CIP-31: Should the DAO reimburse scam attack victims?

Context:
(taken from announcements channel in Discord)

Regarding the recent phishing scam hack
I wanted to give an update on the recent hack, the steps that have been taken and the next steps.

What happened?
:scroll: Please see the tweet thread @lyons800#0001 posted above that explains in detail what happened to his account.

:scroll: Here is another overview by another community that suffered the same hack (it seems like several communities have been hit with this - @calvin#8090 said he’s witnessed it happening in 3 different servers :frowning: ):

:scroll: Here is a 1-pager that goes over the timeline and extra context that has been found (massive shout-out to @DenverCitizen9#9674 for putting this together! :pray: )

Steps that have been taken

  1. **Removed threat: **Our first focus was on removing the threat to the community and ensuring that the Discord was secure. The hacker changed loads of settings (even locked channels so that members couldn’t warn others).

  2. Damage control + coordinate victims: Immediately after the acute threat was removed, our focus turned to assessing the damage to the community. We replied as quickly as possible to messages in all the channels, created a form for people who got scammed to let us know and shepherded scam-victims into support tickets so we had a clear point of contact to provide updates / next steps as we got them.

  3. Contact a professional for assistance: @lyons800#0001 (this is his new account, his compromised account has been banned) then contracted a professional to do a debrief and review of the server to check for any unknown vulnerabilities. That process gave more information on what happened (see lyons’ tweet thread above) and gave some peace of mind for CityDAO’s server that this time. That being said, web3 is the wild west and I encourage everyone to be extremely cautious here and in all servers you are a part of. I’ll just say it now: we will never do any “surprise drops”. We will always give dates in advance.

  4. Warn others: CityDAO posted a tweet immediately after we felt the server was secure and we have been reaching out to communities to let them know of this situation so they can best protect against it.

**What are the next steps? **

  1. Citizen vote to reimburse scam victims: See the snapshot below. I personally would like to see the DAO take care of those in our community who got scammed, but we feel this is a decision best voted on by the community.
    :ballot_box: Please vote here: Snapshot

  2. Improve security and education in the DAO: as we all know, scams are pervasive in web3 and as the industry continues to grow, this will only increase. We will be looking at ways we can improve in this area and a big focus will be on education around wallet security, notifications about new sophisticated scams, etc.

Let’s use this forum to discuss the currently ongoing vote in snapshot. This forum post should have went up before the vote and this is my mistake. I wanted to move quickly on this for the sake of the victims being reimbursed in a timely manner if the vote went that way. People who got scammed are understandably worried they may not be reimbursed and to be honest, not all are the most friendly or civil, so I felt it prudent to solve the situation quickly. I apologize for this mistake. We have this forum to discuss your opinions. The vote will be on for 3 days in total and was put into place 3 hours ago so there is lots of time for discussion.

Reminder: please keep the conversation civil and respectful.

4 Likes

Thanks for putting up this post and providing context @chance .

I think there are a few considerations here:

  • Of course, it is unfortunate that the Discord was compromised, and that some Discord members and Citizens got scammed.
  • Doing anything on-chain, one should always operate under the assumption that transactions are irreversible. Part of the risk native to crypto is rugs, scams, etc. If we reimburse this scam’s victims, should we also reimburse someone who was DM’ed from a fake admin account in the CityDAO server and then gave out their seed phrase? Should we reimburse someone who bought a shit NFT from the CityDAO server?
  • By reimbursing scam victims, we set a precedent for future attackers. If the Discord is compromised in a similar way, the attacker can send 100 ETH from an anon address to the attacker address, and can credibly claim to have been scammed out of 100 ETH from the attack.

I generally agree with the next steps you’ve outlined.

  1. The options in the Snapshot proposal are all reasonable. I don’t agree with the voting thresholds–they seem arbitrary and biased–but that’s more of an implementation detail. The most important piece is that Citizens are the ones voting, ideally after there’s been enough time for discussion here.
  2. Agreed as well, but the DAO can’t be in charge of babysitting and educating everyone in the Discord. At the end of the day, every transaction you sign and every seed phrase you send to a phisher has to be your responsibility.

I voted “NO” on the proposal before this forum post came up, but if I could change my vote I would change it to “Partially remediate” to reimburse verified scam victims for 50% of their scam amount. This was a particularly sophisticated attack and it is easy to sympathize with people who got scammed.

In addition, after this vote finishes, I will put up a CIP to not reimburse any scam victims in the future. If passed, this will codify that everyone is responsible for their own security, and that no transaction they sign is insured by CityDAO. It will also remove some of the incentive for scammers to juice the value of their scams with fake scam victim accounts.

6 Likes

My first response was also to vote no, as it is not the City’s job to run its citizen’s risk profiles.

However it is vital that we are educating ourselves before voting, and so I came here to see the whole picture. The core team are highly competent and well-intentioned so it is a surprise when I see a proposal I fully disagree with. I’m glad I did.

