CIP-206: Reimburse Discord Scam Victims

I am putting forward a proposal to allocate $50k from the treasury to reimburse victims of the recent Discord Scam.

While I don’t love having to use funds to compensate those who failed to judge it was a scam, I think we should do it because:

  • The scammers were very persistent - DMing lots of Citizens directly, using official channels, and impersonating me.
  • If this passes, the Council will create a form using DeForm or similar to collect and validate claims.
  • If 50k in claims are exceeded, people will be refunded pro rata to their loss, with a maximum of 5k per person.
  • The CityDAO council will verify the veracity of each claim and reserves the right to ignore claims from non-citizens, spammy or suspicious claims, etc.
  • Claim period will be 10 days after the snapshot passage of this CIP.
7 Likes

While I do have empathy for the victims of this scam, I don’t think it makes sense to reimburse.

  1. This is the second time that the CityDAO discord was hacked and the members were targeted for a scam. The previous time was very similar, with an admin being hacked and promoting an airdrop (or similar). A few important things that came out of that:
    i. A similar vote was put forth, and the citizens voted NOT to reimburse victims. I see no reason why this time should be different.
    ii. It was made clear after the previous hack that CityDAO will never do any surprise drops.

  2. We’re not trading bitcoin on coinbase here. Everyone involved in a DAO should have some basic understanding of how to ensure security for their crypto assets, and have responsibility for their own actions. There were a million red flags for this scam, and while I empathize with the victims, the collective citizens should not need to pay for their mistake.
    i. As previously stated, CityDAO has never done and will never do any surprise airdrops.
    ii. The url was not one used before or associated with CityDAO.
    iii. Neither Scott nor any CityDAO admin has ever spammed the discord with messages. This is scammy and spammy, and is an obvious sign of a hack. This is the persistence mentioned in Scott’s message above, but instead of a reason to vote for this, it is a huge red flag and reason not to.
    iv. They shut down discord so no one could post in any channel except through their weird bot they set up. Another sign of a hack.
    v. CityDAO immediately posted on X about the hack.
    vi. METAMASK FLAGGED THE TRANSACTION AS PHISHING AND PEOPLE SIGNED ANYWAYS. NEVER SIGN ANYTHING IN CRYPTO YOU DON’T UNDERSTAND.

  3. Lastly, setting the precedent to reimburse victims of a scam sets up a perverse incentive, as victims never have anything to lose, and even worse could give a bad actor reason to hack themselves and others (there’s no way for us to know that the scammer isn’t a member themselves and drain their own wallet, thus stealing even more money by being part of the future reimbursement).

To summarize, the victims of this hack saw that an airdrop was posted in a discord server for a project that previously made clear they would never do a surprise airdrop, and with a url that is not associated with the project. The posts were incredibly spammy, for a project that is anything but that (except for the last time it was hacked!), and all ability to communicate in the discord was disabled. They ignored all of those red flags, and then proceeded to click the link without a second thought or checking X or this forum. Finally, they signed a contract that they did not read or understand, even after Metamask warned them that it looked like phishing. I’m sorry they lost what was in their wallets, but the responsibility here lies solely with the person who signed the hacked contract.

I will be voting against this CIP, but I ask that if you do put it forward, please include:

  1. Language to not reimburse future hacks. I don’t think we need to relitigate this every time.
  2. Language that checks to see if the person was an active citizen during the last hack and exclude them from reimbursement. I think everyone should have known better, but especially people who were around the last time this same thing happened.
  3. Thoughtful language around what specifically is eligible for reimbursement. ETH is clear, but what about NFTs? What about other tokens? How is their value calculated? What if that value has gone up or down since the day of the hack? This is not a straightforward thing to solve.
5 Likes

I think more important and beneficial to the community would be allocating 50k to do an after action report and chain analytics to try to either trace and prosecute or gather intelligence that could be useful as a public good.

Considering that CityDAO hasn’t even updated the public on Twitter to let citizens know the hack is over or who is in control or what assets have even been compromised while we didn’t have control, it’s probably best to focus on getting reorganized first and understanding the damage. The reality is we don’t know if our tools have been compromised and could unwittingly be another vector for attack. Until then I would be very cautious.

2 Likes

As a victim I’m necessarily biased, but so are you as a non-victim, so I’ll try to answer as neutrally as possible. I understand your point of view but I have some words to say as well concerning your points:

1/ The “surprise” airdrop concept is valid over a short time period. This time the malicious messages were posted many times over a long time period, so it wasn’t looking at all like a surprise airdrop. I didn’t get scammed at the first message, I clicked because this was persistent.

