This bug happened to the crypto project Compound. I work for a crypto company that has a DeFi product that uses Compound. So I've been deep into following this since it started.
The funds sent to users were "rewards" for using the platform. Compound didn't actually lose any user funds, it was Compound's "governance token" that was given out.
Although user funds were not affected, billions of dollars have been pulled out of lending pools in Compound.
It's really unusual for a crypto project to threaten users like this. Bugs happen all the time, heck, even giant thefts due to bugs happen all the time. Everyone usually just keeps right on doing whatever they were doing.
Unfortunately the bug didn't just hand out tokens to people, it did so by messing up the stored accounting for those "lucky" users. Fixing it is not going to be trivial. Also, the tokens that it handed out already "belong" to people who had "earned" them, but not yet cashed them out. This means that once this bug is fixed, Compound is going to take the funds for this out of their own treasury to refill this so users can be paid (or face some amazing backlash).
To change the smart contracts requires a community vote and a seven day period of review, voting, and timelock. This means that it's staying broken and handing out money for the next week, and people are racing to catch as much of it as they can.
The fact that you can give away millions by mistake and do nothing about it then break the systems then do not much about it says a lot about crypto currency practicality ;) I wonder when this madness is going to stop.
I believe that the fact that bugs are hard to fix and that operations are hard to revert is a pretty common property of most crypto-currency/asset/contract and that's what makes them IMO impractical for many usages, and in particular currency.
The fact that it can happen at all when a time-proven solution has already existed for centuries is telling. I don't know why people think having irreversible transactions where no recourse, even legal, can force a reversal of the transaction, is a good thing.
The rate at which bugs like this happen isn't the dominant metric of risk here, it is that when they happen they are often catastrophic and ruinous. And so it could be that, though rare, playing in this game eventually equals ruin the longer you are in it. Good discussion of these types of risk[0], "The Logic of Risk Taking" by Taleb
Au contraire, this madness is going to become the norm for the next generation. Personally I think the more things break in the immediate future, the better.
Hopefully we will reach some sort of steady state where users keep a baseline of trustworthiness / reliability for a portion of their wealth, yet willing to occasionally play around with another portion of their wealth trying out bug-infested moonshots.
>this madness is going to become the norm for the next generation
All the hype and the news and market valuations might create the illusion that there is a lot of crypto activity, but compare the money moved through crypto to money moved across normal financial markets. SWIFT moves 5 trillion per day, Tenpay does 500 billion transactions per year. There is what, a few hundred thousand bitcoin transactions per day?
In its current state crypto does not and will not influence the lives of ordinary people who go shopping, pay their rent and whatnot.
I think most crypto-supporters overestimate how much of a police state modern banking is, and underestimate how much of a wild west the current crypto ecosystem is.
They’re willing to trade a system with reasonable and democratic oversight for a “free for all” shark infested pool that will rip from their hands their retirement fund just before they mean to retire.
I wonder how much central banks and treasuries could do to engage people on what they actually do. It's still ripe for disruption on some level, but still, people have no idea I think.
It's not thoughtful, it is hyperbolic. That's not what is going on here and this is not crypto in general. These are smart contracts which the vast majority of crypto users have no involvement in.
Yes, that is a valid point, but there are others who don't want that because then the central authority can take away your money or stop payments sent to you just because they don't like you, like what happened to Wikileaks.
Yes, it's true that in case you are in the legendary fascist state that steals your money but allows you to hide your money in crypto currency it can be useful ;) it reminds me of https://xkcd.com/538/ (note that I do not count government taxes in democratic countries as stealing, while I do think tax avoidance is stealing in that case).
And what would you call the US dollar's monetary expansion of over 40% [1] since the start of the pandemic, if not stealing?
The Cantillon Effect has never been stronger, but those that continue to measure their financial worth in a unit of account that is shrinking in its purchasing power every day are missing the point. The system _is_ stealing your savings!
Let’s not act like the infusions were for no reason. Many people are willing to incur some inflation and inflation risk in a gamble to avert a near-certain societal level catastrophe.
And which people were those? Rich people, that's who...
I agree that desperate times call for desperate measures, but there are fairer ways to fund this. Just inflating the money supply just hits asset-poor people hardest... this is the very definition of the Cantillon Effect...
It's a tiny fraction of their market cap. Mistakes happen and are fixable.
