Last week a ‘free money’ bug on Compound caused some users to be able to claim far more COMP than they were supposed to, creating an estimated potential max loss of $147m / 490k COMP to the protocol. These ‘free money’ bugs aren’t common, but they’re not exactly unheard of either, as other top-tier DeFi projects like Alchemix have also previously been impacted.
As you might imagine, calls quickly came in for the funds to be returned, but a chorus rose up to protest that “code is law” and therefore whoever received funds is entitled to keep them. In this post I’m going to explain exactly what we mean by “code is law”, how that’s different from a cultural code, and why I hope you’ll agree the funds should be returned.
The phrase “code is law” captures the cypherpunk ethos of using the unflinching rules of math and physics rather than man-made laws, which can be manipulated or misinterpreted, to assure individual liberty. Cypherpunks write code and in doing so build the universe they work in and the rulesets that govern it. The blockchain protocols we all know and love exist to enshrine code as law; if they don’t, they’re no better than databases.
If we dig into “code is law” what we find is a framework that reliably produces predictable outcomes — each set of inputs results in a deterministic output regardless of how we feel about it. In Compound’s case, that means that no matter how much the Compound community wished they could roll back their contract or deploy a hotfix, they couldn’t, and would need to operate within the ruleset they’ve already enshrined in code. Long term, we want “code is law” to remain true no matter who doesn’t like the deterministic output, whether it’s corporations, dictators, or anyone.
Everyone who incorrectly received COMP from the ‘free money’ bug is able to claim it and keep it, and no one is able to stop them. This is good, because if we want the system to be uncensorable, it has to be that way consistently. Code IS law.
However, just because everyone could keep the money doesn’t mean they should. This is where the cultural code comes in.
A cultural code is a set of standardized or normative conventions, expectations, or signifying practices in a particular domain that would be familiar to members of a specific culture or subculture. Ethereum’s greatest superpower is its community and this community has a culture of kindness, curiosity, and principles. We’re all along for this crazy wild ride that is crypto and say gm and wagmi to each other because we truly want our peers, and hell, sometimes even our competitors to be successful.
A cultural code is crucial to Ethereum’s continued success and the root of our code is doing the right thing. Strategically, this fundamental cornerstone enables us to continue prioritizing decentralization over shortcuts to scalability, technical innovation over ossification, and inclusion over exclusion. Tactically, it has profit-driven entities like miners returning $23m fat-fingered tx fees, which is completely unheard of in legacy industries.
What does Ethereum’s cultural code tell us about the COMP bug? It is, frankly, obvious that there is a clearly right answer and a wrong one. Compound is a pillar of our community. They birthed yield farming and have invested in the success of what feels like half of the DeFi ecosystem. If someone erroneously received too much COMP, the right thing to do is to give it back.
It is well known that individuals tend to copy behaviours that are common among other people — a phenomenon known as the descriptive norm effect. This effect has been successfully used many times to promote prosocial behavior like organ donation registration. It is best to give the COMP back publicly to take advantage of the descriptive norm effect and to publicly recognize people who do so. Set and uphold the cultural code and others will do the same.
Ironically, the cultural code proved itself out when Robert broke it by threatening folks with the IRS / doxxing. He was immediately dunked on as the community turned against him and Compound, greatly diminishing the odds users would return funds. Contrast this with Alchemix’s approach.
Alchemix worked with POAP, a beloved community standard for recognizing individuals and recording experiences and accomplishments. They leveraged the cultural code and got results in that moment, but also protected their long-term reputation.
Compound has since pivoted to the Alchemix approach, but the damage is done. Folks should still return the funds because it’s the right thing to do, but this is a good learning experience for how the cultural code applies to all of us.
What would Ethereum look like if we followed “code is law” without a cultural code? A world of black hats, secrecy, and anxiety. Should Paradigm have drained their Twitter-nemesis Sushiswap for $350m of user funds? Should projects keep all their code closed-source and launch attacks on their competitors? If a contract is upgradeable, do we want to consider the multisig operators as within their rights to rug pull and drain the funds? After all, their ability to do so was written in code and code is law.
I don’t want to live in a world where we have “code is law” without a cultural code. It’s even worse than legacy finance, and that’s saying something.
Ethereum enshrines both “code is law” and the “cultural code.” They are both real, true, and necessary. So if we must have a cultural code, let’s make it a good one.
Thank you to Mark Forscher, Rocco, Sarah Tavel, banteg, Evan Weiss, Elias Simos, Brendan Forster, Shaun Martinak, Conor Grogan, Cam Boyce, and @scupytrooples for providing feedback on this post before publication.
*Disclosure: I own a minuscule amount of COMP (it’s the smallest proportion of my portfolio of all my assets).