labs, revealed that no admin controls or community tools existed to switch off the faulty update. Helplessly watching the bug be exploited, the founder attempted to use both carrot and stick approaches to retrieve the siphoned funds.

“If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it to the Compound Timelock,” said Leshner in a Tweet on October 1st. “Keep 10% as a white-hat. Otherwise, it’s being reported as income to the IRS, and most of you are doxxed.”

The post was met with incredulity from crypto Twitter, as users pointed out that the logic of the IRS threat was at least as faulty as the Comptroller code. Many pointed out that they’d be better off paying the tax, while a few pointed out that they weren’t based in the US.

Schranke captures the general sentiment on Crypto Twitter | Source

Following some relentless criticism and mockery on Twitter, Leshner retook to the platform to row back on his earlier comments.

“I’m trying to do anything I can to help the community get some of its COMP back, and this was a bone-headed tweet/approach. That’s on me. Luckily, the community is much bigger, and smarter, than just me,” he said, striking a more conciliatory tone. He concluded by adding, “I appreciate your ridicule and support.”


How Did This Happen?

The issue with Compound’s distribution of COMP tokens emerged on Wednesday following an upgrade to the Comptroller contract. The update, referred to as “Proposal 62” was performed by a community member, with other community members completing the review process. It appears that no professional audit of the code was performed before its implementation.

SushiSwap coder Mudit Gupta was quick to sift through the ashes in an attempt to identify exactly where the error occurred. Gupta placed the finger of blame on a one-character error on line 1217. In this instance, the error was the use of an ‘>’ symbol where the correct implementation should have been ‘>=.’

“If someone only reviewed the delta of the upgraded contract, they might have missed this. A small change at one place can introduce a vulnerability at another,” explained Gupta in a string of Tweets on September 30th. “This is why reviewing deltas is dangerous and no matter how small the upgrade, full audits are essential for critical contracts.”

While no immediate resolution to the Proposal 62 is possible, the Compound community has now proposed a change that will prevent the further claiming of COMP tokens. It will take until October 7th for any proposal to pass, however. If the proposal does pass, and it seems likely that it will, the normal distribution of tokens will be temporarily suspended.

For now, the lesson seems to be that the auditing of code should be left to the professionals and not left in the hands of well-intentioned community members.

Source : bscnews

Leave a Reply

Your email address will not be published. Required fields are marked *