The CEO's reaction on the other hand is a complete write-off. Threatening to harm users for a situation that isn't their doing but rather yours? Childish at best.
I deposited some assets on Compound a year ago and I think I got the initial COMP airdrop.
Does this make me eligible for this glitch? There wasn't anything in the UI suggesting so, but I can skip the frontend and use the smart contract directly, with hex or bytecode if necessary
and the claimComp(address, tokenAddresses[]) method
can be used, but it's only if you supplied to some pools in the past and I'm not sure which pools. Someone told me TrueUSD but I haven't been able to confirm and I can't tell which claim transactions onchain are results of the glitch versus normal Compound UI behavior from normal users
so you would just make a transaction to the Compound Comptroller contract address with the hex data for that contract and method variables
unfortunately it seems like there are multiple Comptrollers and it's a little expensive to play around with on mainnet, I might branch off and try a few transactions in a local environment so I don't waste gas trying to figure it out on mainnet. But I really just want to be able to tell and it's weird how hard it is to find these details with all of this reporting. Hope this space matures to the point where this is the baseline level of reporting.
okay, so the main comptroller address is the one to execute against
but you had to still be supplying or borrowing, you can probably still do this now, as for some reason the comptroller still gets refilled. it seems like anybody can refill it if it gets empty. due to a "timelock" that the Compound team implemented to increase confidence in the security of the system, it also takes that amount of time to fix this issue lol.. they could really get drained if people were paying more attention
Trustless Distributed Finance sounds like money to me, if I was a hacker. Considering the forum we're on and what we know to be the actual state of computer security (hint: it's theater), it's pretty laughable.
I think it's pretty telling about the state of defi.
That a CEO of a defi project thinks that threatening to make people pay the taxes they should already be paying is some sort of leverage.
If I were running the IRS I'd be looking at Robert Leshner to make sure he's paying all the taxes he should be on his crypto given that he thinks that threatening to report trades to the IRS (that he already should be doing) will make people return their crypto gains :)
It's extra rich that this same person told Congress that they couldn't possibly report to the IRS these trades as they don't have the proper KYC docs for traders, but when those traders have "his" crypto all of a sudden he can find out who they are :)
I doubt he can actually find out who they are. It's just a nonsense tweet.
Nobody who uses Compound sends them KYC information, it's all just addresses on the blockchain, which is public data that the IRS can read just as well as Compound can. (And unlike Compound, the IRS can subpoena centralized exchanges to trace who's behind the addresses.)
Honestly I can see bitcoin ending up like this, actually transacting the bitcoins is too expensive: let's just build an accounting system where we keep a database entry of who owns a particular address.
Most all of the people in defi do, yes. It's happened a number of times now, so you'd have to work pretty hard to understand enough to use defi but not be aware of the risks.
People who interact with non-bitcoin crypto tend to be a lot more knowledgeable about the tech and its implications than an average person. So I would say the answer is probably yes.
I didn't say they were geniuses, just that they were more familiar with the tech and its implications than the average person. Smart contracts have been around for a while and we basically know the scope of the catastrophes that can result from bugs in smart contract code. The DAO hack was years ago. This is not a new problem space.
This is an irrelevant point and borderline strawman. Considering the environmental impact of proof of stake blockchains, everyone is impacted whether they use crypto or not.
It's very strange as a threat because it doesn't make sense from an incentives standpoint.
"Pay me 20 million dollars or you'll have to pay 8 million to the IRS."
That's not a difficult calculation.
It also makes the money sound more legitimate. If this was theft or hacking, I'd be afraid of criminal proceedings. But I'm not afraid of paying the IRS money when I can easily afford it.
The whole thing speaks to the CEO's worldview in a very bizarre way.
It's especially confusing because the 10% 'bounty' would also be taxable, and if they could report you to the IRS for 100% because they'd "doxed you" then one would imagine they'd be obligated to report you for 10% too.
He is getting tons of criticism over this. Not only is it not possible to dox anyone with DEFI but defeats the decentralized ethos of DEFI. And also, the 10% bug bounty would also be taxable.
> would be the taxable event from the IRS's perspective.
But you can explain that right? Cannot imagine you would be taxed on that: you would get taxed on 10% you keep though when you sell up. Or do you pay over that right away in the US?
Re: (1) I'm genuinely not sure how that would work. I suspect if you claimed you received it in error and sent it back, that would probably not incur an actual tax obligation. Not sure though, that's the kind of thing I'd want to run by a tax attorney if it was a non trivial quantity.
