[BIP-445] Decide on direction of restitution for affected LPs in Boosted Pool Incident

Background

After the recent exploit that occurred on Balancer, an approximate total loss of funds stands at around $980,000 on Mainnet and around another $215,000 on Optimism. A comprehensive post-mortem article about these events can be found here: Rate manipulation in Balancer Boosted Pools — technical postmortem | by Juani | Balancer Protocol | Sep, 2023 | Medium

Motivation

Returns always come with risks. Part of keeping your money in DeFi today involves frequent monitoring of your positions. At the same time there are instances of other protocols that have refunded users follow hacks.

In this case, it is believed that a majority of funds affected were stale and no longer actively managed. Therefore, simply air-dropping a full restitution of all funds to all affected LPs does not seem adequate. Instead, the passage of this BIP would give users a time-bound period to report losses occurred by aforementioned incident.

This BIP should be considered an isolate response to a specific event and not be considered precedent setting.

Scope:

The scope of this pertains to pool implementations developed by Balancer Labs, including any losses on Mainnet, Polygon, Optimism or Arbitrum resulting from the linear pool hack and described exactly in the specification below.

Fantom falls under the complete jurisdiction of Beethoven X and is not included in this proposal.

Description of Research to be Completed:

Build a facility for users to report potential losses on chain.

Widely announce a 60 day window to report, which explains that affected users are expected to use the provided UI element to report losses within this time. Funds lost from contracts or other situations that can not use the reporting system in place may post on this Forum post to get in contact with the maxis to manually register.

Complete a final report of losses per reporting address, and initiate an RFC to to validate the results and discuss options for final payment based on the report.

Specification:

Acceptance of this BIP is a decision that the research described above should be completed to determine a list of active wallets reporting losses and understand the scale of said losses. Following this further governance should be raised to decide how to handle repayment.

Looks good, but I do think that we need to keep the window open for longer than 30 days. From my understanding, not a lot of people have come forward yet.

The spirit of the proposed governance vote is such that it expects that users to pay attention within a 30-60 day window to their DeFi investment. Further they are expected to look deeper/come forward if they notice losses or potential problems/communications that they should do so by the protocols they are invested in.

By the time this governance has passed, the tool has been built and the 30 day window has past, there will have been more than enough time for anyone paying a modicum of attention to notice something went on and engage.

If there are questions around this, the reject side of the specification could be changed such that it was not a rejection of restitution outright, but simply a rejection of the currently proposed direction.

Do you have a period of time that you feel would be more suitable? What is your reasoning for this number?

I like the approach of giving a window for claiming loss; 30 or 60 days should be reasonable.

I personally think that if the decision has been made to compensate users, then fully commit to the compensation. Any specified time window would seem to be arbitrary. Just let an affected party make a claim any time, if it’s valid, honor it.

I am in favor of that proposal and believe that 30 days is plenty. The complete timeframe from disclosure until that 30 day period ends will be close to 90 days, because this will need to go through discussion and vote and the means to report needs to be built.

I think the point of this Governance is what we consider a valid claim for losses experienced when seeking returns on an investment (returns imply risk). It implies that users have a responsibility to pay attention.

I think it is quite reasonable to state that claims must be made within a reasonable period of time and that users are expected to check on their investments once a month if they are using DeFi.

Do you think that DeFi users are entitled to being paid back for anything they lose due to an exploit regardless of the circumstance and/or their own efforts (or lack thereof) to mitigate/handle said risk?

The 30 days is somewhat arbitrary, so let me ask, do you think that the 60+ days users will have had to notice and report before not being considered for restitution is an unreasonably short period of time to notice you lost money in DeFi and spend some time to figure out wha to do about it?

I have removed the section that said that a reject was a rejection of all restitution so that if this proposal is not to the linking of holders, they can vote against it and still leave room for another one.

I do not see the restitution period as a way of no longer honoring users who do not claim, but a way for common ground to be met between the affected LPs and the DAO. Leaving all funds earmarked perpetually may help neither party. If funds are never claimed, even if we push to 60 days, the DAO should be able to recover them after that period. If a user crops up after the time period ends, I do not think we should be drawing a hard line telling them they can not be restored, but can be flexible based on each user’s circumstances.

