General principle of compensation

Hi All,
I'm trying to think carefully about the general principle of compensation.
Actually, we can separate the affected users into two main groups.

  1. The protocol users at the time of the exploit. This includes the ones who lent out money, the ones who borrowed, the ones who were using leverage, and the ones who were staking.

  2. The users who approved an unlimited or excessive allowance. This includes the ones who have already left the protocol but forgot to revoke, and the ones who are still in the protocol.

For myself, I was affected in both scenarios. I was lending out my money in the protocol at the time of the exploit, and I had approved an excessive allowance for some tokens in my wallet.

As we all clearly know, the incident came from a serious lapse in the dev's security awareness. If the dev hadn't stored the private key in plain text or in a Word file on his computer, and the key had been split into multiple segments, then this incident couldn't have been triggered.

To be honest, the 1st group should be treated as the higher priority. What's the reason?
It's because they did nothing wrong. They were using the protocol and their funds were totally stolen due to the dev's fault.

The 2nd group shares a small part of the blame because they hadn't revoked the allowance when they left the protocol, or they gave an excessive allowance to the protocol.
By the way, compensation must be provided to them as well (but it could be second priority) because the main root cause is the dev and the protocol making a serious mistake.

Lastly, I would say that the DAO voting should consider not only BRZX holders but also include anyone who was using the protocol at the time of the exploit. Fulcrum could take a snapshot right before the exploit to know which wallet addresses should be included for voting rights. The value of compensation can be based on the token value at the time of the exploit.

2 Likes

The notion that the 2nd group 'did something wrong' by not revoking the allowance when they left the protocol is a weak conclusion. I don't think putting the blame on unsuspecting users is wise or accurate. None of these users were ever made aware that when they traded a few coins like BTC for iBTC, an unlimited allowance was given over. If this information had been relayed beforehand, obviously no one would have left open the possibility for one person with one key on his computer to have access to all of their funds.

Fulcrum's protocol is quite unusual, in that staking a few coins necessarily results in an indefinite and unlimited permission to access assets. Most countries have laws that protect individuals from being tricked into signing contracts where they are unaware of the exploitative nature underlying said contract.

The assets that were taken through this oversight will cost the entire bZx development team and DAO more money the longer they wait on reimbursement, especially in this bull market, not to mention the growing risk of legal action being taken against the developers, since they do have personal responsibility, as the DAO is not a legal entity.

It is not absolutely necessary to compensate everyone now, especially when it's difficult and the funds aren't there, but some sort of plan for how the compensation would work is warranted, primarily in consideration of the variety of coins that were taken from the bZx protocol, like BTC and ETH, which will change in value.

8 Likes
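The posts above turn on one mechanism: an ERC-20 "infinite" approval stays valid after the user has withdrawn and left, so whoever later controls the approved spender can call transferFrom against whatever the user still holds. The following is an added example, not code from bZx, Fulcrum or anyone in this thread. It uses an in-memory toy token and made-up 0x11../0x22../0x33.. addresses, and it collapses the protocol contract and the admin key that controlled it into a single spender identity, which is a simplification of how a real deployment is wired. It also builds the raw calldata a wallet would send to read an allowance and to revoke it, using the standard ERC-20 selectors.

```python
"""Toy model of ERC-20 approvals plus the raw calldata a wallet sends to check
or revoke one. The ledger is an in-memory dict standing in for a token
contract; the 0x11.., 0x22.., 0x33.. addresses are made-up placeholders."""

UINT256_MAX = 2**256 - 1  # the value most wallets send for an "infinite" approval

# ERC-20 four-byte selectors: keccak256(signature)[:4], fixed by the standard.
SEL_APPROVE = bytes.fromhex("095ea7b3")    # approve(address,uint256)
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")  # allowance(address,address)


def _addr(addr: str) -> bytes:
    """ABI-encode a 20-byte hex address as a left-padded 32-byte word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith("0x") else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def allowance_calldata(owner: str, spender: str) -> bytes:
    """eth_call payload for allowance(owner, spender); the 32-byte result is the amount."""
    return SEL_ALLOWANCE + _addr(owner) + _addr(spender)


def revoke_calldata(spender: str) -> bytes:
    """Transaction payload for approve(spender, 0), i.e. revoking the allowance."""
    return SEL_APPROVE + _addr(spender) + (0).to_bytes(32, "big")


def is_effectively_unlimited(allowance: int) -> bool:
    """Heuristic: anything near 2**256 is an 'infinite' approval, not a real amount."""
    return allowance >= 2**255


class ToyToken:
    """Minimal balance/allowance ledger with ERC-20 transferFrom semantics."""

    def __init__(self):
        self.balances = {}    # address -> amount
        self.allowances = {}  # (owner, spender) -> amount

    def mint(self, to: str, amount: int) -> None:
        self.balances[to] = self.balances.get(to, 0) + amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer(self, sender: str, to: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise PermissionError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

    def transfer_from(self, caller: str, owner: str, to: str, amount: int) -> None:
        """Move owner's tokens on the strength of the allowance granted to caller."""
        allowed = self.allowance(owner, caller)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if allowed != UINT256_MAX:  # common implementations never decrement an infinite approval
            self.allowances[(owner, caller)] = allowed - amount
        self.transfer(owner, to, amount)


# Constructed placeholder addresses, not real accounts.
USER, PROTOCOL, THIEF = "0x" + "11" * 20, "0x" + "22" * 20, "0x" + "33" * 20


def stale_approval_drain(revoke_on_exit: bool) -> tuple:
    """User deposits via an infinite approval, withdraws and leaves; later the
    protocol's key is stolen and used to call transferFrom.
    Returns (user balance, thief balance) after the attempt."""
    token = ToyToken()
    token.mint(USER, 100)
    token.approve(USER, PROTOCOL, UINT256_MAX)          # one-click "infinite" approval
    token.transfer_from(PROTOCOL, USER, PROTOCOL, 40)   # deposit 40 through the protocol
    token.transfer(PROTOCOL, USER, 40)                  # withdraw: funds back, allowance untouched
    if revoke_on_exit:
        token.approve(USER, PROTOCOL, 0)                # what revoke_calldata() sends on-chain
    # Whoever holds the protocol's key can now spend whatever USER still holds.
    try:
        token.transfer_from(PROTOCOL, USER, THIEF, token.balances[USER])
    except PermissionError:
        pass
    return token.balances.get(USER, 0), token.balances.get(THIEF, 0)


if __name__ == "__main__":
    print("left without revoking:", stale_approval_drain(revoke_on_exit=False))
    print("revoked on exit:      ", stale_approval_drain(revoke_on_exit=True))
    print("revoke tx calldata:   ", revoke_calldata(PROTOCOL).hex())
```

The practical check is the first function: send `allowance_calldata(your_address, spender)` as an `eth_call` to every token you have ever interacted with, and for any result that `is_effectively_unlimited` reports, broadcast `revoke_calldata(spender)` to that token. Note that revoking costs a transaction per token per spender, which is exactly the friction that makes people skip it.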

A ray of light in the darkness. Totally agree with you. If we will be compensated in the lost BTC and ETH, I am OK to wait. But bZx has to give some sort of guarantee.

1 Like

Why weren't the devs using multisig? I really want to know the answer to this question. I just can't believe the keys to the entire platform were sitting in plain text on a laptop.

The main deployment on Ethereum was already under DAO control, thankfully, so it was just the two alternate-chain deployments that got hit.

That still doesn't answer the question. Why weren't they using multisig before they transferred BSC and Poly to a DAO system? For this alone the devs should forfeit their earnings and should be compensated last, if at all. Then the unlimited approval and permissions being left open is just unforgivable. Rookie mistakes that finally completely ruined their users and likely their platform. Fulcrum will never recover from this, and that's 100% because of the team's lazy security practices. They essentially gave all their users' funds away because they were too lazy to take extra precautions. I mean even a What will it take for these guys to get it? You're being targeted because your security and code suck!

After the 3 or 4 previous hacks they were still being reckless and negligent? I'm not trying to kick people when they're down, but what the *uck! After being hacked 4 times you're going to leave plaintext private keys to the entire platform on your laptop? Unreal.

1 Like
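The first post says the incident could not have happened if the key had been "divided by multi-seg", and the last posts ask why no multisig was in place. The following is an added example, not anything bZx used or published: a 2-of-3 Shamir split of a secp256k1 private key, so that no single laptop ever holds the whole key and any one stolen file is worthless on its own. It works over the secp256k1 group order, which is the natural field for an Ethereum key. One caveat a practitioner will want: Shamir sharing still reconstructs the full key in one place at signing time, whereas an on-chain multisig contract never reconstructs anything and can be rotated on-chain, which is why the thread's "why no multisig" question is the right one for a protocol admin key.

```python
"""2-of-3 Shamir secret sharing of a secp256k1 private key.
Added illustration; not bZx code. Uses only the standard library."""

import secrets

# secp256k1 group order: every valid Ethereum private key is an integer in
# [1, N-1], so treating the key as a field element mod N is lossless.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret: int, threshold: int, n_shares: int, p: int = SECP256K1_N):
    """Shamir split: a random polynomial of degree threshold-1 with f(0) = secret,
    evaluated at x = 1..n_shares. Returns a list of (x, f(x)) pairs."""
    if not 0 < threshold <= n_shares:
        raise ValueError("need 0 < threshold <= n_shares")
    if not 0 <= secret < p:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]
    shares = []
    for x in range(1, n_shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod p
            y = (y * x + c) % p
        shares.append((x, y))
    return shares


def recover_secret(shares, p: int = SECP256K1_N) -> int:
    """Lagrange interpolation at x = 0 over any `threshold` distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p
                den = (den * (xi - xj)) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def demo_2_of_3(key: int) -> bool:
    """Any two of three shares rebuild the key; the shares are stored apart
    (e.g. HSM, offline machine, custodian), never together on one laptop."""
    shares = split_secret(key, threshold=2, n_shares=3)
    pairs = [shares[:2], shares[1:], [shares[0], shares[2]]]
    return all(recover_secret(pair) == key for pair in pairs)


if __name__ == "__main__":
    k = secrets.randbelow(SECP256K1_N - 1) + 1  # throwaway key for the demo, never a real one
    print("2-of-3 recovery works:", demo_2_of_3(k))
```

Reconstruction should happen only inside the signing environment and the rebuilt key should be discarded immediately afterwards; if the reconstructed key is ever written to disk, the scheme has bought nothing.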