A technical glitch in a crypto marketplace has just made some cryptocurrency users tens of millions of dollars richer — and the marketplace founder's threats have ignited a debate about the rules of digital money in an authority-less world.
Compound, a popular cryptocurrency platform, last week put out what should have been a routine update to the code that governs users' transactions. However, the update contained a bug that mistakenly sent up to $89 million worth of crypto tokens into some users' accounts.
Compound Labs noticed "unusual activity" late Wednesday, but at that point the tokens were already distributed with no easy way of getting them back.
The company's founder, Robert Leshner, quickly took to Twitter to persuade Compound users to return the surprise windfall — veering from persuasion to praise to threats against anyone who doesn't return the tokens.
First, Leshner said that users could keep 10% of the funds as a bonus, but threatened to reveal the identities of holdouts who don't return the money.
"If you received a large, incorrect amount of COMP from the Compound protocol error: Please return it," he tweeted, listing an account ID. He added, "otherwise, it's being reported as income to the IRS, and most of you are doxxed."
Doxing — or publicly revealing information many people might consider private, such as a person's name and home address — is considered a massive breach of protocol in the cryptocurrency world, where users often prize privacy and the absence of a central authority.
Leshner later walked back his statements, calling his tweet "bone-headed" and telling users, "I appreciate your ridicule and support."
On Friday, Leshner jumped on board with an offer to reward the first five people to return funds with a digital asset, or NFT, that he said would be redeemable for a real-world meeting with the founder.
"This has been, without a doubt, the worst day in the history of the Compound protocol," Leshner told the trade publication CoinDesk on Friday.
What happened with Compound Labs was the opposite of a typical hack, in which a person or group exploit a bug to take money from others. "Instead of people losing money, they magically gain money. Money appears and it's yours — the bank cannot reverse it," said R.A. Farrokhnia, a professor at Columbia Business School who runs the Columbia Fintech Inititative.
The extra money came in the form of COMP tokens, which are typically awarded to people who interact with the Compound market by lending, borrowing or depositing cryptocurrency into a lending pool. Users who own COMP tokens have a say in how the platform operates and can also exchange them for dollars, however, there's a limited number of COMP tokens that can be in circulation.
"The funds that were distributed were reserved for future community members and contributors to the protocol," Leshner told CBS MoneyWatch late on Friday. "It's essentially like an endowment for the protocol, to keep it operating for hundreds of years."
When the tokens were mistakenly issued, Leshner said he was hopeful that users wouldn't claim them, but by Friday nearly all of them had been claimed.
"It's been a long 48 hours," Leshner said. The biggest losers of the update debacle were essentially future users, he added.
Multimillion-dollar errors are distressingly common in the decentralized world of crypto finance. In June, Alchemix, another crypto-borrowing platform, prematurely forgave about $4.8 million worth of loans. The previous month, another crypto-lender, BlockFi, mistakenly sent users bonuses worth $10 million.
Such bungles are even more common with conventional banks, crypto fans note. Citibank mistakenly wired $900 million to some hedge funds last year; in February it lost a court battle to force the lucky recipients to return the funds.
"This happens every single day," said Peter Jensen, the CEO of Rocketfuel Blockchain. "Ask the banks how many transactions are distributed incorrectly."
But unlike banks, cryptocurrency marketplaces don't have an override feature or a central authority like the Federal Reserve, and the technology behind digital money is still new enough that it's unclear what laws and regulations apply.
"There's no ability for us to reverse it," Compound's Leshner said. He added that a code update to fix the bug is in the works.
Compound contributes to its code, but does not control it — instead, users vote on all changes, which take effect with a time delay.
"The company in essence gave away free money, and they'd like to it to come back," Columbia's Farrokhnia said. "But there's no recourse — you just have to rely on the good graces of recipients to return the money."
By Monday morning, about 117,000 COMP tokens (valued at roughly $36 million) had been returned, Compound reported. "It's a sort of moral dilemma for folks," Leshner said. "I think if this were dollars accidentally appearing in a bank account, nobody would hesitate to assume it's not their property ... I think the recipients of this newfound wealth are questioning if it's theirs, if they have a right to keep it, what's the social or moral expectation of them." Aside from depleting reserves intended for future Compound users, Leshner worries the incident will do further damage to cryptocurrency's Wild West reputation. "It allows a negative narrative to take hold," he said. "It plays on the fears of people that are antagonistic to cryptocurrency — that these systems don't run smoothly, even though, when built correctly, they can operate flawlessly, without error, for decades," he said. The error has split the crypto community into two camps, Leshner said. Some people side with his argument that the tokens belong to the entire Compound community, including future participants, and should be returned. Others think of the bug as essentially a bank error in their favor. How much the error will ultimately cost future users will depend on the value of COMP tokens, which fell after the bug was reported. As of Monday, COMP tokens were worth about $317 each, according to Coinbase.