I think the key here is for us to be clear and specific about who we assign responsibility for this vulnerability, and who we will hold responsible in future (thanks eugene for introducing the concept).

Right now ENS is working on a vulnerability allowing unique, but visually identical accounts. This was one vulnerability used in the exploit.
The other was a discord vulnerability where a token that can be used to bypass 2fa is stored in blank text within the discord server console.

With the above said, here are my current thoughts:

  1. A person is responsible for their own wallet. If you send anything to another wallet it is no longer yours. Therefore, people should always verify where they are sending something.
  2. We the city are responsible for coming up with a workable verification system. Otherwise we cannot function.
  3. This attack shows that our verification systems were inadequate and need to be fixed (both ENS and Discord’s).
  4. Therefore we the city should reimburse the people who suffered under the broken system.
  5. We should also fix the verification system.

I’d also like to thank Lyons.eth and the core team for handling this so well. The problem was discovered and shutdown quickly, focusing on solutions instead of blame. And ownership was taken and information spread to the wider community for the greater good. That’s top-tier leadership right there.

4 Likes

I also voted no for now. That doesn’t mean I won’t vote yes in the future but I really thought back to @asincrypto @gugz & @elmo 's discussion about quorum and the size of this disbursement.

I stand by what I said the other day about this being an issue for the council, but a disbursement of this size should have a minimum quorum of more than 100 votes.

I am sympathetic to the size and sophistication of this attack and if we are going to reimburse folks I think we need to better understand the scope and nature of the various claims. I also would frankly rather spend up to 10 or 15 ETH in actually hiring chain analytics to track this scammer down.

2 Likes

Unfortunate event really, sorry for who is lost.

But this is still decentralized world where everyone should take care of their own mistake. Yes it’s from the official announcement of our discord, this is bad. But I don’t think it’s fair for other members to compensate for.

What can be improve here? security and recovery fund is what we can agree with. We can start thing like, 0.1% of our fund (or income?) is for security purpose. That’s a solution.

Thank you, love you all

My vote YES. For this incedent only.

DAO is an organization, first of all, and if organization doesn’t care about members than if you will ask me, this organization doesn’t need to exist at all. Especialy If organization members was harmed becouse of DAO weak security.

This should be a lesson for everyone, especialy fore those persons who make a blind YES votes on previus CIPs. And this should be a lesson that we as a DAO have to put higher priority to security issues.

I’m preaty sure that security is the same or even higher priority than mayor position creation :wink:

1 Like

Hi, I’m a victim of this incident. But thinking about the long term benefit of this project, I still believe it’s wiser to reimburse the victims. Hope people who have voted can reevaluate their votes after reading.

First, this incident is majorly caused by the inadequate security measures of the DAO, rather than victims not responsible for their wallets.

  1. Folks say people should be responsible for their own wallets. I completely understand and agree.
  2. However, personally I have never been scammed like this. I’ve been in this space for a while and I have always been extremely careful with interacting with websites and contracts.
  3. Why did I fall for this scam? Because I trusted the cityDAO team and the mods should have good security measures and will not share scams within its own channels.

My intention is not to blame people but to hope people can take this into consideration.

Second, the cityDAO I’d like to see is a united, mutually supportive community. When some of our people are hurt because of our own mistakes, do we just ignore them and say “it’s your own fault”? Is this the right example we’d like to set for future generations of cityDAO citizens? Is this the type of city we are building that can attract more people to come in? Everyone makes mistakes, cannot we all be empathetic and support each other?

Yesterday I read this post on Twitter https://twitter.com/TheMauiWowi/status/1480616994882093056,
“”"
Today, a rare dood (floor 40 E) was sold by accident at 8 ETH. It was then quickly flipped at 17 ETH. Owner of the dood didn’t ask for anything but the @doodles community came together to get him the 9 ETH he needed to buy at cost from the fellow dood. i fucking love the doodles.
“”"
It shows so much love and mutual support within the Doodles community when peers make mistakes. And it’s getting a lot of love when being talked about on Twitter.

So ask yourself - do you want to build an emphatic, mutually supportive city, or not?

5 Likes

I think you make a really good point here. However, are we sure that it was the DAO’s weak security? As far as I understood, the admins had their 2FAs on. Was there something else they could have done to prevent this? If so, then I will also vote to reimburse but only on this ocassion.

In case the DAO decides to not reimburse, we could open a donation fund and ask citizens to donate however much they want and reimburse those affected with that fund (proportion to their loss). Just a thought.

4 Likes

The reason is that the team member number problem caused other people to lose

2 Likes

yes, we must pay for our mistake!!!
what is DAO? how we will build it , how is going our organization?
we will do it together, we will keep our words and do if for longtime

Looking back at the incident, despite the best efforts of the officials and the seemingly inevitable nature of such fraud, both the official and the victims were at fault. Therefore the victims should be partially compensated and comforted.

