Press Release

DeFi Founder Threatens to Doxx Users After $90 Million Accident

Robert Leshner warned users that if they did not return COMP tokens sent in error, he would report them to the IRS. Twitter users reacted negatively to the threat.

$90 Million Giveaway

In a botched upgrade, Compound gave away over $90 million in $COMP tokens. The Comptroller contract was upgraded on Wednesday, but a single-character bug allowed users to claim more COMP than intended.

Compound Labs’ founder and CEO, Robert Leshner, revealed that no admin or community tools existed to disable the faulty update. As the bug was being exploited, the founder tried both carrot and stick to recover the funds.

According to Leshner’s October 1st tweet, anyone who received a large amount of COMP from a protocol error should return it to the Compound Timelock. “Keep 10% white hat. Otherwise, it’s reported to the IRS as income, and you’re doxxed.”

Crypto Twitter users were skeptical of the IRS threat, pointing out that the IRS logic was as flawed as the Comptroller code. Many said they’d be better off paying the tax, while others said they weren’t US citizens.

Leshner returned to Twitter after a barrage of criticism and mockery to retract his earlier remarks.

“I’m trying to do anything I can to help the community get some of its COMP back, and this was a bone-headed tweet / approach. That’s on me. Luckily, the community is much bigger, and smarter, than just me. I appreciate your ridicule and support,” Leshner said in a conciliatory tone.

What caused this to happen?

The problem with Compound’s distribution of COMP tokens was discovered on Wednesday after an upgrade to the Comptroller contract. The update, dubbed “Proposal 62,” was carried out by a community member, with additional community members completing the review process. There appears to have been no professional audit of the code prior to its implementation.

Mudit Gupta, a SushiSwap coder, was quick to dig through the ashes to find the error. Gupta blamed a one-character error on line 1217: the use of a ‘>’ symbol instead of ‘>=’.

“If someone only reviewed the delta of the upgraded contract, they might have missed this. A small change at one place can introduce a vulnerability at another,” Gupta explained in a series of tweets on September 30th. “This is why reviewing deltas is risky and full audits are required for critical contracts.”

A change to Proposal 62 has been proposed by the Compound community to prevent further claims of COMP tokens. But any proposal must be approved by October 7th. If the proposal passes, which seems likely, normal token distribution will be temporarily suspended.

In the meantime, the lesson seems to be that professional code auditing should be left to professionals, not well-meaning community members.