

Compound’s DeFi Bug: What Happened & How to Handle Erroneous Transfers

Learn how Compound mistakenly transferred more than $90 million in rewards and what it means for the community and recipients of the funds.

Decentralized finance, or DeFi, has become extremely popular, with more than $100 billion in total value locked. These platforms seek to decentralize all financial services using blockchain protocols and cryptocurrencies. By cutting out intermediaries, they aim to provide more efficient, lower cost, and more equitable financial services.

There are over a hundred different DeFi platforms, but Compound is one of the most popular, with $11 billion in total value locked. Earlier this year, a bug in the popular platform resulted in over $90 million in mistaken rewards. Given the nature of the blockchain, these funds were impossible to reverse or recoup aside from voluntary repayment.

Let’s look at what happened with Compound and what to do if you received some of these mistaken funds.

Compound is one of the most popular DeFi platforms, but a software bug led to more than $90 million in losses. Here’s what happens if you receive some of these funds.

What Happened?

Compound is a popular DeFi platform enabling the borrowing and lending of specific cryptocurrencies, such as Ether (ETH) or Tether (USDT). For example, if you own ETH, you can lend it to the Compound protocol and earn interest in ETH. The protocol also has a governance token, called COMP, that’s distributed to all participants based on the interest accrued.

Compound rolled out a software update designed to split COMP reward distribution between borrowers and liquidity suppliers based on governance-set ratios rather than the previous 50/50 model. Unfortunately, the upgraded contract contained a bug causing some users to receive far too much in rewards—upwards of $30 million in one user’s case!

By design, the platform didn’t have administrative controls or community tools to disable the erroneous COMP reward distribution. In fact, the protocol requires a seven-day governance process to make any changes, meaning that no fix could take effect for a week. The “good” news is that there was a cap of 280,000 tokens worth about $92.6 million.

The bug led to many users becoming overnight millionaires without having to do anything malicious. At the same time, the platform couldn’t reclaim the money without rolling back the chain with a 51% attack due to the nature of blockchain technology. As a result, these newly-minted millionaires were free to keep the erroneous funds without retribution.
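As an added illustration (not Compound's code, and not a reconstruction of the actual defect), here is a toy Python model of the reward accounting described above: rewards accrue per block, are split between borrowers and suppliers by a governance-set ratio instead of a fixed 50/50, and each user earns pro rata through an index checkpoint. It also adds the two controls the article says limited or could have limited the damage: a fixed reservoir that bounds the worst-case payout, and a guardian pause that halts claims when a payout exceeds what the protocol has ever emitted. The class names, numbers and the invariant check are all assumptions made for this example.

```python
"""Toy model of index-based reward distribution with a governance-set split,
a reservoir cap and a guardian pause. Added example; not Compound's code."""
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class Pool:
    """One side of a market (suppliers or borrowers) with index accounting."""
    balances: dict = field(default_factory=dict)     # user -> units in this pool
    index: Fraction = Fraction(0)                    # cumulative reward per unit
    user_index: dict = field(default_factory=dict)   # user -> index at last checkpoint

    def total(self) -> Fraction:
        return Fraction(sum(self.balances.values()))

    def accrue(self, reward: Fraction) -> Fraction:
        """Spread `reward` across the pool pro rata; returns what was actually emitted."""
        if self.total() == 0:
            return Fraction(0)            # nobody to pay, so nothing is emitted
        self.index += reward / self.total()
        return reward

    def checkpoint(self, user: str) -> Fraction:
        """Settle the user's share since their last checkpoint and advance their marker."""
        # A user seen for the first time starts at the *current* index, never at 0:
        # starting at 0 would credit them for rewards emitted before they joined.
        start = self.user_index.get(user, self.index)
        earned = (self.index - start) * self.balances.get(user, 0)
        self.user_index[user] = self.index
        return earned


class RewardDistributor:
    def __init__(self, reward_per_block, borrower_share, reservoir):
        self.reward_per_block = Fraction(reward_per_block)
        self.borrower_share = Fraction(borrower_share)  # governance-set; "1/2" is the old 50/50 model
        self.reservoir = Fraction(reservoir)            # hard cap on tokens that can ever be paid out
        self.supply, self.borrow = Pool(), Pool()
        self.emitted = Fraction(0)                      # total ever credited to users
        self.paid = Fraction(0)                         # total ever claimed
        self.unclaimed = {}                             # user -> settled but unclaimed reward
        self.paused = False                             # guardian switch (assumed control)

    def set_borrower_share(self, share) -> None:
        share = Fraction(share)
        if not 0 <= share <= 1:
            raise ValueError("borrower share must be between 0 and 1")
        self.borrower_share = share

    def advance(self, blocks: int) -> None:
        """Emit `blocks` worth of rewards, split by the governance-set ratio."""
        budget = self.reward_per_block * blocks
        self.emitted += self.borrow.accrue(budget * self.borrower_share)
        self.emitted += self.supply.accrue(budget * (1 - self.borrower_share))

    def _settle(self, user: str) -> None:
        earned = self.supply.checkpoint(user) + self.borrow.checkpoint(user)
        self.unclaimed[user] = self.unclaimed.get(user, Fraction(0)) + earned

    def supply_tokens(self, user: str, amount: int) -> None:
        self._settle(user)                              # checkpoint before the balance changes
        self.supply.balances[user] = self.supply.balances.get(user, 0) + amount

    def borrow_tokens(self, user: str, amount: int) -> None:
        self._settle(user)
        self.borrow.balances[user] = self.borrow.balances.get(user, 0) + amount

    def claim(self, user: str) -> Fraction:
        if self.paused:
            raise RuntimeError("reward claims are paused")
        self._settle(user)
        amount = self.unclaimed.pop(user, Fraction(0))
        # Invariant: one claim can never exceed what the protocol has emitted and not yet paid.
        # A violation means the accounting is broken, so pause instead of paying out.
        if amount > self.emitted - self.paid:
            self.paused = True
            raise RuntimeError("payout exceeds emitted rewards; accounting bug suspected")
        payout = min(amount, self.reservoir - self.paid)  # the reservoir bounds the worst case
        self.paid += payout
        return payout


def demo() -> dict:
    """Constructed scenario: two suppliers, one borrower, then governance changes the split."""
    d = RewardDistributor(reward_per_block=10, borrower_share="1/2", reservoir=1000)
    d.supply_tokens("alice", 300)
    d.supply_tokens("bob", 100)
    d.borrow_tokens("carol", 50)
    d.advance(10)                                       # 100 tokens: 50 to borrowers, 50 to suppliers
    first = {u: d.claim(u) for u in ("alice", "bob", "carol")}
    d.set_borrower_share("3/4")                         # governance moves the split to 75/25
    d.advance(10)
    second = {u: d.claim(u) for u in ("alice", "bob", "carol")}
    return {"first": first, "second": second, "paid": d.paid}


if __name__ == "__main__":
    print(demo())
```

The checkpoint rule in `Pool.checkpoint` is the part worth reading twice: a user's starting marker is the current index, not zero, so nobody is credited for emissions that happened before they held a position. The reservoir cap does not make the accounting correct, it only bounds how much an error can cost, which is exactly the role the article attributes to Compound's 280,000-token limit.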

Compound’s Response

Compound’s founder, Robert Leshner, initially threatened those that mistakenly received funds, saying that he would report the income to the IRS and dox them, that is, make their identities public. But, of course, doxxing is a cardinal sin in the privacy-centric world of cryptocurrencies, and Leshner quickly walked back the threats a day later.

Leshner’s threat to report transactions to the IRS and dox users. Source: Twitter

While those in the “code is law” camp believe that any protocol distributions are fair game to keep, others insist that COMP rewards are a community-owned public good. Regardless of morality, the Compound community proposed several incentives to encourage users to return the funds, including non-fungible tokens redeemable for a meeting with Leshner.

As of mid-October, users returned 163,000 COMP rewards worth about $50 million to the Compound community, and another 130,000 tokens worth about $40 million were left untouched. The remaining 200,000 tokens that were claimed but not returned effectively dilute all Compound stakeholders by about $40 million in total value.

Despite the costly mistake, Compound’s COMP tokens have largely retained their value over the ensuing month. The coin’s $1.7 billion market capitalization means that a $90 million loss isn’t particularly significant in the grand scheme of things. After a fix was deployed a week later, the platform is again secure and presumably more aware of these risks.

Compound wasn’t particularly hard-hit by the bug. Source: CoinMarketCap

Receiving Erroneous Funds

Compound is a decentralized autonomous organization, or DAO, so there is no clear basis for pursuing any legal action. The platform’s front end is also hosted on the InterPlanetary File System (IPFS), a distributed file storage protocol, which limits the amount of user information it holds. Thus, despite Leshner’s threats, it’s unlikely that the platform has any recourse against those that received the tokens.

While Compound has little recourse to recoup the funds, those that received the tokens still owe tax. The amount is likely to be treated as ordinary income that’s taxed at each individual’s marginal tax rate. For example, those that received $1 million worth of COMP rewards could owe $370,000 in taxes, assuming they fall into the 37% tax bracket.

Those that returned their ill-gotten COMP reward tokens don’t owe any tax since they didn’t experience any gain. However, it’s a good idea to document the return in case the IRS begins auditing blockchain transactions. For example, you may want to note the transaction returning the funds and have the URL on hand for any regulatory questions.

Lessons for the Future

The crypto world is no stranger to hacks, bugs, and other costly mistakes. Earlier this year, someone stole more than $600 million from the Poly Network. The good news is that the transparency of the blockchain makes it difficult to launder these funds. That’s one reason that the Poly Network hacker ultimately opted to return the funds.

The rise of DAOs and DeFi platforms could complicate these dynamics. By nature, DAOs don’t have a centralized authority and transactions are much more anonymous. There’s an important trade-off between decentralization and the ability to reverse transactions and hold people accountable for security breaches or mistakenly appropriated funds.

Crypto traders and investors should keep these risks in mind. While Bitcoin and a handful of cryptocurrencies are very mature with no recent security breaches, DeFi, NFTs, and many other platforms are relatively new and could experience security breaches and other issues. Diversification, insurance, and other measures can help mitigate many of these risks.

The Bottom Line

Compound, one of the largest DeFi platforms in the world, inadvertently deployed code that caused some users to receive a massive COMP reward. Ultimately, the community lost around $40 million worth of COMP reward tokens that diluted existing stakeholders. The mistake marks the latest in a long line of hacks and bugs that have plagued the industry.

Of course, the crypto world is constantly evolving and many of these problems are due to the newness of the technology. A growing number of safeguards are being put in place to balance privacy with security and ensure that these services ultimately become a viable alternative to conventional financial services for millions or even billions of people.

If you trade cryptocurrencies, ZenLedger can help you aggregate transactions from across your wallets and exchanges, calculate your capital gain or loss, and autocomplete popular tax forms. In addition, you can use the platform to identify tax-loss harvesting opportunities and integrate with tax tools like TurboTax to simplify your filings. Try it for free today!