This BIP is concerning what to do with $376k USD in losses reported pertaining to the linear pool hack from last year.
It proposes back paying holders 75% of the lost value in BAL by way of a direct airdrop based on the discussion held here: [RFC] Linear pool hack restitution.
If passed, BAL amounts will be finally calculated based on pricing before a direct airdrop TX is loaded. Based on current pricing the total amount is 75,475 $BAL.
If any users bring up concerns about being dropped BAL, they may request themselves to be removed before the final payload is loaded on Monday. We can then handle that in separate governance.
Last year, a whitehat found a vulnerability in Balancer’s linear pools . Mitigations were put in place for many pools, and a strong comms effort was initiated to try to reach depositors in the pools that could be mitigated, asking them to withdraw. 5 days after the vulnerability was announced, hackers figured out the exploit and remaining funds in vulnerable pools were drained.
Following the passage of BIP-445, a 90 day collection period was completed. Multiple reminders were sent out over various channels, the most recent of which was this Tweet. This RFC presents the results of the research on the resulting dataset of claims, and asks veBAL voters to decide on how to restitute the victims. Once final details are decided in this RFC, a BIP will be posted with similar contents to approve the decision.
Users were sent to an UI element that requested transaction IDs withdraws from hacked pools. These requests were submitted on chain to this Smart Contract , which generated events for each claim. Note that the claims period is now closed, using the UI element to report a loss now will not result in it being considered.
The events were collected and imported into this google sheet , where research was conducted and results were obtained. In the end 41 addresses reported losses. Of those, 4 addresses did not show any on-chain evidence of loss. A vast majority of the losses came from the bb-a-usd pool. The total USD value lost, based on pricing at time of hack adds up to $376,032.42. $5,861.27 of these losses were from 2 wallets on Optimism, the rest from mainnet.
The shape and style of Compensation:
A major narrative over the last year at Balancer has been building/maintaining a stable USD runway. Things have improved recently, but Balancer is not USD rich. For that reason, it is proposed that restitution be paid in BAL tokens. The amount of BAL tokens paid should be based on a 24 hour TWAP preceding the posting of the snapshot (on a Thursday).
On mainnet, payment will be directly airdropped to affected wallets in the same week that voting ends.
The addresses on Optimism do not look like they have gas on mainnet. Further, Beets has signalled its willingness to assist with distribution, and potentially cover half of the costs of repayment for Beets users on OP. For this reason, it is suggested that 50% of the BAL due to OP users is sent to Beethoven X on mainnet, and Beethoven then takes responsibility for restitution to the users for the full amount due directly on Optimsm. If beet governance decides not to pay half of the costs, the final proposal will be changed such that 100% of the BAL due to OP users is sent to beets.
An RFC was held to collect community feedback around this issue. A poll was staged asking if this BIP should offer 75% of the amount lost or 100% and opened the floor to discuss other options.
As a result of said conversation, this BIP proposes that 75% of the amount lost is paid back. This results in a total of
376_032.42 * .75 = 282_024.32 USD of value, which results in a total of
282_024.32 / 3.57 = 78_998.40896359 BAL at the time of this vote. If the price of BAL moves by more than 5 cents by noon on Monday after a successful yes vote, the payload will be regenerated using new BAL pricing and the total amount of BAL paid out may change.
Beethoven has agreed to pay half of the
5_861.28 * .75 = 4_395.96 USD due to victims as decided by Balancer, which is 50% of the final value owed to Optimsim based victims will be sent to the Beets Treasury on Mainnet
0x811912c19eEF91b9Dc3cA52fc426590cFB84FC86. This reduces the total amount due by Balancer by
615.68067227 BAL (see first row of the airdrop csv).
A user with the address 0x8484e288b7c2edad1b5214ed9df3bae4af7dadf5 showed up on Discord after the end of the claim period reporting losses from the USD+ pool on Arbitrum. The total losses were calculated using the same methods as other claimants:
pre-hack value = 2_312.80701209198413362 BPTs * 1.01542668 USDperBPT = 2_348.48594577 USD
recpvered value USD = (106.19 USD in USD+) + (66.35 USDC) = 172.54
total loss = 2_312.8070120919841336 - 172.54 = 2140.267012092 in USD value lost
Support and the Balancer Maxis agreed to include this address in this restitution BIP barring any strong objections stated in comments before snapshot.
Based on the 75% payback at the currently used BAL price this equates to
2140.267012092 * .75 / 3.57 = 449.6359269101 $BAL. As with other claims this amount will be recalculated if the price of BAL drops more than 5 cents.
Further this user is the sole Arbitrum claimant, and does not have gas on mainnet. The Balancer Maxis still have 1,287 $BAL in the Op LM Multisig. This BAL was left over from the entry into BAL/ETH LP due to price movements between snapshot and deposit. The plan was to bridge these assets back to the DAO multisig on mainnet, but this BIP proposes that this BAL is instead held on Op to be used there as instructed by governance, with a portion of it being used to pay back the affected user described above. The user has agreed to accept payment on Optimsim for their Arbitrum based losses.
Around Noon GMT on Monday the final price of BAL should be checked. If it deviates from the current payload price of
$3.57 by more then 5 cents, the payload CSV will be renegerated from the google sheet using the new current price. The final payload will then be reviewed by at least 2 Balancer Maxis on github before being loaded into the DAO multisig as part of the regular process.
The Maxis are authorized to hold upto 1300 BAL in the Op LM multisig, and use a portion of that to pay back
1605.200259069 USD worth of BAL to
0x8484e288b7c2edad1b5214ed9df3bae4af7dadf5 on Optimism. Remaining BAL in this safe will stay put until future governance specifies otherwise.
The current CSV, that may be revised based on BAL pricing and does not include Optimsim victims, but does include the Beethoven Treasury is below. If you reported, please check this. If you will be unable to access $BAL sent to this address, please comment on this forum post or contact @gosuto or myself or any of the Maxis here or on Discord.