Restore brand trust in Balancer by assisting users affected by the DNS hack, allowing them to immediately recover 75% of lost funds while Balancer continues to investigate this incident. Users claiming immediate restitution shall forfeit all further claims relating to this incident, with any further recovery accruing to the Balancer DAO.
On September 19, the Balancer frontend was attacked via social engineering of EuroDNS, the domain registrar for the .fi TLD.
Due to prompt action from community members, damage was mitigated, and control was quickly restored.
Unfortunately, users interacting with the Balancer frontend while the attack was ongoing were affected. Final damage numbers have not been published. However, rough estimates would be around 200-300K USD.
Brand trust is the public’s perception of a brand’s reliability and trustworthiness, as informed by both personal experience and marketing communication. It’s a complex concept that encompasses a variety of factors, including security and privacy, product quality, customer service, brand mission and values, and political or philanthropic efforts. In crypto, brand trust is an important, and arguably the most vital, differentiator between comparable products in competitive market conditions.
Brand trust is a critical component of brand loyalty. Customers who trust a brand are more likely to utilize it again, even if they have a negative experience from time to time or one-off experiences that don’t meet their expectations.
Consistency is another strong component of successful branding. Communicating the same values in the same voice at every customer touchpoint, treating all users alike, is important in creating an authentic brand. Inconsistent actions are unpredictable, and unpredictability dissuades consumers.
[BIP-XXX] Decide on direction of restitution for affected LPs in Boosted Pool Incident is an excellent example of striving to restore brand trust. While Balancer is neither obligated to provide restitution, nor responsible for user actions, the community has nonetheless found it worthwhile to seek a resolution to the first hack and make its users whole.
Similarly, Balancer should attempt to take any possible actions within its power to mitigate harm caused by the second hack to known, affected users. We propose that verified actors affected by the DNS hack be allowed to claim 75% of their lost funds from Balancer while it continues to investigate this incident, forfeiting further claims to their lost funds, with any additional funds recovered going to the Balancer DAO. By doing so, Balancer will not only be able to restore, but also grow its brand trust, which will be essential if it seeks to succeed in the long term. In today’s competitive marketplace, users have more choices than ever before and are increasingly demanding, especially regarding consumer security and safety. Consumers want to interact with brands, like Balancer, that can provide a safe transactional environment and a positive overall experience.
Upon approval of this BIP, immediately send $117,806.25 USDC (72.0528468675 ETH) to address 0xD14f076044414C255D2E82cceB1CB00fb1bBA64c, a verified, known, affected wallet whose owner will provide an on-chain signature for wallet verification referencing this BIP in the comments below, along with a statement forgoing all further claims to restitution. The amount to be sent is 75% of the $157,075 USD (96.07046249 ETH) total lost by this wallet during the attack period across 5 transactions, which can be verified on chain here.
1. The max budget for this program shall be 350K USD.
2. A 60 day reporting window shall be announced via appropriate channels, including Discord and Twitter, following approval of this BIP, with a second reminder at 30 days and a final reminder in the final week before the deadline. The 60 day claim period will start upon announcement of the claim window.
3. To submit claims, users will verify wallet ownership and report any DNS hack losses via a Google Form, which shall be prepared by a volunteer committee of 5 well-qualified, objective individuals with experience in DeFi opsec, who shall serve as a technical advisory committee to process these transactions. Because a widely used Angel Drainer kit was used in this attack, it is not possible to determine whether tokens drained during the timeframe of the attack were from user interactions with the Balancer frontend or from elsewhere. Some blockers can be put in place to prevent potential double-dipping by the attacker himself, such as gathering identifying information on the claim form. But ultimately, whether a user making a claim was truly affected will come down to a human call. If the committee reviews a claim, finds it satisfactory, submits a BIP, and governance approves that BIP, then that claim is legitimized.
4. To validate and approve claims, the committee will verify the address and transaction details on Etherscan, arriving at an independent total to be compared against details submitted on the Google Form. Should the details match, the claim shall be recommended for processing. Should the details conflict, the claim will be rejected for resubmission.
5. To execute, the committee will aggregate all claims in batches and prepare two BIPs to be approved by governance: one BIP to be submitted 30 days after the start of the 60 day claim period, the second BIP to be submitted at the 60 day deadline. Each BIP shall include a list of affected wallet addresses and amounts, and shall be sent to the Balancer DAO signers on the Tuesday following its approval, who shall use the transaction builder to execute one multi-send transaction paying the verified amounts to the affected wallets.
6. Further claims following the 60 day period will require a new BIP and must go through governance.
To ensure the effectiveness of public relations campaigns, immediate action is necessary. Consequently, we’d respectfully request that this BIP be moved to vote this week.
The DAO Multisig 0x10A19e7eE7d7F8a52822f6817de8ea18204F2e4f will interact with USDC 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 by writing transfer, passing the affected user address identified as auramaxi.eth as the recipient, 0xD14f076044414C255D2E82cceB1CB00fb1bBA64c, and amount
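As an added example (not part of this BIP or of Balancer's tooling), the following Python shows how a multisig signer can independently check the queued USDC transfer before signing: it derives the 75% restitution figure from the stated loss, converts it to USDC's 6-decimal base units, encodes the standard ERC-20 `transfer(address,uint256)` calldata, and decodes a candidate calldata to confirm recipient and amount match the BIP. The contract and recipient addresses are those stated above; the selector `0xa9059cbb` is the standard ERC-20 transfer selector.

```python
from decimal import Decimal

# Values as stated in the BIP text (mainnet USDC contract and the affected wallet).
USDC = "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48"
RECIPIENT = "0xD14f076044414C255D2E82cceB1CB00fb1bBA64c"
USDC_DECIMALS = 6
# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 selector.
TRANSFER_SELECTOR = "a9059cbb"


def to_units(amount: str, decimals: int = USDC_DECIMALS) -> int:
    """Convert a human-readable token amount to integer base units.
    Rejects negative values and anything that would be silently truncated."""
    scaled = Decimal(amount) * (Decimal(10) ** decimals)
    if scaled < 0 or scaled != scaled.to_integral_value():
        raise ValueError(f"{amount} is not representable with {decimals} decimals")
    return int(scaled)


def restitution_units(total_lost_usd: str, share: str = "0.75") -> int:
    """75% of the stated loss, in USDC base units (e.g. 157075 -> 117806250000)."""
    return to_units(str(Decimal(total_lost_usd) * Decimal(share)))


def encode_transfer(to: str, amount_units: int) -> str:
    """ABI-encode transfer(to, amount): selector + 32-byte address + 32-byte uint."""
    addr = to.lower().removeprefix("0x")
    if len(addr) != 40 or set(addr) - set("0123456789abcdef"):
        raise ValueError("recipient is not a 20-byte hex address")
    return "0x" + TRANSFER_SELECTOR + addr.rjust(64, "0") + format(amount_units, "064x")


def decode_transfer(calldata: str) -> tuple[str, int]:
    """Inverse of encode_transfer; fails closed on any other call shape."""
    data = calldata.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != TRANSFER_SELECTOR:
        raise ValueError("not an ERC-20 transfer(address,uint256) call")
    addr_word, amount_word = data[8:72], data[72:136]
    if addr_word[:24] != "0" * 24:
        raise ValueError("address word carries non-zero padding")
    return "0x" + addr_word[24:], int(amount_word, 16)


def matches_bip(calldata: str, expected_to: str, total_lost_usd: str) -> bool:
    """Signer-side check: does the queued call pay exactly 75% of the stated
    loss to exactly the address named in the BIP?"""
    to, units = decode_transfer(calldata)
    return to == expected_to.lower() and units == restitution_units(total_lost_usd)
```

Run `matches_bip(encode_transfer(RECIPIENT, 117806250000), RECIPIENT, "157075")` to confirm the amount in the proposal text; a calldata whose recipient or amount deviates by even one base unit returns False.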