[RFC] Linear pool hack restitution

TL;DR:

This RFC concerns what to do with the $376k USD in losses reported from the linear pool hack.

It proposes paying LPs back in BAL, and a poll at the bottom of this RFC asks how much should be paid.

Following at least 1 week of discussion, and once discussion seems to have calmed down, a final BIP will be posted to be approved or denied by veBAL voters.

Background:

Last year, a whitehat found a vulnerability in Balancer’s linear pools. Mitigations were put in place for many pools, and a strong comms effort was initiated to try to reach depositors in the pools that could be mitigated, asking them to withdraw. 5 days after the vulnerability was announced, hackers figured out the exploit and the remaining funds in vulnerable pools were drained.

Following the passage of BIP-445, a 90 day collection period was completed. Multiple reminders were sent out over various channels, the most recent of which was this Tweet. This RFC presents the results of the research on the resulting dataset of claims, and asks veBAL voters to decide on how to restitute the victims. Once final details are decided in this RFC, a BIP will be posted with similar contents to approve the decision.

Details

The Claims Data set:

Users were sent to a UI element that requested the transaction IDs of withdrawals from hacked pools. These requests were submitted on chain to this Smart Contract, which generated events for each claim. Note that the claims period is now closed; using the UI element to report a loss now will not result in it being considered.

The events were collected and imported into this Google Sheet, where research was conducted and results were obtained. In the end, 41 addresses reported losses. Of those, 4 addresses did not show any on-chain evidence of loss. The vast majority of the losses came from the bb-a-usd pool. The total USD value lost, based on pricing at the time of the hack, adds up to $376,032.42. $5,861.27 of these losses were from 2 wallets on Optimism, the rest from mainnet.

The shape and style of Compensation:

The form of payment:

A major narrative over the last year at Balancer has been building/maintaining a stable USD runway. Things have improved recently, but Balancer is not USD rich. For that reason, it is proposed that restitution be paid in BAL tokens. The amount of BAL tokens paid should be based on a 24-hour TWAP preceding the posting of the snapshot (on a Thursday).

The delivery of payment:

On mainnet, payment will be directly airdropped to affected wallets in the same week that voting ends.
The addresses on Optimism do not look like they have gas on mainnet. Further, Beets has signalled its willingness to assist with distribution, and potentially to cover half of the costs of repayment for Beets users on OP. For this reason, it is suggested that 50% of the BAL due to OP users is sent to Beethoven X on mainnet, and Beethoven then takes responsibility for restitution to the users for the full amount due directly on Optimism. If Beets governance decides not to pay half of the costs, the final proposal will be changed such that 100% of the BAL due to OP users is sent to Beets.

The amount of payment:

Users affected by the DNS hack accepted some risk and responsibility and agreed to a repayment of 75% of the USD value lost. In various governance topics around restitution there has been a lot of philosophy about precedent, and how to think about these things. The primary decision to be discussed in this RFC is how much to pay. To start the conversation, the poll below offers 2 options: restitute 75% of the amount lost (in line with the restitution program for the DNS hack), or 100% of the amount lost to make people whole. Please feel free to discuss other options; the poll can be rerun or amended if there is a collection of interest around another number or way to think about the amount.

What % of USD value lost should be repaid to hack victims
  • 100%
  • 75%
0 voters
6 Likes
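The RFC prices the BAL payout off a 24-hour TWAP ending at the snapshot post, with Optimism claimants routed half through Beets. The block below is an added example of that pricing and routing, written for this page; it is not Balancer's or Beets' tooling. Everything in it is assumed: the price feed is a step function (each sample holds until the next one), the snapshot time, the price samples, the claim amounts and every address are constructed, and the rounding rule is mine. The point it shows that the text does not is why a TWAP rather than a spot price: a short spike inside the window barely moves the result, and samples outside the window are ignored entirely.

```python
"""Added example (not from the RFC or from Balancer/Beets code): 24-hour TWAP
pricing of BAL restitution and the mainnet/Optimism payout split.

Assumptions (mine, not the page's):
  - price samples are (unix_ts, BAL_in_USD) pairs; each price holds until the
    next sample (step function);
  - the window is the 24 hours ending at SNAPSHOT_TS (snapshot post time);
  - claims, addresses and prices below are constructed, not the real sheet.
"""
from decimal import Decimal, ROUND_DOWN

SNAPSHOT_TS = 1_706_800_000        # constructed snapshot posting time
WINDOW = 24 * 3600                 # 24-hour TWAP window in seconds

# Constructed price feed, deliberately irregular. The 6.00 sample is a
# one-hour spike; the last sample is after the snapshot and must be ignored.
PRICE_SAMPLES = [
    (SNAPSHOT_TS - 30 * 3600, Decimal("4.00")),   # before the window: starting price
    (SNAPSHOT_TS - 20 * 3600, Decimal("4.20")),
    (SNAPSHOT_TS - 2 * 3600, Decimal("6.00")),    # short spike
    (SNAPSHOT_TS - 1 * 3600, Decimal("4.10")),
    (SNAPSHOT_TS + 3600, Decimal("9.99")),        # after the window: ignored
]

# Constructed claims: address -> (chain, USD value lost at time of hack)
CLAIMS = {
    "0xaaaa_mainnet_claimant": ("mainnet", Decimal("100000.00")),
    "0xbbbb_optimism_claimant": ("optimism", Decimal("4000.00")),
}
BEETS_MAINNET = "0xbeets_mainnet_receiver"   # hypothetical Beets treasury address


def twap(samples, end_ts, window=WINDOW):
    """Time-weighted average of a step-function price over [end_ts - window, end_ts].

    Weights each price by the seconds it was in force, so a brief spike
    contributes in proportion to its duration, not its magnitude alone.
    """
    start = end_ts - window
    samples = sorted(samples)
    current = None                       # price in force at window start
    for ts, price in samples:
        if ts <= start:
            current = price
    if current is None:
        raise ValueError("no price sample at or before the window start")
    weighted = Decimal(0)
    t = start
    for ts, price in samples:
        if ts <= start:
            continue
        if ts >= end_ts:
            break                        # sorted, so nothing later is in-window
        weighted += current * (ts - t)
        t, current = ts, price
    weighted += current * (end_ts - t)   # last segment up to the window end
    return weighted / window


def bal_payouts(claims, pct, price, beets_share=Decimal("0.5"), beets_addr=BEETS_MAINNET):
    """Map recipient -> BAL for a restitution fraction pct (e.g. Decimal('0.75')).

    Mainnet claimants are paid directly. For Optimism claimants only
    beets_share of their BAL is sent to beets_addr on mainnet, mirroring the
    RFC's proposal that Beets pays those users in full on Optimism.
    BAL amounts are truncated to 6 decimals (rounding rule assumed).
    """
    out = {}
    for addr, (chain, usd) in claims.items():
        bal = (usd * pct / price).quantize(Decimal("0.000001"), rounding=ROUND_DOWN)
        if chain == "mainnet":
            out[addr] = out.get(addr, Decimal(0)) + bal
        elif chain == "optimism":
            out[beets_addr] = out.get(beets_addr, Decimal(0)) + bal * beets_share
        else:
            raise ValueError(f"unknown chain {chain!r} for {addr}")
    return out


if __name__ == "__main__":
    price = twap(PRICE_SAMPLES, SNAPSHOT_TS)
    print("24h TWAP:", price)
    for who, amount in bal_payouts(CLAIMS, Decimal("0.75"), price).items():
        print(f"{who}: {amount} BAL")
```

With these samples the TWAP is 4.2375 USD/BAL: the one-hour 6.00 spike adds only about 0.02 to the average, where a spot read taken during that hour would have cut every payout by roughly a third. The snapshot block, the exact feed used and the rounding rule are the details a real payload would need to pin down before the multisig executes.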

Thanks a lot for putting this RFC together. Also thanks to all the people involved getting us here - from the white hat to effortless work from all contributors to reduce funds at risk in the millions down to this number which is great to see.

I am personally in favor of doing 75% so it is aligned with the DNS hack restitution. The main reason for me personally is that people had 5 days to remove funds and recover their assets from the affected pools before the pools were drained.

This is an important detail that we should all be aware of and I am also in favor of repaying in BAL tokens. USDC is still a scarce commodity that is mostly used to fund SPs. Paying back victims with USDC would negatively impact our runway which we should avoid at all cost.

5 Likes

Note that as referenced above, the results of the research can be found here:
linear-hack-claims-public - Google Sheets, on the summary tab.

If you reported losses using the tool, please verify that everything looks right on the sheet above. You can message me or @gosuto here, find us on the Balancer Discord under the same names, or post publicly on this Forum if something seems off.

2 Likes

Thank you @Tritium for putting this discussion up and taking the lead here, and ofc @gosuto for the thoughtful work putting this together.

I guess the other, more obvious answer to the poll would be 0%. This would most likely come from a pov where we shift the risk to the user. Anyone agreeing to Balancer’s terms of use would waive all claims to damage and loss when acknowledging contract risk. This statement would then support a vision for Balancer as a trustless and decentralized public good. Zero restitution also means veBAL cares for our community-owned Treasury stack, resources that are built collectively, and that risk-takers shouldn’t have a safety net at the cost of the more risk-averse.

100% is good PR. Imo, this is what this proposition would be all about, relationship with partners, public perception, branding, etc.

75% is a good precedent and, in this case, a good compromise. It must be said that the DNS hack victims (under BIP-443, an entirely different and unrelated event/scenario) chose to take the 25% cut voluntarily when it was offered, to acknowledge their own responsibility by clicking weird links and signing transactions. Here, the cut would refer to at least some joint responsibility for qualified DeFi users such as ours to be vigilant of their holdings and take part of the contract risk they signed off. I think it’s pretty fair and reaches some middle-ground consensus.

4 Likes

I agree with Xeonus on this and support his reasoning for a 75% payout.

1 Like

I seem to be that odd man out at 100% so let me state my reasoning, then I am happy to remain the odd man out.

The vast majority of the addresses above were deposited in the bb-a-usd pool. bb-a-usd was a USD stableswap made up of the most trusted USD tokens, but added a boosted element. The yields on bb-a-usd were not insanely high and did not demonstrate much of a risk premium assumed by users.

There were 5 days between the communication about the vulnerability and the request to withdraw.

I’d like to think that Balancer is a place where you can put some USD stableswap, go on a 2 week vacation and not look at it, and assume it will still be there when you get back. I agree that using DeFi comes with the responsibility of risk management and keeping an eye on your investments, but I think Balancer needs to offer USD stableswap at a reasonably low risk premium that doesn’t need such active monitoring.

I fear that asking LPs who took more than 5 days, but less than 90, to take a 25% haircut may communicate the wrong message about what we expect from USD LPs. I think the expectation to keep an eye on your investments within a 90 day timeframe in DeFi is super reasonable.

4 Likes

I think that when it comes to the pools, the restitution should be closer to 100%, if possible. As mentioned previously, most of the lost funds came from a stablecoin pool (and the user won’t be checking it/news about it that often).

That doesn’t invalidate the huge effort made to announce the issue in a reasonable way, and to incentivise the users to remove their assets from it. The time we got (and the huge amount of assets saved) because of that was great, but it was still an issue in the contract.

2 Likes

Personally, I feel that we should be at either 0% or 100% for all hack restitutions.

Danko has already stated a pretty good defense for 0%, above.

For 100%, my reasoning is the same as the ones I stated for previous BIPs on this topic. If we’re providing restitution largely for the sake of making a PR gesture, that gesture should be generous and meaningful, meaning full comp, longer time limits for claiming/direct airdrop, and a comprehensive marketing/PR campaign around the claim process–both to notify affected BAL users and to reach new users to show that this is a platform that’s trustworthy and secure.

However, I voted 75% because that precedent has largely been set already by the DNS hack BIP. Tritium, above, is essentially stating that precedent shouldn’t apply because the circumstances of the two hacks are different; it’s a good point. Another discussion topic could revolve around whether that 75% precedent was meant to apply to all users, or rather was a specific, targeted restitution meant only to apply to a limited set of individuals. Yet another could revolve around whether the concept of precedent even applies to DAOs. I think these are pretty interesting questions that we could explore fully in the future (or perhaps should already have been explored more fully in BIP-445).

Here, however, the author states:

If high level discussions are off the table on this particular BIP, and we have no other reference points except the 75% for the DNS hack, then it just makes the most sense to me for us to follow prior precedent. I believe we wouldn’t be able to open up fair discussions about 100% without giving a wider range of options as well, 0, 25, 50, etc.

Just to clarify, it was not my intention to bound the conversation with the poll. Only to create a first entry point for people to talk. I did state that we can post another poll if there is interest and that the discussion should not be bounded by the options in the poll, but you’re the only person who seems to care and the options you like (100 or 0) are already included.

I don’t think 0 needs to be an option here, because if this BIP is rejected by snapshot, nothing will be paid out. So the question here is what to ask, not what to do.

Still happy to include more options and poll again if there is significant feedback that this is desired, but we seem to have pretty strong consensus around 75%. Barring a change in the course of the poll or conversation, I’ll put a BIP together to approve or deny 75% restitution next week.

1 Like

Note that there seems to be a consensus around 75%. We will take some time to figure out pricing and get a proper specification for the payload/multisig together to run a BIP next week.

Assuming no delays, voting should happen from the 1st to the 5th of February with payout happening via a direct airdrop sometime around Feb 6-9.

1 Like

Beethoven X DAO voted in favor of BIP-59 which specifies that Beethoven X will cover 50% of the (to be decided) restitution amount on Optimism. Beethoven X’s share of the restitution amount will be covered in USDC.

1 Like

Thanks to all involved in the process for drastically reducing the potentially affected amount.

Regarding repayments, I agree with Danko’s statement below.

I guess the other, more obvious answer to the poll would be 0%. This would most likely come from a pov where we shift the risk to the user. Anyone agreeing to Balancer’s terms of use would waive all claims to damage and loss when acknowledging contract risk. This statement would then support a vision for Balancer as a trustless and decentralized public good.

We operate in a field where managing liquidity and ensuring active risk management is essential. My personal views are that I must manage my risk. The risk is on me. While a 5-day window would allow me ample time to withdraw liquidity and manage personal risk, I understand this is not the case for everyone. A 90-day window, however, offers everyone ample time to look at announcements and put forward their losses.

Saying this, the 3-month period in which users were required to fill out losses paints a picture of restitution. Users who did not have ample time to remove funds, but did check announcements and fill out the forms for loss that were required did so in the belief funds would be repaid. I do not think an arbitrary amount of 75% makes sense in this instance and therefore vote that we repay 100% of reported losses.

5 Likes

karpatkey welcomes the discussion and all the points of view presented so far. This is our understanding of the matter:

As the hack affected Balancer’s smart contracts, compensation should be 100% if that does not jeopardize the protocol’s operation (which is not the case). This reasoning is based on two points:

  • The majority of the funds were in a stable pool (bb-a-usd pool), whose LPs generally do not actively manage their positions;
  • The time between announcing the potential issue (the call for exiting the position) and the effective hack was short.

The DAO should send a message acknowledging that these losses happened because of an issue with Balancer protocol, and, as we (as the Balancer DAO) are always attentive to situations like this, we are proposing total compensation while doubling down our efforts to prevent these incidents from happening again.

4 Likes

Guys, a brand is not built in moments of highs, in happy and abundant moments; a brand is consolidated and gains people’s respect in moments of adversity. A brand truly shows its greatness in its crisis management, in the way it responds to failure. Empathy is a virtue that few brands possess. Therefore, I ask for empathy from all of you so that the refund can be made in the amount of 100%. Furthermore, the most affected pool was a StableCoin Pool, it was not a risky pool. In my specific case, I looked for an old and renowned protocol in the crypto universe (Balancer), an ultra conservative pool (stables only), and so I relaxed. Accidents happen and I’m sure that returning 100% is the right attitude (in my case, you don’t even need to return everything at once; if you have a monthly disbursement schedule, in installments, everything would be perfect). This makes it good for everyone. Thanks guys, much love for U!

5 Likes

Thank you to everyone who participated in this conversation. A resulting BIP proposing a 75% payback in BAL to affected users has been posted here: [link pending once BIP posted]

Here is the reasoning that was used to choose 75%:

1: Beyond the options in the poll, the primary other option that people thought should be considered was 0, or no restitution. A rejection of this BIP has the same functional effect while not blocking further governance. There was not strong support for other options or ways of thinking about this.

2: Almost all poll participants were known members of the Balancer Community and/or users affected by the hack (no sybil), and 75% polled with more individual votes than 100%.

3: The poll participants represented a significant portion of veBAL:

  • @humpydumpy007 is the largest individual veBAL holder who voted 75%. He was joined by a couple of other delegates who control more than 100k veBAL.
  • @jameskbh is the only delegate who voted for 100% who carries substantial vote weight. Given an understanding of the current state of Balancer governance, it is clear that more veBAL is supporting 75% than 100%.
  • It is worth noting that @karpatkey expressed an opinion in the discussion for 100% without voting in the poll, and also carries significant vote weight; however it still seems like the 75%'s have it.

For that reason it is clear that 75% is the preferred choice based on this RFC, and it was used for the BIP.

  • More individuals selected the 75% option than the 25% option.
  • A number of major HODLers or delegates polled on both sides:
    • @humpydumpy007 and a number of other sizeable delegates chose 75%,
    • @jameskbh was the only delegate with real vote weight who chose 100%.

Anyone who disagrees with this assessment is welcome to comment in the BIP post linked above, which is still open for feedback until next week and/or to vote against this specific implementation of restitution.

2 Likes