[BIP-445] Decide on direction of restitution for affected LPs in Boosted Pool Incident

Background

After the recent exploit that occurred on Balancer, an approximate total loss of funds stands at around $980,000 on Mainnet and around another $215,000 on Optimism. A comprehensive post-mortem article about these events can be found here: https://medium.com/balancer-protocol/rate-manipulation-in-balancer-boosted-pools-technical-postmortem-53db4b642492

Motivation

Returns always come with risks. Part of keeping your money in DeFi today involves frequent monitoring of your positions. At the same time there are instances of other protocols that have refunded users follow hacks.

In this case, it is believed that a majority of funds affected were stale and no longer actively managed. Therefore, simply air-dropping a full restitution of all funds to all affected LPs does not seem adequate. Instead, the passage of this BIP would give users a time-bound period to report losses occurred by aforementioned incident.

This BIP should be considered an isolate response to a specific event and not be considered precedent setting.

Scope:

The scope of this pertains to pool implementations developed by Balancer Labs, including any losses on Mainnet, Polygon, Optimism or Arbitrum resulting from the linear pool hack and described exactly in the specification below.

Fantom falls under the complete jurisdiction of Beethoven X and is not included in this proposal.

Description of Research to be Completed:

Build a facility for users to report potential losses on chain.

Widely announce a 60 day window to report, which explains that affected users are expected to use the provided UI element to report losses within this time. Funds lost from contracts or other situations that can not use the reporting system in place may post on this Forum post to get in contact with the maxis to manually register.

Complete a final report of losses per reporting address, and initiate an RFC to to validate the results and discuss options for final payment based on the report.

Specification:

Acceptance of this BIP is a decision that the research described above should be completed to determine a list of active wallets reporting losses and understand the scale of said losses. Following this further governance should be raised to decide how to handle repayment.

The spirit of the proposed governance vote is such that it expects that users to pay attention within a 30-60 day window to their DeFi investment. Further they are expected to look deeper/come forward if they notice losses or potential problems/communications that they should do so by the protocols they are invested in.

By the time this governance has passed, the tool has been built and the 30 day window has past, there will have been more than enough time for anyone paying a modicum of attention to notice something went on and engage.

If there are questions around this, the reject side of the specification could be changed such that it was not a rejection of restitution outright, but simply a rejection of the currently proposed direction.

Do you have a period of time that you feel would be more suitable? What is your reasoning for this number?

I like the approach of giving a window for claiming loss; 30 or 60 days should be reasonable.

I am in favor of that proposal and believe that 30 days is plenty. The complete timeframe from disclosure until that 30 day period ends will be close to 90 days, because this will need to go through discussion and vote and the means to report needs to be built.

I think the point of this Governance is what we consider a valid claim for losses experienced when seeking returns on an investment (returns imply risk). It implies that users have a responsibility to pay attention.

I think it is quite reasonable to state that claims must be made within a reasonable period of time and that users are expected to check on their investments once a month if they are using DeFi.

Do you think that DeFi users are entitled to being paid back for anything they lose due to an exploit regardless of the circumstance and/or their own efforts (or lack thereof) to mitigate/handle said risk?

The 30 days is somewhat arbitrary, so let me ask, do you think that the 60+ days users will have had to notice and report before not being considered for restitution is an unreasonably short period of time to notice you lost money in DeFi and spend some time to figure out wha to do about it?

I have removed the section that said that a reject was a rejection of all restitution so that if this proposal is not to the linking of holders, they can vote against it and still leave room for another one.

I do not see the restitution period as a way of no longer honoring users who do not claim, but a way for common ground to be met between the affected LPs and the DAO. Leaving all funds earmarked perpetually may help neither party. If funds are never claimed, even if we push to 60 days, the DAO should be able to recover them after that period. If a user crops up after the time period ends, I do not think we should be drawing a hard line telling them they can not be restored, but can be flexible based on each user’s circumstances.

I perceive this proposal as the large wave of restitution and then if a few users come forward after the period ends, both DAO and the “late” users can determine the best way to move forward. I am ok with 60 days, 30 even is not so bad given it nearly been a month already. I support the time limit because at some point if funds are unclaimed, I do not think leaving them in redeem contracts is the best option.

Ok. So there seems to be some back-and-forth about the notice/reporting period. Let’s do a poll.

I guess what these deadlines mean in the end depends on the BIP that follows, but in my mind the idea here is as follows:

• Users participate in DeFi with knowledge of some risk, and have some responsibility to manage/mitigate said risk.
• The 5 days between very wide/loud announcement and the vulnerability was not very long.
  • I saw users commenting that they were on vacation and got back to find themselves having lost funds.
• It is common and respectable in the space to compensate users unexpected protocol losses when possible.
• In this case, most users, attentive users withdrew and were not affected.

