Context:
(taken from announcements channel in Discord)
Regarding the recent phishing scam hack
I wanted to give an update on the recent hack, the steps that have been taken and the next steps.
What happened?
Please see the tweet thread @lyons800#0001 posted above that explains in detail what happened to his account.
Here is another overview by another community that suffered the same hack (it seems like several communities have been hit with this - @calvin#8090 said he's witnessed it happening in 3 different servers):
Here is a 1-pager that goes over the timeline and extra context that has been found (massive shout-out to @DenverCitizen9#9674 for putting this together!)
Steps that have been taken
**Removed threat:** Our first focus was on removing the threat to the community and ensuring that the Discord was secure. The hacker changed loads of settings (even locked channels so that members couldn't warn others).
**Damage control + coordinate victims:** Immediately after the acute threat was removed, our focus turned to assessing the damage to the community. We replied as quickly as possible to messages in all the channels, created a form for people who got scammed to let us know and shepherded scam victims into support tickets so we had a clear point of contact to provide updates / next steps as we got them.
**Contact a professional for assistance:** @lyons800#0001 (this is his new account, his compromised account has been banned) then contracted a professional to do a debrief and review of the server to check for any unknown vulnerabilities. That process gave more information on what happened (see lyons' tweet thread above) and gave some peace of mind for CityDAO's server this time. That being said, web3 is the wild west and I encourage everyone to be extremely cautious here and in all servers you are a part of. I'll just say it now: we will never do any 'surprise drops'. We will always give dates in advance.
**Warn others:** CityDAO posted a tweet immediately after we felt the server was secure and we have been reaching out to communities to let them know of this situation so they can best protect against it.
**What are the next steps?**
**Citizen vote to reimburse scam victims:** See the snapshot below. I personally would like to see the DAO take care of those in our community who got scammed, but we feel this is a decision best voted on by the community. Please vote here: Snapshot
**Improve security and education in the DAO:** as we all know, scams are pervasive in web3 and as the industry continues to grow, this will only increase. We will be looking at ways we can improve in this area and a big focus will be on education around wallet security, notifications about new sophisticated scams, etc.
Let's use this forum to discuss the currently ongoing vote in snapshot. This forum post should have gone up before the vote and this is my mistake. I wanted to move quickly on this for the sake of the victims being reimbursed in a timely manner if the vote went that way. People who got scammed are understandably worried they may not be reimbursed and to be honest, not all are the most friendly or civil, so I felt it prudent to solve the situation quickly. I apologize for this mistake. We have this forum to discuss your opinions. The vote will be on for 3 days in total and was put into place 3 hours ago so there is lots of time for discussion.
Reminder: please keep the conversation civil and respectful.
Thanks for putting up this post and providing context @chance.
I think there are a few considerations here:
Of course, it is unfortunate that the Discord was compromised, and that some Discord members and Citizens got scammed.
Doing anything on-chain, one should always operate under the assumption that transactions are irreversible. Part of the risk native to crypto is rugs, scams, etc. If we reimburse this scam's victims, should we also reimburse someone who was DM'ed from a fake admin account in the CityDAO server and then gave out their seed phrase? Should we reimburse someone who bought a shit NFT from the CityDAO server?
By reimbursing scam victims, we set a precedent for future attackers. If the Discord is compromised in a similar way, the attacker can send 100 ETH from an anon address to the attacker address, and can credibly claim to have been scammed out of 100 ETH from the attack.
I generally agree with the next steps you've outlined.
The options in the Snapshot proposal are all reasonable. I don't agree with the voting thresholds (they seem arbitrary and biased) but that's more of an implementation detail. The most important piece is that Citizens are the ones voting, ideally after there's been enough time for discussion here.
Agreed as well, but the DAO can't be in charge of babysitting and educating everyone in the Discord. At the end of the day, every transaction you sign and every seed phrase you send to a phisher has to be your responsibility.
I voted 'NO' on the proposal before this forum post came up, but if I could change my vote I would change it to 'Partially remediate' to reimburse verified scam victims for 50% of their scam amount. This was a particularly sophisticated attack and it is easy to sympathize with people who got scammed.
In addition, after this vote finishes, I will put up a CIP to not reimburse any scam victims in the future. If passed, this will codify that everyone is responsible for their own security, and that no transaction they sign is insured by CityDAO. It will also remove some of the incentive for scammers to juice the value of their scams with fake scam victim accounts.
My first response was also to vote no, as it is not the City's job to run its citizens' risk profiles.
However it is vital that we are educating ourselves before voting, and so I came here to see the whole picture. The core team are highly competent and well-intentioned so it is a surprise when I see a proposal I fully disagree with. I'm glad I did.
I think the key here is for us to be clear and specific about who we assign responsibility for this vulnerability, and who we will hold responsible in future (thanks eugene for introducing the concept).
With the above said, here are my current thoughts:
A person is responsible for their own wallet. If you send anything to another wallet it is no longer yours. Therefore, people should always verify where they are sending something.
