
Bug Puts $162 Million Up For Grabs, Says Founder of DeFi Platform Compound (cnbc.com) 36

We thought the carnage was over for popular decentralized finance, or DeFi, staking protocol Compound, but as it turns out, millions more than we thought are at risk. About $162 million is up for grabs after an upgrade gone very wrong, according to Robert Leshner, founder of Compound Labs. CNBC reports: At first, the Compound chief tweeted Friday that there was a cap to how many comp tokens could be accidentally distributed, noting that "the impact is bounded, at worst, 280,000 comp tokens," or about $92.6 million. But on Sunday morning, Leshner revealed that the pool of cash that had already been emptied once had been replenished -- exposing another 202,472.5 comp tokens to exploit, or roughly $66.9 million at its current price.

On Wednesday, Compound rolled out what should have been a pretty standard upgrade. Soon after implementation, however, it was clear that something had gone seriously wrong, once users started to receive millions of dollars in comp tokens. For example, $30 million worth of comp tokens were claimed in one transaction. The saving grace of the entire debacle, however, was the fact that the pool of cash that was open to exploit -- something called the Comptroller contract -- had a finite amount of tokens. The problem is that this leaky pool got a fresh influx of cash, and 0.5 comp tokens are being added roughly every 15 seconds, according to Gupta. "When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users," Leshner wrote in a tweet Sunday morning. Leshner noted that this brought the total comp at risk to 490,000 comp tokens, or about $162 million.

There are a few proposals to fix the bug, but Compound's governance model is such that any changes to the protocol require a multiday voting window, and Gupta said it takes another week for the successful proposal to be executed. In the meantime, this pool of cash is once again up for grabs for users who know how to exploit the bug. Compound made clear that no supplied or borrowed funds were at risk, which is some consolation. "No user funds are or were at risk so it's not that big of a deal," said Gupta. "Everyone kinda got diluted but didn't lose anything directly."

  • Some day, I may be wrong. But it will take a lot to displace fiat money.
    Meanwhile hacking for ransomware and getting paid in crypto is a booming business.
    • by jd ( 1658 )

      The original mondex cards were debit cards that could transfer money to other debit cards directly, without the need for any intermediary. They used 768-bit RSA keys and tamper-resistant technology, so a mix of hardware and software. Although these days you'd want to use much longer keys and quantum computing resistant cryptography, these remain the only wholly digital currency that was reliable. They also remain the only wholly digital currency that could be taken off the grid entirely.

      A great idea, quite

  • So congratulations, just like the government backed financial system and currencies they can just print more at any time because 'it's not that big of a deal'.

    So why is this any better than government backed currencies and banks? Particularly why is it any better if one bad update can irrevocably change the values of people's accounts?

    Decentralized I guess means a guarantee of no take-backs, hehe. Also no give-backs, which would cause riots in the, um, social media streets.
    • And they can tax people. I don't know of any cryptocurrency that can say the same. If you really stretch the definition of taxing you might be able to pretend that mining or proof of stake counts, but good luck with that.

      More importantly governments have traditionally been forced to at least give lip service to governing with the consent of the populace. Despite what everyone tells you that's not true of cryptocurrencies. Relatively simple currency manipulation tactics can and will be used to control cr
      • How is that a bad thing? Tax means we have roads, schools, at least whatever counts as public medicine in the US, a military, cops, and countless other essentials of modern life.

        Outside of abstract libertarian bullshit that nobody cares about or wants, how is any of this a *bad* thing?

        • How is that a bad thing? Tax means we have roads, schools, at least whatever counts as public medicine in the US, a military, cops, and countless other essentials of modern life.

          Well said.

          All these "don't tax me bro, it's theft!" fuckers would be living in a feral state without the quality of life services provided from taxes.

          And any of you libertarians who want to "correct" me or debate me or "enlighten" me, save your breath. You're just greedy fuckheads with an empathy deficit, so please wrap your libertarian fantasy world in barbed wire and shove it up your ass.

      • Congratulations to you, they mention governance in TFS but you were in such a big hurry to spout off you entirely missed it.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday October 04, 2021 @09:58PM (#61861821)
    Comment removed based on user account deletion
    • Re: (Score:3, Informative)

      by bb_matt ( 5705262 )

      Marked as insightful ... typical.

      If you are going to slate something, usually it's actually useful to know what you are talking about.

      DeFi - decentralised finance.
      The idea being, if run correctly, that it isn't the financial banking system that provide financial services, but rather millions of individuals, staking money. If someone uses a financial service offered, the participants staking their money, all receive a portion of the fees.
      That's the idea in a nutshell.

      Yes, there's a fuck ton of coolaid being

      • Comment removed based on user account deletion
        • Like I said, this is very much like the dotcom boom - there's plenty of players out there who are going to fail and the "investors" left holding the bags, get recked.

          There's many different ideas in this space and many issues to sort out - the entire thing is very much in its infancy, but it remains a valid idea.

          Yep, anyone staking or rather, providing liquidity in DeFi is putting their money at risk - there's no getting around that side of it. It's just the nature of the game. It becomes a collective risk -

        • Generally speaking, DeFi algorithms and collateral protect the lenders.

          So, for example, you've got 10 Bitcoin and bills to pay. You think Bitcoin is going up, so you don't want to sell. Instead, you lock up your Bitcoin in a DeFi platform, then you borrow $100k from it. As long as you pay it back, you keep all your Bitcoin.

          But if you don't pay it back, or your Bitcoin drops down in value to $100k, then your Bitcoin is automatically sold on the open market to cover your loan.

          As long as the DeFi platform is s

          • So, for example, you've got 10 Bitcoin and bills to pay. You think Bitcoin is going up, so you don't want to sell. Instead, you lock up your Bitcoin in a DeFi platform, then you borrow $100k from it. As long as you pay it back, you keep all your Bitcoin.

            But if you don't pay it back, or your Bitcoin drops down in value to $100k, then your Bitcoin is automatically sold on the open market to cover your loan.

            So if you guess right you lose nothing. If you guess wrong you lose everything.

            As long as the DeFi plat

            • There's a big difference between needing to trust the DeFi platform and - as the GP suggests - needing to trust in the solvency of the borrowers. The GP is making it sound like handing bills to bums on the street in the hopes they'll pay it back.

    • It means the Startup/Agile process of "write code, patch it in production" (which isn't really Agile, but a lot of people do it that way) isn't appropriate for currency.

      The Satoshi Nakamoto process of "Make a solid design, test it hard, no need for patches in production" is much more appropriate.

      • It means the Startup/Agile process of "write code, patch it in production" (which isn't really Agile, but a lot of people do it that way)

        THIS....this is what I hate about most Agile implementations- the fact that they almost always do it wrong. Plus, the terminology sucks.

• Cryptocurrency needs banking / stock laws or it becomes underground only, and if you have some you better give the IRS its cut or you may be doing hard time like Al Capone.

  • "No user funds are or were at risk so it's not that big of a deal," said Gupta. "Everyone kinda got diluted but didn't lose anything directly."

Assuming there is actually a real value to be found here: Dilution directly impacts every single user. Dilution of $162 million - what is the total value of invested user funds? There's no way that's not significant. Either the guy is delusional, or - more likely - he is desperately trying to downplay this little fiasco.

    • That's $162M out of $15B total... Around 1%. Anybody shitting their pants over 1% shouldn't be holding crypto in the first place.
• I might not understand all of this but, if a bank with 15 billion in assets lost 162 million of customers' money, I'd move my money immediately. We're not talking 'lost' like the market went down, or they made some bad investments. This is more like Uncle Billy accidentally giving old man Potter $8,000 in a rolled up newspaper. Would you trust uncle Billy with your money?

• They didn't lose any customers' money. They lost their own money. And the money they lost was supposed to go out anyway, just not all at once. It's like this: imagine your bank stops paying interest for a few months, and then all of a sudden pays it all out at once. No problem, right? Except your uncle Billy points out that this affects the foreign exchange between USD and EURO ever so slightly. Who gives a fuck?
  • by misnohmer ( 1636461 ) on Tuesday October 05, 2021 @02:31AM (#61862233)

    Want to develop quickly, be agile and keep adding new features often, fail fast and reset when needed? Well, accept the risks that come with it. The alternative is the old fashion process, which tests the crap out of everything before releasing (simulation, staging, alpha, beta, etc), slowing down progress but yielding more reliable results. Pick your poison. The faster you want to move, the more risk you take that you're going to slip.

  • You had the design forethought to put a governance model that requires 7 days for a change? But.... No emergency rollback or temporary recall capability to cancel or defer a change after that, despite the high likelihood of a critical issue getting discovered immediately after the vote-in?

    Why oh why, were you building to be exploited?

    • I wonder if you even read the fucking thing. It amounted to 2 months worth of comps, which would have been handed out anyway except for the comp account was empty. There's no exploit here, just some sensational journalism and retards making a fuss.
  • Makes you wonder what their testing practices are.
    • by jd ( 1658 )

      They practiced testing but never got round to doing it for real?

  • "Everyone kinda got diluted but didn't lose anything directly."

    Just like when miners are paid $100 per transaction to process bitcoin payments on the blockchain.

  • Am I the only one that finds this whole debacle utterly hilarious?

    It's funny on so many levels that I hardly know where to begin.

    "No user funds are or were at risk so it's not that big of a deal," said Gupta.

    I dunno...it kinda sounds like something is at risk or they wouldn't be running around with their hair on fire.
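The over-collateralized loan described in the comment above (lock 10 Bitcoin, borrow $100k, get liquidated if the collateral's value falls to the loan amount) as a small model; this is an added example, not Compound's code, and the health-factor threshold of 1.0 is an assumption taken from that comment's simplified description rather than any real protocol's parameters.

```python
from dataclasses import dataclass


@dataclass
class Position:
    """A borrower's locked collateral and outstanding loan (constructed example)."""
    collateral_qty: float  # units of collateral locked, e.g. BTC
    debt_usd: float        # amount borrowed against it, in USD


def collateral_value(pos: Position, price_usd: float) -> float:
    return pos.collateral_qty * price_usd


def health_factor(pos: Position, price_usd: float) -> float:
    # > 1.0 means the collateral is worth more than the debt; assumed
    # liquidation threshold is exactly 1.0, as in the comment's description.
    return collateral_value(pos, price_usd) / pos.debt_usd


def liquidation_price(pos: Position) -> float:
    # The collateral price at which its value equals the outstanding debt.
    return pos.debt_usd / pos.collateral_qty


def settle(pos: Position, price_usd: float, repaid: bool) -> dict:
    """Resolve the position at the given price.

    Repaid: borrower gets all collateral back.  Not repaid and unhealthy:
    collateral is sold at market and proceeds cover the debt; any gap
    between proceeds and debt is reported as a shortfall for the lenders.
    Not repaid but still healthy: nothing happens, the loan stays open.
    """
    if repaid:
        return {"liquidated": False, "collateral_back": pos.collateral_qty,
                "proceeds_usd": 0.0, "shortfall_usd": 0.0}
    if health_factor(pos, price_usd) <= 1.0:
        proceeds = collateral_value(pos, price_usd)
        return {"liquidated": True, "collateral_back": 0.0,
                "proceeds_usd": proceeds,
                "shortfall_usd": max(0.0, pos.debt_usd - proceeds)}
    return {"liquidated": False, "collateral_back": pos.collateral_qty,
            "proceeds_usd": 0.0, "shortfall_usd": 0.0}
```

The shortfall field is the part the comment glosses over: if the price gaps below the liquidation price before the sale executes, the sold collateral no longer covers the loan and the lenders absorb the difference.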