I perceive this proposal as the large wave of restitution and then if a few users come forward after the period ends, both DAO and the “late” users can determine the best way to move forward. I am ok with 60 days, 30 even is not so bad given it nearly been a month already. I support the time limit because at some point if funds are unclaimed, I do not think leaving them in redeem contracts is the best option.

Ok. So there seems to be some back-and-forth about the notice/reporting period. Let’s do a poll.

It looks like there’s actually two timelines being discussed here, 1. a deadline for claiming funds from a redeem contract, and 2. a hard cutoff for all claims, as in restitution is no longer possible after this date. To clarify, I would support a deadline for 1. 30 days, 60, it’s all reasonable and ultimately just an arbitrary number anyways. Leaving unclaimed funds in a redeem contract doesn’t make any sense, as you mentioned. For 2, hard deadline for all claims, I do think it makes sense to just leave that open in perpetuity. If we’re going to evaluate on a case by case basis, no deadline for claims is essentially what this means, unless we really do want to set a hard cutoff, in which case I would argue for a pretty long time period then, maybe like a year minimum.

I guess what these deadlines mean in the end depends on the BIP that follows, but in my mind the idea here is as follows:

• Users participate in DeFi with knowledge of some risk, and have some responsibility to manage/mitigate said risk.
• The 5 days between very wide/loud announcement and the vulnerability was not very long.
  • I saw users commenting that they were on vacation and got back to find themselves having lost funds.
• It is common and respectable in the space to compensate users unexpected protocol losses when possible.
• In this case, most users, attentive users withdrew and were not affected.

For this reason it seems reasonable that users should have some decent time to report, after which point the legitimacy to their claim to restitution is quite a bit less, in that they are not paying sufficient attention to their investments. That was the spirit in which this BIP was written.

This proposal is written such that the how late-comers will be handled is something that was left to be decided for a second BIP following the research. The BIP itself is not specific one way or another.

I have given this substantial thought from various angles, and have arrived at a perspective I feel most aligned with my principles:

Balancer operates as a decentralized protocol enabling peer-to-peer transactions through an open-source platform, distinct from a profit-seeking application. It is grounded in a collaborative ethos, pooling resources to foster development and sustain the ecosystem through the reinvestment of accumulated fees. Given that a small portion of it was compromised, and even a smaller fraction actually impacted, the equitable path seems to be one that does not automatically reimburse users who took on a greater contractual risk voluntarily. It is essential to uphold a balance where the diligent are not penalized for the actions of the less cautious, particularly when gains have not been communally shared. If we are to pay now just because “we can”, where is the line drawn if “we can’t”?

However, we must also consider the image and perception of Balancer in the wider community. Balancer is to be seen as operating for the public-good, and this could portray us as a for-profit entity, subsequently raising expectations of a higher level of responsibility over the code and its ramifications than the community would prefer. This could inadvertently lead us down a path of increased regulations, forcing our hand against the DeFi nature.

Initiating a 30 to 60-day window for governance to scrutinize the number/volume of reclamants is a process would not guarantee refunds, but would serve as a starting point to find a compromise that respects the community’s collaborative spirit.

I’m assuming it would take substantial man-hours to adequately address this issue, a time that might be channeled more productively elsewhere. But, a detailed assessment should help in deciding whether this initiative warrants the effort, considering the broader objectives and long term sustainability of the protocol.

I think this is very insightful. The action of a refund actually suggests centralization as well. I hold a pretty similar view, which would be a preference towards a) no refunds for all, but if refunds must be made, then I would favor b) refunds for all. Us picking and choosing which users get refunds, which we would essentially be doing with a time limit, is pretty centralized, even if we cover it with a vote from the DAO.

