
This bug happened to the crypto project Compound. I work for a crypto company that has a DeFi product that uses Compound. So I've been deep into following this since it started.

The funds sent to users were "rewards" for using the platform. Compound didn't actually lose any user funds, it was Compound's "governance token" that was given out.

Although user funds were not affected, billions of dollars have been pulled out of lending pools in Compound.

It's really unusual for a crypto project to threaten users like this. Bugs happen all the time, heck, even giant thefts due to bugs happen all the time. Everyone usually just keeps right on doing whatever they were doing.

Unfortunately the bug didn't just hand out tokens to people, it did so by messing up the stored accounting for those "lucky" users. Fixing it is not going to be trivial. Also, the tokens that it handed out already "belong" to people who had "earned" them, but not yet cashed them out. This means that once this bug is fixed, Compound is going to take the funds for this out of their own treasury to refill this so users can be paid (or face some amazing backlash).

To change the smart contracts requires a community vote and a seven day period of review, voting, and timelock. This means that it's staying broken and handing out money for the next week, and people are racing to catch as much of it as they can.

It's an all round mess.




The fact that you can give away millions by mistake and do nothing about it then break the systems then do not much about it says a lot about crypto currency practicality ;) I wonder when this madness is going to stop.


Your comment reminds me of that xkcd: wow you suck at math vs wow girls suck at math, where girls equals crypto.

1 crypto project out of thousands does not represent them all.

the reason this tweet is even being discussed is because it is so unusual.


I believe that the fact that bugs are hard to fix and that operations are hard to revert is a pretty common property of most crypto-currency/asset/contract and that's what makes them IMO impractical for many usages, and in particular currency.


How many crypto bugs to date have you followed that you would classify as harder to resolve than its more traditional counterpart?


The fact that it can happen at all when a time-proven solution has already existed for centuries is telling. I don't know why people think having irreversible transactions where no recourse, even legal, can force a reversal of the transaction, is a good thing.


The rate at which bugs like this happen isn't the dominant metric of risk here, it is that when they happen they are often catastrophic and ruinous. And so it could be that, though rare, playing in this game eventually equals ruin the longer you are in it. Good discussion of these types of risk[0], "The Logic of Risk Taking" by Taleb

[0] https://medium.com/incerto/the-logic-of-risk-taking-107bf410...


I mean, maybe not on this scale, but this happens with checking accounts all the time. Wire the money to the wrong account #? Tough luck.


Au contraire, this madness is going to become the norm for the next generation. Personally I think the more things break in the immediate future, the better.

Hopefully we will reach some sort of steady state where users keep a baseline of trustworthiness / reliability for a portion of their wealth, yet willing to occasionally play around with another portion of their wealth trying out bug-infested moonshots.


>this madness is going to become the norm for the next generation

all the hype and the news and market valuations might create the illusion that there is a lot of crypto activity but compare the money moved through crypto to money moved across normal financial markets. SWIFT moves 5 trillion per day, Tenpay does 500 billion transactions per year. There is what, a few hundred thousand bitcoin transactions per day?

In its current state crypto does not and will not influence the lives of ordinary people who go shopping, pay their rent and whatnot.


> it says a lot about crypto currency practicality

Isn't that a feature not a bug?

You don't want a central authority like a govt or a corporation messing with your money (tokens).


I think most crypto-supporters overestimate how much of a police state modern banking is, and underestimate how much of a wild west the current crypto ecosystem is.

They’re willing to trade a system with reasonable and democratic oversight for a “free for all” shark infested pool that will rip from their hands their retirement fund just before they mean to retire.


This is a thoughtful comment.

I wonder how much central banks and treasuries could do to engage people on what they actually do. It's still ripe for disruption on some level, but still, people have no idea I think.


It's not thoughtful, it is hyperbolic. That's not what is going on here and this is not crypto in general. These are smart contracts which the vast majority of crypto users have no involvement in.


I'm pretty sure I do want people and banks to be able to get back millions they have given away because of a bug :)



Yes, that is a valid point, but there are others who don't want that because then the central authority can take away your money or stop payments sent to you just because they don't like you, like what happened to Wikileaks.


Yes, it's true that in case you are in the legendary fascist state that steals your money but allows you to hide your money in crypto currency it can be useful ;) it reminds me of https://xkcd.com/538/ (note that I do not count government taxes in democratic countries as stealing, while I do think tax avoidance is stealing in that case).


And what would you call the US dollar's monetary expansion of over 40% [1] since the start of the pandemic, if not stealing?

The Cantillon Effect has never been stronger, but those that continue to measure their financial worth in a unit of account that is shrinking in its purchasing power every day are missing the point. The system _is_ stealing your savings!

[1]: https://fred.stlouisfed.org/series/M1SL


Let’s not act like the infusions were for no reason. Many people are willing to incur some inflation and inflation risk in a gamble to avert a near-certain societal level catastrophe.


and which people were those? rich people, that's who...

I agree that desperate times call for desperate measures, but there are fairer ways to fund this. Just inflating the money supply just hits asset-poor people hardest... this is the very definition of the Cantillon Effect...


Which of these fairer mechanisms were actually practically available to us on the time frame and scale that we needed them?


taxing big tech properly?


>It's an all round mess.

It's a tiny fraction of their market cap. Mistakes happen and are fixable.

The CEO's reaction on the other hand is a complete write-off. Threatening to harm users for a situation that isn't their doing but rather yours? Childish at best.


Hey can you elaborate on how to claim?

I deposited some assets on Compound a year ago and I think I got the initial COMP airdrop

Does this make me eligible for this glitch? There wasn't anything in the UI suggesting so, but I can skip the frontend and use the smart contract directly, with hex or bytecode if necessary

Just not sure what to look for


it looks like the

claimComp(address) method

and the claimComp(address, tokenAddresses[]) method

can be used, but it's only if you supplied to some pools in the past and I'm not sure which pools. Someone told me TrueUSD but I haven't been able to confirm and I can't tell which claim transactions onchain are results of the glitch versus normal Compound UI behavior from normal users

so you would just make a transaction to the Compound Comptroller contract address with the hex data for that contract and method variables

unfortunately it seems like there are multiple Comptrollers and it's a little expensive to play around with on mainnet, I might branch off and try a few transactions in a local environment so I don't waste gas trying to figure it out on mainnet. But I really just want to be able to tell and it's weird how hard it is to find these details with all of this reporting. Hope this space matures to the point where this is the baseline level of reporting.


okay, so the main comptroller address is the one to execute against

but you had to still be supplying or borrowing, you can probably still do this now, as for some reason the comptroller still gets refilled. it seems like anybody can refill it if it gets empty. due to a "timelock" that the Compound team implemented to increase confidence in the security of the system, it also takes that amount of time to fix this issue lol.. they could really get drained if people were paying more attention


Trustless Distributed Finance sounds like money to me, if I was a hacker. Considering the forum we're on and what we know to be the actual state of computer security (hint: it's theater), it's pretty laughable.


Wow, really sounds like this is the signal to everyone that Compound is too incompetent to be in the Dunning-Krugerrand pyramid scheme market.