Re: (2) definitely, which makes the threat a lot stranger.
No, but on a serious note, I don’t think cryptocurrency will ever be a sufficient replacement for the US dollar, but I can imagine the infrastructure going into it will produce new, helpful financial tools.
Most of the value in defi is in stablecoins and most prices are quoted in dollars. Some crypto stuff will have good value accrual mechanisms, others won't. The idea crypto displaces the dollar as a reserve currency is insanity.
The US dollar is inflating at 40% year/year as measured by M2 money supply and there seems to be no end in sight. The US government is considering minting a $1 Trillion dollar coin to keep this debt-spiral going a little longer.
The idea of using the US dollar as the world’s reserve currency is an insane 50 year old experiment that won’t end well.
Wow that would be amazing if it were true or sensical or really even grounded.
Inflation in the real world isn't defined by supply but rather purchasing power as measured by CPI. Your definition is closer to the Austrian definition, long debunked because what people do with that supply is as important as its existence. The M2 supply increased 15X since the 70s but purchasing power only dropped by a factor of 7, meaning without a doubt that supply isn't the be all and end all.
TL;DR: The M2 supply is not a measure of inflation. It's just not.
Agreed. For starters population growth is part of the equation.
Consider the following scenario. There are 10 people in the world, and $100. So all being equal [1] each has $10 to spend. (Remember "money" is just a useful way of measuring accumulated social value.)
Fast forward a few years, now there are 100 people, all creating social value. To maintain the status quo the money supply must now be $1000. 0% inflation as the money supply per person is still $10.
[1] now imagine that all things are not equal. Some people add more social value than they consume. Ie their accumulated $ grows. In effect some number of $ are no longer in circulation. So more money has to be added to the supply to compensate.
Equally some company or individual may move money out of the economy and store it externally. Think cash under a mattress, or sitting in a Bahamas bank account. That money can (and must) be replaced in the system or the system will fail.
So the increase of money supply, taken as a measure by itself, is a meaningless number.
> So the increase of money supply, taken as a measure by itself, is a meaningless number.
The M2 money supply has been diluted by 40% over the past year. The population has not meaningfully changed over the past year. Official inflation is running at 5.6% (almost 3x the target) and un-official measures range from 12-20%.
All other things being equal inflating the money supply absolutely has a disproportionate effect on inflation.
You are confusing cause and effect. Prices go up over time as measured in fiat because of monetary inflation (i.e. money printing) by the Fed which dilutes the purchasing power of the dollar. M2 monetary supply inflation coupled with the velocity of money causes CPI to increase, not the other way around.
70% of all the dollars ever created were created since the invention of Bitcoin. Please substantiate your claim that Austrian economics has been debunked (in favor of modern monetary theory I suppose?) From my perspective, Austrian economics is proving itself more and more each day.
I would love to hear your explanation of how a nation can inflate its money supply by 40% in a year without affecting inflation.
Not that it is definitive proof, but these same alarm bells were going off when we drastically increased the money supply to combat the financial crisis in 2008. And inflation never happened.
The reason we aren't, at least for now, likely to see serious inflation due to the recent increase in money supply is because most of it entered the economy through the Fed's bond buying program. So the bonds went on the Fed's balance sheet and most of the money used to purchase those bonds went back on deposit with the fed.
Those bonds will either reach maturity or the fed will sell them - at which point the fed can erase that from the money supply.
But, as the other poster said, the simplified version is that money supply doesn't matter if it's not actually in circulation and being used.
> The reason we aren't, at least for now, likely to see serious inflation due to the recent increase in money supply is because most of it entered the economy through the Fed's bond buying program.
In what fairy-tale world do you live in where we are not experiencing inflation? Seriously, do I actually need to justify the fact that we are experiencing inflation as a result of money printing in a world where Biden just explained that his $3.5 Trillion dollar stimulus bill is actually going to be FREE since $3.5 Trillion = $0 in politician math?
I highly doubt that 100% of the significant increase in prices over the past year was due to supply chain issues and 0% can be attributed to the exponential increase in money supply.
Also, to the sister comment arguing that it’s all due to an increase in the size of the population, has the population increased 40% in the past year? As we begin to open up the economy the velocity of money is increasing and inflation is the natural result.
