Bug Puts $162 Million Up For Grabs, Says Founder of DeFi Platform Compound (cnbc.com)
We thought the carnage was over for popular decentralized finance, or DeFi, staking protocol Compound, but as it turns out, millions more than we thought are at risk. About $162 million is up for grabs after an upgrade gone very wrong, according to Robert Leshner, founder of Compound Labs. CNBC reports: At first, the Compound chief tweeted Friday that there was a cap to how many comp tokens could be accidentally distributed, noting that "the impact is bounded, at worst, 280,000 comp tokens," or about $92.6 million. But on Sunday morning, Leshner revealed that the pool of cash that had already been emptied once had been replenished -- exposing another 202,472.5 comp tokens to exploit, or roughly $66.9 million at its current price.
On Wednesday, Compound rolled out what should have been a pretty standard upgrade. Soon after implementation, however, it was clear that something had gone seriously wrong, once users started to receive millions of dollars in comp tokens. For example, $30 million worth of comp tokens were claimed in one transaction. The saving grace of the entire debacle, however, was the fact that the pool of cash that was open to exploit -- something called the Comptroller contract -- had a finite amount of tokens. The problem is that this leaky pool got a fresh influx of cash, and 0.5 comp tokens are being added roughly every 15 seconds, according to Gupta. "When the drip() function was called this morning, it sent the backlog (202,472.5, about two months of COMP since the last time the function was called) into the protocol for distribution to users," Leshner wrote in a tweet Sunday morning. Leshner noted that this brought the total comp at risk to 490,000 comp tokens, or about $162 million.
There are a few proposals to fix the bug, but Compound's governance model is such that any changes to the protocol require a multiday voting window, and Gupta said it takes another week for the successful proposal to be executed. In the meantime, this pool of cash is once again up for grabs for users who know how to exploit the bug. Compound made clear that no supplied or borrowed funds were at risk, which is some consolation. "No user funds are or were at risk so it's not that big of a deal," said Gupta. "Everyone kinda got diluted but didn't lose anything directly."
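The summary describes a reservoir that releases 0.5 comp tokens roughly every 15 seconds and a drip() call that hands over the entire backlog accumulated since the previous call. The following is an added model of that mechanism, written for this page and not Compound's contract code: it shows how long a reservoir has to sit un-dripped for the quoted 202,472.5-token backlog to build up at the stated rate, and pairs the distributor with the solvency invariant (total claimable never exceeds funds on hand) a reviewer would want to run against a reward-distribution upgrade before it ships. The pro-rata accounting in Distributor is a constructed simplification, and all names are assumptions.

```python
# Added illustration, not Compound's code: a reward reservoir that drips at a
# fixed rate into a distributor, plus a solvency invariant for the distributor.
from dataclasses import dataclass, field

BLOCK_SECONDS = 15      # from the article: roughly 15 seconds per drip tick
DRIP_PER_BLOCK = 0.5    # from the article: 0.5 tokens released per tick


def seconds_to_accumulate(amount: float) -> float:
    """Seconds the reservoir must go un-dripped for `amount` to pile up."""
    return amount / DRIP_PER_BLOCK * BLOCK_SECONDS


@dataclass
class Reservoir:
    balance: float        # tokens still held back in the reservoir
    last_drip_ts: int     # timestamp of the last drip() call

    def pending(self, now: int) -> float:
        """Backlog owed since the last drip, never more than the reservoir holds."""
        ticks = (now - self.last_drip_ts) // BLOCK_SECONDS
        return min(ticks * DRIP_PER_BLOCK, self.balance)

    def drip(self, now: int, sink: "Distributor") -> float:
        """drip() releases the whole backlog in one call, as the article describes."""
        amount = self.pending(now)
        self.balance -= amount
        self.last_drip_ts = now
        sink.funds += amount
        return amount


@dataclass
class Distributor:
    """Pro-rata reward accounting (constructed simplification): each supplier is
    owed a share of everything ever dripped in, in proportion to units supplied,
    minus what that supplier has already claimed."""
    funds: float = 0.0
    supplied: dict = field(default_factory=dict)   # user -> units supplied
    paid: dict = field(default_factory=dict)       # user -> rewards already claimed

    def claimable(self, user: str) -> float:
        total_units = sum(self.supplied.values())
        if total_units == 0:
            return 0.0
        total_rewards = self.funds + sum(self.paid.values())
        share = total_rewards * self.supplied[user] / total_units
        return max(share - self.paid.get(user, 0.0), 0.0)

    def claim(self, user: str) -> float:
        amount = self.claimable(user)
        # Hard stop: a payout larger than the funds on hand means the
        # accounting is broken, which is exactly the failure an audit looks for.
        if amount > self.funds:
            raise RuntimeError("distributor would pay out more than it holds")
        self.funds -= amount
        self.paid[user] = self.paid.get(user, 0.0) + amount
        return amount


def solvency_ok(d: Distributor) -> bool:
    """Invariant to check after every state change: everything claimable right
    now must fit within the distributor's funds."""
    return sum(d.claimable(u) for u in d.supplied) <= d.funds + 1e-9


if __name__ == "__main__":
    days = seconds_to_accumulate(202_472.5) / 86_400
    print(f"202,472.5 tokens at 0.5 per 15s takes about {days:.1f} days to accumulate")
    r = Reservoir(balance=1_000.0, last_drip_ts=0)
    d = Distributor(supplied={"alice": 3.0, "bob": 1.0})
    print("dripped:", r.drip(now=150, sink=d), "solvent:", solvency_ok(d))
```

At the stated rate the quoted backlog corresponds to roughly 70 days of un-dripped accrual, which matches the "about two months" in Leshner's tweet. The point of solvency_ok is that it is cheap to evaluate in a test harness after every simulated claim, so an upgrade that mis-credits rewards trips it before deployment rather than on mainnet.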
Digital, uhh software is not reliable money (Score:2)
Meanwhile hacking for ransomware and getting paid in crypto is a booming business.
Re: (Score:3)
The original Mondex cards were debit cards that could transfer money to other debit cards directly, without the need for any intermediary. They used 768-bit RSA keys and tamper-resistant technology, so a mix of hardware and software. Although these days you'd want to use much longer keys and quantum computing resistant cryptography, these remain the only wholly digital currency that was reliable. They also remain the only wholly digital currency that could be taken off the grid entirely.
A great idea, quite
'it's not that big of a deal' (Score:2)
So why is this any better than government backed currencies and banks? Particularly why is it any better if one bad update can irrevocably change the values of people's accounts?
Decentralized I guess means a guarantee of no take-backs, hehe. Also no give-backs, which would cause riots in the, um, social media streets.
Governments have armies (Score:2)
More importantly governments have traditionally been forced to at least give lip service to governing with the consent of the populace. Despite what everyone tells you that's not true of cryptocurrencies. Relatively simple currency manipulation tactics can and will be used to control cr
Re: (Score:3)
How is that a bad thing? Tax means we have roads, schools, at least whatever counts as public medicine in the US, a military, cops, and countless other essentials of modern life.
Outside of abstract libertarian bullshit that nobody cares about or wants, how is any of this a *bad* thing?
Re: (Score:3)
How is that a bad thing? Tax means we have roads, schools, at least whatever counts as public medicine in the US, a military, cops, and countless other essentials of modern life.
Well said.
All these "don't tax me bro, it's theft!" fuckers would be living in a feral state without the quality of life services provided from taxes.
And any of you libertarians who want to "correct" me or debate me or "enlighten" me, save your breath. You're just greedy fuckheads with an empathy deficit, so please wrap your libertarian fantasy world in barbed wire and shove it up your ass.
Re: (Score:2)
Comment removed (Score:5, Insightful)
Re: (Score:3, Informative)
Marked as insightful ... typical.
If you are going to slate something, usually it's actually useful to know what you are talking about.
DeFi - decentralised finance.
The idea being, if run correctly, that it isn't the financial banking system that provide financial services, but rather millions of individuals, staking money. If someone uses a financial service offered, the participants staking their money, all receive a portion of the fees.
That's the idea in a nutshell.
Yes, there's a fuck ton of Kool-Aid being
Re: (Score:1)
Re: (Score:3)
Like I said, this is very much like the dotcom boom - there's plenty of players out there who are going to fail and the "investors" left holding the bags, get recked.
There's many different ideas in this space and many issues to sort out - the entire thing is very much in its infancy, but it remains a valid idea.
Yep, anyone staking or rather, providing liquidity in DeFi is putting their money at risk - there's no getting around that side of it. It's just the nature of the game. It becomes a collective risk -
Re: Jeezuz (Score:3)
Generally speaking, DeFi algorithms and collateral protect the lenders.
So, for example, you've got 10 Bitcoin and bills to pay. You think Bitcoin is going up, so you don't want to sell. Instead, you lock up your Bitcoin in a DeFi platform, then you borrow $100k from it. As long as you pay it back, you keep all your Bitcoin.
But if you don't pay it back, or your Bitcoin drops down in value to $100k, then your Bitcoin is automatically sold on the open market to cover your loan.
As long as the DeFi platform is s
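The collateral mechanics in the comment above (lock 10 BTC, borrow $100k, get sold out if the collateral falls to the value of the loan), as an added illustration written for this page and not code from any DeFi platform. It goes slightly beyond the comment's round numbers: real lending protocols apply a collateral factor below 1, so a position becomes liquidatable while the collateral is still worth more than the debt, and liquidation typically repays only part of the debt and seizes collateral at a discount; that margin is what protects lenders. The collateral factor (0.75), close factor (0.5) and liquidation incentive (8%) are assumed values, and all names are assumptions.

```python
# Added illustration, not any platform's code: a collateralized loan position
# with a health check, the price at which it becomes liquidatable, and a
# partial liquidation that brings it back above the threshold.
from dataclasses import dataclass


@dataclass
class Position:
    collateral_units: float     # e.g. BTC locked in the protocol
    debt_usd: float             # value borrowed against it
    collateral_factor: float    # fraction of collateral value that may be borrowed (assumed)

    def collateral_value(self, price_usd: float) -> float:
        return self.collateral_units * price_usd

    def borrow_limit(self, price_usd: float) -> float:
        """The most this position may owe at the given price."""
        return self.collateral_value(price_usd) * self.collateral_factor

    def health(self, price_usd: float) -> float:
        """Above 1.0 the position is safe; below 1.0 it can be liquidated."""
        if self.debt_usd == 0:
            return float("inf")
        return self.borrow_limit(price_usd) / self.debt_usd

    def liquidation_price(self) -> float:
        """Collateral price at which health crosses 1.0 (the borrower's danger line)."""
        return self.debt_usd / (self.collateral_units * self.collateral_factor)


def liquidate(pos: Position, price_usd: float,
              close_factor: float = 0.5, incentive: float = 0.08) -> tuple:
    """Repay part of an unhealthy position's debt and seize collateral at a
    discount (constructed parameters). Returns (debt_repaid, collateral_seized)."""
    if pos.health(price_usd) >= 1.0:
        raise ValueError("position is healthy; nothing to liquidate")
    repay = pos.debt_usd * close_factor
    seized = min(repay * (1 + incentive) / price_usd, pos.collateral_units)
    pos.debt_usd -= repay
    pos.collateral_units -= seized
    return repay, seized


if __name__ == "__main__":
    pos = Position(collateral_units=10.0, debt_usd=100_000.0, collateral_factor=0.75)
    print(f"liquidatable below ${pos.liquidation_price():,.2f} per unit")
    print(f"health at $20,000: {pos.health(20_000):.2f}")
    print(f"health at $13,000: {pos.health(13_000):.3f}")
    repay, seized = liquidate(pos, 13_000)
    print(f"repaid ${repay:,.0f}, seized {seized:.4f} units, health now {pos.health(13_000):.2f}")
```

With these assumed parameters the 10 BTC / $100k position is liquidatable once the price drops below about $13,333, well before the collateral is worth only $100k, and a single partial liquidation at $13,000 leaves the remaining debt over-collateralized again.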
Re: (Score:2)
So if you guess right you lose nothing. If you guess wrong you lose everything.
Re: Jeezuz (Score:2)
There's a big difference between needing to trust the DeFi platform and - as the GP suggests - needing to trust in the solvency of the borrowers. The GP is making it sound like handing bills to bums on the street in the hopes they'll pay it back.
Re: (Score:2)
Nope.
DeFi means decentralised finance.
I mean, you are taking a quote from someone who says, quote: "Don't let the toxic crypto bros fool you" - yeah, deep insight there, right?
There absolutely is a huge section of the cryptocurrency boom that are very much intent on "flying under the radar" - and the market absolutely needs regulation, to protect "investors".
Note, I put investors in quotes, because what this really is, right now, is speculation.
The entire market is firmly in startup territory, with the exce
Re: (Score:2)
It means the Startup/Agile process of "write code, patch it in production" (which isn't really Agile, but a lot of people do it that way) isn't appropriate for currency.
The Satoshi Nakamoto process of "Make a solid design, test it hard, no need for patches in production" is much more appropriate.
Re: (Score:2)
It means the Startup/Agile process of "write code, patch it in production" (which isn't really Agile, but a lot of people do it that way)
THIS....this is what I hate about most Agile implementations- the fact that they almost always do it wrong. Plus, the terminology sucks.
cryptocurrency needs banking / stock laws or under (Score:2)
cryptocurrency needs banking / stock laws or it becomes underground only, and if you have some you better give the IRS its cut or you may be doing hard time like Al Capone
Those words don't mean what he thinks they do... (Score:3)
"No user funds are or were at risk so it's not that big of a deal," said Gupta. "Everyone kinda got diluted but didn't lose anything directly."
Assuming there is actually any real value to be found here: dilution directly impacts every single user. Dilution of $162 million - what's the total value of invested user funds? There's no way that's not significant. Either the guy is delusional, or - more likely - he is desperately trying to downplay this little fiasco.
Re: (Score:2)
Re: Those words don't mean what he thinks they do. (Score:2)
I might not understand all of this but, if a bank with 15 billion in assets lost 162 million of customers' money, I'd move my money immediately. We're not talking 'lost' like the market went down, or they made some bad investments. This is more like Uncle Billy accidentally giving old man Potter $8,000 in a rolled up newspaper. Would you trust Uncle Billy with your money?
Re: (Score:2)
Fail fast development model (Score:3)
Want to develop quickly, be agile and keep adding new features often, fail fast and reset when needed? Well, accept the risks that come with it. The alternative is the old-fashioned process, which tests the crap out of everything before releasing (simulation, staging, alpha, beta, etc.), slowing down progress but yielding more reliable results. Pick your poison. The faster you want to move, the more risk you take that you're going to slip.
This is almost comical (Score:2)
You had the design forethought to put a governance model that requires 7 days for a change? But.... No emergency rollback or temporary recall capability to cancel or defer a change after that, despite the high likelihood of a critical issue getting discovered immediately after the vote-in?
Why oh why, were you building to be exploited?
Re: (Score:2)
Testing? (Score:2)
Re: (Score:2)
They practiced testing but never got round to doing it for real?
how crypto rips you off, generally (Score:2)
"Everyone kinda got diluted but didn't lose anything directly."
Just like when miners are paid $100 per transaction to process bitcoin payments on the blockchain.
Re: (Score:2)
Hilarious (Score:2)
Am I the only one that finds this whole debacle utterly hilarious?
It's funny on so many levels that I hardly know where to begin.
"No user funds are or were at risk so it's not that big of a deal," said Gupta.
I dunno...it kinda sounds like something is at risk or they wouldn't be running around with their hair on fire.