I wrote this on Discord on 11/17. Didn’t really know this Forum existed until just now. Thought I’d share it now, though I suspect it’s a bit late for compensation ideas:
Ooki Dooki Super Splooshy
Recently bZx suffered a $55m exploit due to… Well, a number of mind-boggling security issues. Perhaps the most boggling of the mind was a developer turning on macros from unknown sources in Microsoft Office (which are disabled by default) prior to opening a dodgy Word document. The author of this proposal does not think the developer was an 80-year-old grandma, but this has not been revealed yet.
Since the bZx DAO treasury contains only approximately $27k in non-bZx tokens (according to https://etherscan.io/token/0x6c3f90f043a72fa612cbac8115ee7e52bde6e490?a=0xfedc4dd5247b93feb41e899a09c44cfabec29cbc ), and the rest of the DAO treasury is in bZx-branded tokens, this presents only sub-optimal solutions for DAO-treasury-only reimbursement:
- Give only the non-bZx stablecoins. Since that is only 1/2500th of the amount stolen, for many people that would feel like a sympathy card that said “Sorry for your loss… of life savings” with a check for 5 cents within it. Basically, this first option can be included with any of the rest of the options, but the effect would be nearly meaningless.
- Give the bZx-branded tokens immediately. Likely, those most hurt by this exploit are not huge believers/users of bZx. They probably used it once or twice and left infinite allowance on because, let’s face it, there are no quick, cheap, and easy ways to remove infinite allowances or restrict them from being asked for in the first place. These people don’t want tokens whose values are directly related to the success of bZx products and services. These people will likely sell them immediately, causing them to tank in value.
- Give the bZx-branded tokens slowly over time. This forces the recipients to suffer opportunity costs on top of their current losses. It is very unlikely the (eventual) recipients would be happy with having their funds illiquid AND illiquid in this form. Further, again, these bZx-branded tokens are still directly related to the success of bZx, which will now be an organization with massive debt hanging over its head for a very long time. Further, to be truly equitable, the bZx-branded tokens would need to match the value performance of the tokens stolen. I doubt many of those affected feel like bZx tokens will outperform, say, any of their Ether that was stolen. This thus requires giving even more bZx tokens as time goes on to be equitable, which of course is likely to further draw down the value of bZx tokens, potentially creating an unfortunate feedback situation without escape.
The last point brings up the question of how does one determine the value of what was stolen upon reimbursement? Does one simply decide the dollar value of the tokens at that moment of theft and give in equal dollar value when reimbursing? I would venture the vast majority of users of bZx are generally bullish on crypto going up in value, and quite possibly the US dollar going down (e.g. due to inflation). In this proposal and proposal author’s view, the only equitable solution is reimbursing the exact tokens stolen plus an extra amount of each token due to the best interest possible to a user (which is likely not bZx’s interest rates). To be fair, we’ll keep the best-possible interest rate scope to decentralized lending protocols with top-10 Total Value Locked on each chain per DefiLlama between now and the moment of full reimbursement. Thus, if a person lost 0.1 ETH and 10 USDC, and it took 1 year for bZx to reimburse (let’s hope not), and the best lending APRs for those tokens were 5% and 15% respectively, the person would receive 0.105 ETH and 11.5 USDC. That is the most equitable solution according to this proposal and this proposal author.
Now, since the options for using the DAO treasury seem sub-optimal, how about another solution:
The Ooki Dooki Super Splooshy
Up until now, the proposal author has refrained from using the rebranded name for bZx: Ooki. This may be due to the proposal author’s personal feeling about this proposed name change, but such is not relevant. Regardless, bZx wants to be now known as Ooki, so we’ll use it for this proposed solution.
The Ooki Dooki Super Splooshy would be an event at an undisclosed location that would be live streamed worldwide. For this event two types of NFTs would be minted:
- 500,000 Dooki NFTs. Cost: $10. At first, 100k will be minted on Ethereum, 200k on BSC, and 200k on Polygon. If any one chain runs out of supply, then in batches of 10k every hour they will be burned on another chain at random and minted on the chain that ran out, until all NFTs are redeemed. More are minted on BSC/Polygon at first, because gas prices would likely be much higher than the NFT itself on Ethereum. A single Dooki NFT is needed to watch the livestreamed event.
- 5,000 Super Dooki NFTs. Cost: $1000. At first 4000 will be minted on Ethereum, 500 on BSC, and 500 on Polygon. Same methodology for burning and minting every hour, except batches are of 100. More Super Dookis are minted on Ethereum because most high-priced NFTs are on that chain, and let’s face it, Ethereum is a chain for whales, who are the only ones who can probably afford something like a Super Dooki. A Super Dooki allows both a ticket to watch the event and a special Super Dooki dunking privilege.
Sale continues for 1 month or until all NFTs are sold. Two weeks after the initial sale is complete, there will be a two-week trading period where NFTs can change ownership. After that, any rights that go along with the NFT are stuck with the wallet address holding it, cannot be transferred, and are forfeited if the NFT leaves that wallet address. The Super Dooki dunking privilege can then be redeemed. The holder can write a message the length of a “Tweet” (280 characters) which should take no more than 30 seconds to read. The only restriction is this message must not contain hate speech or an incitement to violence. The bZx operations team member who will ultimately be reading that sentence has full discretion as to what he or she defines as hate speech or incitement to violence. Super Dooki holders will have until 24 hours before the event, which should occur within four weeks after the initial sale is complete, to provide their message (e.g. via Twitter to a bZx-maintained account).
At the event, each bZx operations team member who was an operations team member as of the time of the exploit, is of able body to do so, and can do so within all safety guidelines and ethical limitations, will be in a dunk tank. That team member will then read a Super Dooki message, then be dunked, and then the livestream will move on to the next team member. This will continue until all the team members have read and been dunked. By then the first team member should be ready to read another Super Dooki message and then be dunked again. Team members can work in shifts as needed so no member has to “work” more than typical hours for a full-time employee according to the laws in their jurisdiction. This will continue until all Super Dooki messages are read. After the event, POAPs will be provided to anyone who attended.
All funds from the event, of course, go to the victims of the exploit.
The author of this proposal contends while this is an outlandish method for reimbursement, it is more likely to ultimately lead to maximum reimbursement and maintaining the value and longevity of bZx-branded tokens and the bZx protocol and its products and services. Crypto news organizations will likely be keen to report on the event because it is so bizarre, and this will in turn increase the speculative value of any NFTs related to the event, thus increasing their sales, and thus increasing the amount of reimbursement.
Further, the author of this proposal simply thinks the general concept and eventual execution of The Ooki Dooki Super Splooshy would be pretty funny and cathartic to all involved.