It's not that complicated. If money supply is causing the price inflation, then we should be seeing higher than usual demand. For most things, that doesn't appear to be the case. Demand may be slightly up, but supply constraints are the real issues. No one said 0% was attributable to money supply. But it is likely a small factor since, as I explained, most of that money is not even circulating.
GP wasn’t stating that a larger stock of cash is definitively not a parameter of inflation, but that it is not the only parameter.
As to your question about the other factors, here’s a thought experiment: if I printed cash daily but locked it up in a chest and sunk it to the bottom of the sea, will there be inflation? Going one step further: does inflation depend on the distribution of liquidity in the economy?
> As to your question about the other factors, here’s a thought experiment: if I printed cash daily but locked it up in a chest and sunk it to the bottom of the sea, will there be inflation? Going one step further: does inflation depend on the distribution of liquidity in the economy?
In your thought experiment, no, it would not impact inflation, but in the real world over the past year we have begun to see rates of inflation not seen in 40 years. Inflation is running at 3x the Fed’s target at a time when the Fed’s money printer is creating trillions of US dollars out of thin air.
In September 2021, anyone diminishing or dismissing the impact of money printing on inflation is being willfully ignorant or intentionally disingenuous.
This. Plus also, let's for a moment remind ourselves how reliable of a measure of inflation CPI is. Its basis is a basket of products the composition of which is opaquely tweaked to suit a particular agenda.
This makes it _less_ reliable than M1-M4 as a measure of inflation.
They might not need it if it didn't already exist, but since it does they might need to embrace it / adapt to it... also, taken at face value, some players such as Visa [0] claim it would aid with cross border transactions. "Helpful" could also apply to the users, not necessarily to the current providers they have been forced to deal with. For example, deposit institutions that allow for USDC deposits while paying out much better interest rates, and even allow USDC to be used to pay for debit card payments are "useful" as hell to me, if not the bank I pulled my money out of (to deposit in various crypto custodians like Celsius and Crypto.com for yield).
no need to do that. just convert to dai stablecoin and just let it sit for years or split it up among many defi protocols to collect interest. no way to trace it, nor any need to do anything.
Lawful intention. What the smart contract dictates isn’t necessarily the final authority, but what the intent was (per legal interpretation of state contract law).
This kinda belies the whole premise behind "smart" "contracts", doesn't it? I've always heard that the point of smart contracts is that we don't need the legal system to settle issues, because the code itself enforces the contract.
Apparently code can have bugs, and people can make mistakes? Whoops, wish we'd known those things before pouring millions into this stuff.
The intention of the parties was that the smart contract was enforced exactly as the smart contract was written: if that turns out to be unexpectedly disadvantageous for a party, then that's their problem.
I wonder if the argument will become what is the contract - essentially, is it specific transfers as implemented by the smart contract, or is it to be bound by the smart contract, even if these transfers weren't in the contemplation of the parties at formation?
This assumes a contract in addition to the smart contract. I am not sure in this case whether one could be said to exist, but certainly a truly decentralised system probably ought not to create such contracts.
Because "code is law" and if there was a bug, that was part of the law of the code. It's not fraud. If it was, the threat would have been different, right?
That headline is really misleading. That "threatening" tweet (Thursday) was followed by an apology two hours later.
"I'm trying to do anything I can to help the community get some of its COMP back, and this was a bone-headed tweet / approach. That's on me," said Leshner. "Luckily, the community is much bigger, and smarter, than just me. I appreciate your ridicule and support...."
Since then he's been engaging with the community, thanking users who are returning their money. In an interview with CoinDesk, he pointed out that "I'm personally hopeful users will return funds to the community. It's not my property, it's not their property, it's the community's property...."
What we might find out here is if 'smart contracts' are actually so smart.
If people can take each other to court on the basis of these auto transactions given the intent or nature of the contract, then, well, they're just regular contracts, aren't they.
And then they're regular assets, subject to the lawful rulings of courts aka 'The contract was executed unlawfully, you have to return XYZ funds'.
I suggest a lot of people are going to be cashing out, thinking they are above/outside the Judiciary, but eventually this will come home to roost, if not now, but later.
I'm wary that a few young lads will be made scapegoats.
So the threat is they get taxed on an unearned windfall? Spooky. It’s one thing to be afraid of a crypto exchange, quite another to be afraid of Johnny law.