I think my concern here is that not everyone is going to make a fuss, some people might just see this first BIP, see the deadline, and be like, oh, I missed it, well, I lose, gg. Maybe that is what we want. But sometimes people just go MIA in crypto for no reason at all. I still go around today collecting things from old wallets I totally forgot about, it’s a nice surprise. It’s true that I wasn’t paying attention to those projects, but I didn’t treat them as an investment. Technically, that’s not supposed to be happening here as well. People are accumulating governance power, not making investments. I think if you’re going to take the “buyer beware, risks are on you” stance, then Danko’s line of reasoning is more sound–no refunds needed at all. We’re doing a half way thing here that seems a bit weird to me, risks are on you, but wait, maybe they aren’t, if we feel generous.

I think a 30 day notice period is way enough (and most people seem to agree from the poll). If we count the time since the announcement of the vulnerability and technical post-mortem, there has been plenty of time for any user of our protocol to register that there has been an issue. As stated by @0xDanko and others, managing funds in DeFi is self-custodian and requires some kind of active management and I argue checking funds at least once a month sounds reasonable.
As a result, I wouldn’t perform an airdrop as most likely a lot of wallets may be lost / not-recoverable and we would throw away funds. Therefore, it makes sense to filter out dormant wallets in this way.

Thanks for contributing to this discussion Franklin!

Maybe I’m missing something in your rationale but I don’t see how what you were suggesting:

Is different from this:

In both cases people who pay attention in whatever window the DAO defines (30, 60 days) will get their funds back, if they miss it they will not.

The difference is only that in what’s being proposed the DAO knows beforehand how much will be refunded, compared to your option where all the funds lost would have to be put in a redeem contract and then the DAO would claw back an unknown amount after the deadline.

At the end of the day the DAO cannot prohibit itself from considering future claims, anyone can make a claim and ask for a vote. However this BIP passing means a directive that, unless something extraordinary is brought up, claims will be disregarded so this matter is closed and we can all move on.

I think the difference in my mind here is that setting a deadline might cause affected users reading the BIP to think that they have no recourse once the deadline has passed, when in actuality, they could bring a claim any time.

We just did a big back-and-forth on this with the Balancer Maxis, and I think the conclusion that we came to was that no refunds at all was too draconian and would cause friction for those that interact w/ other projects on Balancer’s behalf. I do see the value of compromise to make lives easier. My only concern, at the end of the day, is that 30 days just seems to be too short of a deadline. Since the primary goal of this refund would be to maintain good public relations, it seems logical to commit to that and perhaps make a more generous gesture. Perhaps this can be accomplished in the language of the BIP itself–touting the benefits of the refund first and the magnanimity of the action, rather than focusing on the cut-off period. Like I jokingly mentioned to Tritium, even those junk class action mailers for things like FTX losses give you at least 6 months to claim or something like that.

Note that as there is still an ongoing conversation, we will wait until at least next week to post this BIP to snapshot.

Makes sense, I changed my vote to 60 days on the poll, to me that doesn’t make much of a difference tbh.

I agree with this proposal and with the proposed timeframe.

In my personal opinion, users had enough time to withdraw funds before any exploit happened, and this is the reason that the exploited funds are only a small portion of the initial funds at risks. Using DeFi platforms poses a handful of risks and it requires active monitoring. These risks normally come with outsized rewards. So indeed it requires active monitoring of your positions. Balancer shouldn’t be giving away grants for those that fail to do their due diligence. 30 days (+ all the time that users had to withdraw prior to the exploit, + all the time that they had to reach out/realise the restitution of funds was happening) is more than enough.

I would vote for a longer period to make a claim like 60 or even 90 days and then can redeem the funds within a year. I don’t think there is a big risk of getting that wrong though and doing 30 days.

I am not sure the benefits of a shorter claim period but certainly think there should be a fixed period where the DAO commits resources to helping folks redeem lost funds from this exploit. Would be open to arguments on the benefits of a short claim period but I don’t see strong ones at the moment.

Details matter, but the general intention of this BIP is a good one. I don’t think there will be a solution where everyone is happy but debate is good.

Separately, kudos to the white hat for finding the vulnerability and to the Labs team for handling it so well.