If the vote on compensation does not pass, we can give priority to the victims’ addresses in subsequent plans, such as automatically listing the wallet addresses of victims with citizenship status as eligible addresses in the next land NFT lottery.

We cannot let people who love and participate in citydao activities suffer because of incidently scam, and taking care of all citizens as much as possible and reflecting warmth is the ideal country that people seek

3 Likes

I vote for partial compensation. This is due to both the nature of the attack and the necessity for risk management that is up to the individual themselves. I say this, as a person who lost .1 ETH in the incident. The announcement came from an account who I have interacted with directly in the past (though obviously hacked in this moment), and the funds lost was something that, if it went to zero- like it did, I would be 100% okay afterwards.

In fact, I would like funds to be used to tighten security measures, and request that the DAO forward everything to Discord as well, so they may patch their software to have better security measures.

2 Likes

Thst’s a realy important question! Thank you!

This vulnerability was known at least for 1 month, it’s not a 0-day.

My opinion that, if person’s that represent DAOs official information chanel’s, trough Discord as an instrument, doe’snt know about such a great vulnerability of it’s instrument then yes, we can talk about DAO weak security.

I’m not atacking core team guy’s, I am talking about DAO. Every citizen (including me) was able to sugest some security mesure in CIP. Everyone was able to say “Hey, what about DAO security?”, but nowone did.

Obviusly that core team has a lot of thing to do, so I understand why they can miss info about that vulnerability. But no one think why there is no person in DAO that is responsible for DAO security, whoes only responsibilitys (relatively speaking) is to find such an info and explain it to everyone (especialy for those, who represent’s official DAO information chanels.

Thet’s why I’m saying that everyone responsible for thet incident.

That’s why I think that victims have to be reimburs comlitley.

That’s why I’m sured that DAO at least have to add one new rule “Verify all the official info trouhg all possible chanels”.

Also if DAO going to pay some salary to paid “roles” than with mayor we have to find some kind sheriff (with a small part of those sugested money we could hire nice security specialist on a full time basis).

This is addresed to everyone who read: Just to make it clear, i’m not a victim. I’m just a person with 10 citizen nft’s :slightly_smiling_face: Be kind to each other, greed leads to poverty :wink:

2 Likes

A lot of citizen’s from neighbour thread was inrested to vote YES for 50k$ allocation to send our core team members to some big crypto event. We talked in that thread about DAO representation. Only around 100k$ is needed to fully reimburse.

What will we represent if we will not help to harmed victims? Just think about it…

+100 on this. We should really hire someone to take care of security on daily or at least weekly basis (updating new type of scams, posting recent hack happened in other communities, etc.) We have a budget for that for sure considering that 50k package which are likely to pass. Moreover, I would suggest that we open a new channel dedicated for this purpose and let everyone to dump anything they feel related to security issue also. In fact, I’ve read that at least 2 two our community members have heard about this kind of scam before but were not encouraged to post it in our DAO prior to the incident. This will open the door for many to participate especially those from our many local-communities in which many members are not really find comfortable to contribute in other roles (dumping possible security issue is easy for everyone to do, in my opinion).

I agree with my friend @Blackacres, spend the money to tighten security and reimburse the remainder to the victims equally. I think this is the most fair way.

This isn’t a bad idea. We could issue a POAP to the victims and they could get some kind of special access in the future.

1 Like

I voted ‘partial’; I was not a victim of the attack (afaik!). A couple of points I would like to put in the mix.

  1. How do we view our fellow citizens; are they part of an important community or just looking to flip this like any other NFT? Clearly one group warrants more sympathy than the other! If the affected parties are in the first group, how might they wish to thank the community if they are helped out… maybe emptying the trash or watering the plants for the next year?
  2. How much is in the DAO Treasury and therefore what % would be spent on a (for example) partial reimbursement?
  3. What more can be done to ensure that a future attack could not possibly scam us collectively out of the group’s treasury funds. Is our Governance here sufficiently robust - a question for the Council?

This is an important test of this embryonic group I hope we pass!

P.S. Looking back at ‘The DAO’ in 2016, perhaps we can ask the Ethereum Foundation for a hard-fork to fix this :slight_smile:

Hi @chance,

I’m looking through the snapshot text and the current rules for the results don’t seem to make sense to me.

Let’s say the result is as follows (the current values in the snapshot):

No remediation: 48%
Partial remediation: 17%
Remediate: 15%
Remediate + gas: 21%

Under the rules stated the process would be as follows:

  1. Eliminate ‘No remediation’, as less than 50%’
  2. Eliminate ‘Partial’, as less than 50% of remaining
  3. ‘Remediate + gas’, wins as > 50% of remaining

So even though 65% of people have voted for partial or no remediation, the result is full remediation? Wouldn’t it make more sense in that scenario to either:

a) run again without the ‘No remediation’ option

or

b) go with ‘Partial remediation’

Perhaps I’m misunderstanding, but if not, do you mind explaining why you’ve gone with the rules as stated?

Thanks.

2 Likes