2/ You are right, we’re all responsible for our own actions. In 7 years in crypto I never got hacked, and even though it happened to me this time I still think the same way as you. But I also think it’s nice to support affected DAO members, since they are the DAO themselves.

The false Scott started spamming at the end of the hack, when he mentioned the “95% airdrop was claimed”, not at the beginning. The hack became much more obvious when they saw victims were less easy to catch.

We don’t have necessarily the time to chat on channels each time an announcement is made.

CityDAO posted on X and only on X, but how do you find the information when you follow thousands of accounts? There was only one post. They should have reached out in DM directly to maximize the chance of handling the situation, especially to members that have their X and Discord linked, or at least made dozens of tweets about it.

Metamask is flagging many transactions nowadays; you get this flag as well when you borrow against an asset. So it doesn’t stand out anymore, especially when you are active on-chain.

3/ It’s possible to control this easily case by case, not gonna lie.

TO SUMMARIZE

I agree with this proposal because many victims have been community members for a while now (I’m here from the beginning) and they deserve some support imho in this nightmare. Moreover, 50k is less than 1% of our treasury so it shouldn’t impact future plans.

1/ I think we shouldn’t compare this hack to the first one. It was way longer than before. However, if we turn the problem around: if victims should have been warned and should have learned from the first hack, what about admins? It sounds like the people managing the DAO didn’t make any mistakes by getting hacked (again) and it’s entirely the victims’ fault.

2/ Hacks are everywhere; we didn’t need to live through the first CityDAO hack to be warned about it. Every new citizen should have the same knowledge about it as old ones. Knowing about security doesn’t depend on being part of the CityDAO hacks. That said, it’s more likely old members that need to be considered, for being OGs.

3/ The value is simple to calculate. For NFTs, it’s just the price in ETH it was sold for by the hacker accepting an offer, or FP if it’s less than this. For tokens, it’s the full amount of tokens if the price dropped since then, or the value of the swap made by the hacker.

As I said, I already consider starting from 0 again because I’m the only person that clicked on that damn link, but the link is there because of another mistake, innit? So I also think it’s good and healthy (in reasonable numbers) to help victims get through this when the mistake is shared. I think 5k capped is not that much and can help some members get back on their feet.

Thank y’all for reading me, love on everyone whatever is voted <3

1 Like

I agree with what you say and think it needs to be verbalised in another proposal. I think both proposals can co-exist and are important.

I appreciate this perspective, thank you for sharing!

2 Likes

If someone wants to charge us 50k to do ‘chain analytics’, that will be the biggest scam pulled so far on this DAO.

2 Likes

We would obviously take bids, but ideally we would want something more than just a basic “I look at the chain a bit” after action report. Ideally we would have a report we could bring to law enforcement that spoonfeeds them answers and possibly sets a path to recovery.

Hi, I also got my wallet drained for about $14k. I was a CityDAO lurker (heard about you guys through Kift) and was hoping to start participating with this airdrop, and then I got drained.
I’ve also been in crypto for several years and pride myself on not being scammed and seeing through phishing schemes. My guard was down because I trusted the discord. Not crying or complaining, just saying I trusted the discord and didn’t verify anything as I normally would. Clearly I’m biased, but I would be appreciative to somehow receive some type of recovery.

1 Like

This is the right thing to do, thank you :clap:

I’m not sure that the council is able to verify the veracity of each claim, or how this would be done. I think someone would need to be put in charge of this. The council has a specific set of tasks, and depending on the nature and number of claims, it seems like it is outside the scope of what the council can handle.

1 Like

not sure if others got an automated message from metasleuth to their wallet, but the one i received noted that the wallet drainer is a well-known scammer, ‘pinkdrainer’

thanks for sharing here @sentinelle ! i resonate a lot with your perspective and points shared here.

i’ve been following cityDAO for a while – i’d been meaning to get more involved in this project since i’m also working on an irl collective / land-based project, and felt like this drop was an opportunity to get involved.

some thoughts below:

  • [persistent / constant messages] i was also initially suspicious of the messages in the discord – i usually don’t click on airdrops, especially ones with time sensitivity, but since i’ve been wanting to get involved with cityDAO + i kept getting reminded of them, they piqued my curiosity.
  • [entire community discord got taken over, not individual accounts - which makes fact / truth checking more difficult] i did some rudimentary checking, like reading some of the discord message history (at this point, i didn’t realize the entire discord had been taken over) and messaging the scott (who was fake) who posted the message to ask some questions / test if he was real
  • [“authentic-sounding” / more sophisticated human scammers lending itself to more credibility] for context, they responded not only promptly, but with the same kind of tone / responses that i felt like were authentic – ie not what i’d expect bots or the usual scammer to sound like (usually overly robotic messages, or sounding too formal given that i know scott irl).

