TL;DR:
This BIP is concerning what to do with $376k USD in losses reported pertaining to the linear pool hack.
It proposes paying LPs back in BAL, and a poll at the bottom of this RFC asks how much should be paid.
Following at least 1 week of discussion, and when discussion seem to have calmed down, a final BIP will be posted to be approved or denied by veBAL voters.
Background:
Last year, Balancer, a whitehat found a vulnerability in Balancer’s linear pools. Mitigations were put in place for many pools, and a strong comms effort was initiated to try to reach depositors in the pools that could be mitigated, asking them to withdraw. 5 days after the vulnerability was announced, hackers figured out the exploit and remaining funds in vulnerable pools were drained.
Following the passage of BIP-445, a 90 day collection period was completed. Multiple reminders were sent out over various channels, the most recent of which was this Tweet. This RFC presents the results of the research on the resulting dataset of claims, and asks veBAL voters to decide on how to restitute the victims. Once final details are decided in this RFC, a BIP will be posted with similar contents to approve the decision.
Details
The Claims Data set:
Users were sent to a UI element that requested transaction IDs withdraws from hacked pools. These requests were submitted on chain to this Smart Contract, which generated events for each claim. Note that the claims period is now closed, using the UI element to report a loss now will not result in it being considered.
The events were collected and imported into this google sheet, where research was conducted and results were obtained. In the end 41 addresses reported losses. Of those, 4 addresses did not show any on-chain evidence of loss. A vast majority of the losses came from the bb-a-usd pool. The total USD value lost, based on pricing at time of hack adds up to $376,032.42. $5,861.27 of these losses were from 2 wallets on Optimism, the rest from mainnet.
The shape and style of Compensation:
The form of payment:
A major narrative over the last year at Balancer has been building/maintaining a stable USD runway. Things have improved recently, but Balancer is not USD rich. For that reason, it is proposed that restitution be paid in BAL tokens. The amount of BAL tokens paid should be based on a 24 hour TWAP preceding the posting of the snapshot (on a Thursday).
The delivery of payment:
On mainnet, payment will be directly airdropped to affected wallets in the same week that voting ends.
The addresses on Optimism do not look like they have gas on mainnet. Further, Beets has signalled its willingness to assist with distribution, and potentially cover half of the costs of repayment for Beets users on OP. For this reason, it is suggested that 50% of the BAL due to OP users is sent to Beethoven X on mainnet, and Beethoven then takes responsibility for restitution to the users for the full amount due directly on Optimsm. If beet governance decides not to pay half of the costs, the final proposal will be changed such that 100% of the BAL due to OP users is sent to beets.
The amount of payment:
Users of the DNS hack accepted some risk and responsibility and agreed to a repayment of 75% of the USD value lost. In various governance topics around restitution there has been a lot of philosophy about precedent, and how to think about these things. The primary decision to be discussed in this RFC is how much to pay. To start the conversation, the below poll offers 2 options: restitute 75% of the amount lost (this is in line with the restitution program of the DNS hack), or 100% of the amount lost to make people whole. Please feel free to discuss other options, and the poll can be rerun or amended if there is a collection of interest around another number or way to think about the amount.
- 100%
- 75%