An error in the Compound DeFi platform saw it distribute millions in tokens by mistake. Then on Sunday, people started taking more.
A glitch in a smart contract on the Compound decentralised finance platform has left a pool of almost €134 million in cryptocurrency up for grabs.
Last week, the DeFi platform mistakenly distributed around €77 million worth of the Comp cryptocurrency to users after an upgrade went awry and started giving out far more of the tokens than it was supposed to.
On Sunday, it emerged that the error was worse than first thought, as an unidentified user took advantage of the bug to send a further €59 million of Comp coins to a distribution pool known as Comptroller.
Users were then able to withdraw the crypto from Comptroller, exploiting the same glitch to take almost €19 million worth of the tokens.
Compound founder Robert Leshner took to Twitter to ask for the tokens back, sparking controversy in the process by seemingly threatening to "doxx" users - in this case implying Compound would send their details to tax authorities.
Leshner confirmed on Sunday that the incident had brought the total Comp at risk "to approximately 490k", which at the time of writing is worth €133,995,524.
Established in 2018, Compound is one of many DeFi platforms that use so-called "smart contracts" to automate transactions.
How did this happen?
After the initial glitch was discovered last Thursday, Comp users came up with a proposal to patch it.
However, the "decentralised" nature of DeFi can mean that any updates take time to filter through.
In Compound's case, proposals need two days for review, three days for voting, and then a further two days before being implemented, meaning a full week passes before any change takes place.
Leshner confirmed that there was nothing anyone could do to fix the bug more quickly, tweeting, "there are no admin controls or community tools to disable the Comp distribution; any changes to the protocol require a seven-day governance process to make their way into production".
The seven-day delay gave users time to figure out how to exploit a function called "drip()" to send more Comp to the Comptroller pool for distribution, with users claiming thousands of the tokens.
Information from Ethereum blockchain data service Etherscan showed a large spike in activity in the Comptroller pool last Thursday, followed by another on Sunday.