this all being said, there was definitely more due diligence i could have done – admittedly, there were red flags that i missed, and i take responsibility for those things. looking back after getting drained, the scam messages now feel obviously fake, but they were not in the moment. hindsight is truly 20/20

similar to the sentiment in other posts by victims, given my existing interest / desire to be more involved in this project (emotional), coupled with existing trust in the community discord (trust in infrastructure), i let my guard down and was scammed for the first time in my time in crypto, ~5 years or so

i’m noticing that through this thread, there have been multiple people commenting who have had several years in crypto and are getting scammed for the first time. i think it’s important to take into account the community trust in infrastructure when we consider reimbursing victims. given the legitimacy of the project / resources available for cityDAO, i had assumed more robust measures around security and infra that were more resistant to attacks like this

ultimately, i’ll assume responsibility for my actions. i understand both sides of this discussion, and at the very least, this was a really important / costly lesson for me in opsec + crypto security

thanks for considering the reimbursement and reading through this. even though the capped reimbursed amount would be roughly 20% of what i had lost ( :smiling_face_with_tear:), the effort and intention would mean a lot for the victims of this scam

2 Likes

Question: how do you see this Discord hack as different than the other Discord hack we had back in 2022?

I lost money in the first Discord hack and I was denied reimbursement. Pretty much the exact same situation, I was dm’d by a real-looking admin account.

imho, a specific person or team should be set up for this, not the council. This is more involved than simply collecting people’s information. There’s basic, but somewhat time-consuming, blockchain analysis, auditing, validations, cross referencing, and likely a LOT of discussions required with these users.

If this is to proceed, it needs a dedicated person or small team to execute on it most effectively.

1 Like

The mofos need to be caught.

Could bounty it maybe, and/or see if anyone at Boring Security could help. I would sleep better knowing the scammers were at the very least doxxed as a result of us stepping up to the plate and doing something like this.

1 Like

Def $50k is not needed for this I agree haha. Bounty most likely is the best and kinda only way to ensure proper results.

Thoughts?

Hi all

Long term lurker and holder of CityDAO.

I had a friend’s NFT I was holding taken by the scammers, so I can’t absorb the cost and need to reimburse her. Not your problem, ofc, it’s my own stupid fault.

Obviously I am biased, but for me it is the length of time it took for the discord hack to be addressed and the lack of communication on other channels that I think make CityDAO more responsible than last time. Lessons should have been learnt and protocols put in place.

This is the first scam that I have fallen for, and annoyingly it didn’t actually drain the wallet until I stupidly sent over some ETH so I could send my friend’s NFT back to her. Suddenly the pink drainer had funds to pay gas and poof, it went.

Anyway, I will be voting to reimburse and show outsiders that we look after our own.

I’ve heard other communities talking about the hack with stuff like “it’s such a shame, CityDAO was a great project”. I think showing the crypto world that we have the clout and will power as a community to absorb this sort of attack and protect each other shows that there’s more to this project than just financial gain.

Tweets were sent out on the day of the hack and on following days. A message was posted in this forum on the day of the hack. A message was posted in WeChat on the day of the hack. These are all the channels of communication.

I was banned from the server because I was warning people not to click on any link and it was likely 5-10 minutes after the hack.

I was scammed by this link and would like to add a few elements of context:

  • The CityDAO is a trustful place by default
  • The website was perfectly mimicked. I noticed the URL was weird but the website looked complete, I browsed other pages.
  • Metamask didn’t show any warning.

I used a wallet I thought empty on Polygon while there were some ETH left (0.45). That’s why I accepted the transaction too fast. When it switched to Ethereum I saw that the transaction was weird and stopped there. Then I got it was a scam. I noticed only later that I had a weird transaction on Polygon.

Of course I could have done better, like checking the Twitter and noticing weirdness in the Discord. But it’s the responsibility of the DAO too to provide a trustful place for its members. There is a lot of activity in the crypto space at the moment and we can be tired. I have significant experience in crypto and fell into the trap. So, anyone with less experience could have been scammed.

This partial reimbursement would show that the DAO is accountable and does its best to build a safe project. It’s not a meme project where community members will leave in 2 days, it’s a project where people have held their citizenship since the beginning. The expectations are not the same. If the DAO can’t afford to do it, it’s ok, but the option of telling people “you’re dumb, we don’t care” doesn’t show high standards. I’m glad to read that @scottfits takes this seriously.

FYI, this is the account that took my ETH: 0xf9a8bc30f360fcfca082629db5fe7f793e45d33e

1 Like