And as far as getting doxed, well, more than one can play at that game. Not to mention that making that threat is not exactly earning them sympathy points.
At some point crypto holders and organizations will have to decide whether they want the law involved or not. Is it a new decentralized form of money that doesn’t need the government, or not?
The fact that getting taxed is even considered a “threat” is weird and disturbing. It’s not even a downside — 60% of a pile of free money is still a pile of free money.
You are assuming it has enough value at the time you liquidate to pay the taxes at the cost basis the transfer took place. Very similar to stock options ending up worthless you owe $large_sum_of_taxes on because the value declined after exercise but before liquidity.
1099ing recipients and causing a race to unload would nuke them.
> Elisabeth de Fontenay is a professor at Duke University's law school, and she used to be a corporate lawyer.
> DE FONTENAY: When payments are made, for example, from banks to individuals like all of us in error, we have to give it back. And in fact, if we don't give it back, the banks actually will come after you. They will sue you, and sometimes they will bring criminal cases against you.
Look at the Citibank Revlon case from last year [0]. In a clerical error, Citi sent $900m to a bunch of hedge funds, related to some Revlon debt. It asked for it back. It got about $400m. It sued for the other $500m… and lost in court.
I’m not saying this is identical to that case, which depended upon New York law. But it is far from clear-cut and I think you are being way too confident in your view, since nothing like this has ever appeared in court.
The document you cited actually supports toomuchtodo’s position:
“The law generally treats a failure to return money that is wired by mistake as unjust enrichment or conversion and requires that the recipient return such money to its sender. Under New York law (which applies here), however, there is an exception to this rule: The recipient is allowed to keep the funds if they discharge a valid debt, the recipient made no misrepresentations to induce the payment, and the recipient did not have notice of the mistake.”
I’m assuming no debt was owed to these random people.
If I am not mistaken, In Citi's case the hedge funds were going to get that money anyway but a bit later, they thought they got the money early, so they kept it.
The entire question is whether this executed smart contract will be treated as an actual binding contract.
I see no reason why it should not be - parties entered into it freely for adequate consideration. Parties were well aware they were entering into a contract ("smart contract"), and by the technical format of the contract did contemplate that they could end up with an unfavorable result due to "bugs" or other unforgiving consequences of its extremely formal definition.
This is the crux of the matter. If you've got a reason why this smart contract could possibly not end up being treated as a contract, then you need to make that argument. You can't just keep asserting that the payments are mistaken transfers without an actual argument.
Furthermore, unless/until setting aside smart contracts were to become well established case law, recipients of the windfall should be able to rely on such reasoning, making keeping the tokens decidedly not fraud or conversion.
I'm arguing the opposite. Your assertion is that a smart contract will be treated as a binding contract. Provide case law and statute that that is the case. Your belief at the moment is hope that a smart contract will be interpreted favorably by the judiciary. If you can't provide such citations, backing your assertions, it seems disingenuous to attempt to twist contract law to fit crypto reality ("taking the money and running is legal"), and even worse to advise people who have received ill gotten gains through unjust enrichment to keep them.
As always, the question is not only, "what does the contract say?" but also "how will the judge interpret the claim?" I've provided citations throughout this thread for my claims relying on existing case law.
There is no case law or statute declaring it permissible to write down a contract on a piece of drywall in French, yet it would be safe to assume that doing so would be valid. Courts generally grant wide leeway to private parties to contract how they'd like. These parties chose to enter into a contract with a highly formal definition - with all its benefits and drawbacks.
In short, I think you're the one arguing uphill. In what way does this smart contract fail to meet the standards of a bona fide contract?
The only thing I can see from you in this thread is that the "sender didn't mean to". But this isn't some value transfer external to the contract, but rather due to operation of the contract that the CEO did intend to enter (the purchaser of an options contract similarly doesn't intend to lose money). So restating that in the framework of the contract would be something like the CEO didn't contemplate the possibility of a bug causing a significant loss. I could see that having legs in the case of investors losing money, but isn't the losing party here the one that drafted the contract?
edit: I didn't delete my comment. I've got delay = 5 in my profile, and I guess there's a way you can see my comment before 5 minutes are up? It might be cleaner if you move your reply to a separate comment.
Obvious scam is obvious. Previous DeFi scams have seen founders just openly walking away with the money. This one involved some "random users" getting the money instead. Totally random, I'm sure. Totally unpredictable.
It's an all round mess.