For this reason it seems reasonable that users should have some decent time to report, after which point the legitimacy to their claim to restitution is quite a bit less, in that they are not paying sufficient attention to their investments. That was the spirit in which this BIP was written.

This proposal is written such that the how late-comers will be handled is something that was left to be decided for a second BIP following the research. The BIP itself is not specific one way or another.

I have given this substantial thought from various angles, and have arrived at a perspective I feel most aligned with my principles:

Balancer operates as a decentralized protocol enabling peer-to-peer transactions through an open-source platform, distinct from a profit-seeking application. It is grounded in a collaborative ethos, pooling resources to foster development and sustain the ecosystem through the reinvestment of accumulated fees. Given that a small portion of it was compromised, and even a smaller fraction actually impacted, the equitable path seems to be one that does not automatically reimburse users who took on a greater contractual risk voluntarily. It is essential to uphold a balance where the diligent are not penalized for the actions of the less cautious, particularly when gains have not been communally shared. If we are to pay now just because “we can”, where is the line drawn if “we can’t”?

However, we must also consider the image and perception of Balancer in the wider community. Balancer is to be seen as operating for the public-good, and this could portray us as a for-profit entity, subsequently raising expectations of a higher level of responsibility over the code and its ramifications than the community would prefer. This could inadvertently lead us down a path of increased regulations, forcing our hand against the DeFi nature.

Initiating a 30 to 60-day window for governance to scrutinize the number/volume of reclamants is a process would not guarantee refunds, but would serve as a starting point to find a compromise that respects the community’s collaborative spirit.

I’m assuming it would take substantial man-hours to adequately address this issue, a time that might be channeled more productively elsewhere. But, a detailed assessment should help in deciding whether this initiative warrants the effort, considering the broader objectives and long term sustainability of the protocol.

I think a 30 day notice period is way enough (and most people seem to agree from the poll). If we count the time since the announcement of the vulnerability and technical post-mortem, there has been plenty of time for any user of our protocol to register that there has been an issue. As stated by @0xDanko and others, managing funds in DeFi is self-custodian and requires some kind of active management and I argue checking funds at least once a month sounds reasonable.
As a result, I wouldn’t perform an airdrop as most likely a lot of wallets may be lost / not-recoverable and we would throw away funds. Therefore, it makes sense to filter out dormant wallets in this way.

Thanks for contributing to this discussion Franklin!

Maybe I’m missing something in your rationale but I don’t see how what you were suggesting:

Is different from this:

In both cases people who pay attention in whatever window the DAO defines (30, 60 days) will get their funds back, if they miss it they will not.

The difference is only that in what’s being proposed the DAO knows beforehand how much will be refunded, compared to your option where all the funds lost would have to be put in a redeem contract and then the DAO would claw back an unknown amount after the deadline.

At the end of the day the DAO cannot prohibit itself from considering future claims, anyone can make a claim and ask for a vote. However this BIP passing means a directive that, unless something extraordinary is brought up, claims will be disregarded so this matter is closed and we can all move on.

Note that as there is still an ongoing conversation, we will wait until at least next week to post this BIP to snapshot.

Makes sense, I changed my vote to 60 days on the poll, to me that doesn’t make much of a difference tbh.

I agree with this proposal and with the proposed timeframe.

In my personal opinion, users had enough time to withdraw funds before any exploit happened, and this is the reason that the exploited funds are only a small portion of the initial funds at risks. Using DeFi platforms poses a handful of risks and it requires active monitoring. These risks normally come with outsized rewards. So indeed it requires active monitoring of your positions. Balancer shouldn’t be giving away grants for those that fail to do their due diligence. 30 days (+ all the time that users had to withdraw prior to the exploit, + all the time that they had to reach out/realise the restitution of funds was happening) is more than enough.

I would vote for a longer period to make a claim like 60 or even 90 days and then can redeem the funds within a year. I don’t think there is a big risk of getting that wrong though and doing 30 days.

I am not sure the benefits of a shorter claim period but certainly think there should be a fixed period where the DAO commits resources to helping folks redeem lost funds from this exploit. Would be open to arguments on the benefits of a short claim period but I don’t see strong ones at the moment.

Details matter, but the general intention of this BIP is a good one. I don’t think there will be a solution where everyone is happy but debate is good.

Separately, kudos to the white hat for finding the vulnerability and to the Labs team for handling it so well.

I just changed my vote to 60 days as there seems to be some momentum in this direction and we should error on the side of caution.

The conversation seems to have quieted down. @Xeonus I suggest we post this BIP to snapshot for this week, taking whichever option has the most votes at the time of snapshot (30 day or 60 day), using 60 day if there is a tie.

Thank you to everyone who took part in this conversation. These are important things to discuss and decide together.

https://snapshot.org/#/balancer.eth/proposal/0x576e698cd8649dd6a6a2456f06c4648bb0d95e35da000c51c82f243774b7ef9f