We the city are responsible for coming up with a workable verification system. Otherwise we cannot function.
This attack shows that our verification systems were inadequate and need to be fixed (both ENS and Discordās).
Therefore we the city should reimburse the people who suffered under the broken system.
We should also fix the verification system.
Iād also like to thank Lyons.eth and the core team for handling this so well. The problem was discovered and shutdown quickly, focusing on solutions instead of blame. And ownership was taken and information spread to the wider community for the greater good. Thatās top-tier leadership right there.
I also voted no for now. That doesnāt mean I wonāt vote yes in the future but I really thought back to @asincrypto@gugz & @elmo 's discussion about quorum and the size of this disbursement.
I stand by what I said the other day about this being an issue for the council, but a disbursement of this size should have a minimum quorum of more than 100 votes.
I am sympathetic to the size and sophistication of this attack and if we are going to reimburse folks I think we need to better understand the scope and nature of the various claims. I also would frankly rather spend up to 10 or 15 ETH in actually hiring chain analytics to track this scammer down.
But this is still a decentralized world where everyone should take care of their own mistakes. Yes, it's from the official announcement channel of our Discord, this is bad. But I don't think it's fair for other members to compensate for it.
What can be improved here? A security and recovery fund is something we can agree on. We can start with something like: 0.1% of our fund (or income?) is for security purposes. That's a solution.
A DAO is an organization, first of all, and if an organization doesn't care about its members then, if you ask me, this organization doesn't need to exist at all. Especially if organization members were harmed because of the DAO's weak security.
This should be a lesson for everyone, especially for those persons who made blind YES votes on previous CIPs. And this should be a lesson that we as a DAO have to put higher priority on security issues.
I'm pretty sure that security is the same or even higher priority than the mayor position creation.
Hi, Iām a victim of this incident. But thinking about the long term benefit of this project, I still believe itās wiser to reimburse the victims. Hope people who have voted can reevaluate their votes after reading.
First, this incident is majorly caused by the inadequate security measures of the DAO, rather than victims not responsible for their wallets.
Folks say people should be responsible for their own wallets. I completely understand and agree.
However, personally I have never been scammed like this. I've been in this space for a while and I have always been extremely careful when interacting with websites and contracts.
Why did I fall for this scam? Because I trusted that the cityDAO team and the mods would have good security measures and would not share scams within their own channels.
My intention is not to blame people but to hope people can take this into consideration.
Second, the cityDAO I'd like to see is a united, mutually supportive community. When some of our people are hurt because of our own mistakes, do we just ignore them and say 'it's your own fault'? Is this the right example we'd like to set for future generations of cityDAO citizens? Is this the type of city we are building that can attract more people to come in? Everyone makes mistakes, can we not all be empathetic and support each other?
Yesterday I read this post on Twitter https://twitter.com/TheMauiWowi/status/1480616994882093056:
"Today, a rare dood (floor 40 E) was sold by accident at 8 ETH. It was then quickly flipped at 17 ETH. Owner of the dood didn't ask for anything but the @doodles community came together to get him the 9 ETH he needed to buy at cost from the fellow dood. i fucking love the doodles."
It shows so much love and mutual support within the Doodles community when peers make mistakes. And it's getting a lot of love when being talked about on Twitter.
So ask yourself - do you want to build an empathetic, mutually supportive city, or not?
I think you make a really good point here. However, are we sure that it was the DAO's weak security? As far as I understood, the admins had their 2FAs on. Was there something else they could have done to prevent this? If so, then I will also vote to reimburse, but only on this occasion.
In case the DAO decides to not reimburse, we could open a donation fund and ask citizens to donate however much they want and reimburse those affected with that fund (proportional to their loss). Just a thought.
yes, we must pay for our mistake!!!
What is a DAO? How will we build it, how is our organization going?
We will do it together, we will keep our word and do it for a long time.
Looking back at the incident, despite the best efforts of the officials and the seemingly inevitable nature of such fraud, both the officials and the victims were at fault. Therefore the victims should be partially compensated and comforted.
If the vote on compensation does not pass, we can give priority to the victims' addresses in subsequent plans, such as automatically listing the wallet addresses of victims with citizenship status as eligible addresses in the next land NFT lottery.
We cannot let people who love and participate in citydao activities suffer because of an incidental scam, and taking care of all citizens as much as possible and showing warmth is the ideal country that people seek.
I vote for partial compensation. This is due to both the nature of the attack and the necessity for risk management that is up to the individuals themselves. I say this as a person who lost .1 ETH in the incident. The announcement came from an account I have interacted with directly in the past (though obviously hacked in this moment), and the funds lost were something that, if it went to zero, like it did, I would be 100% okay afterwards.
In fact, I would like funds to be used to tighten security measures, and request that the DAO forward everything to Discord as well, so they may patch their software to have better security measures.
This vulnerability was known for at least 1 month, it's not a 0-day.
My opinion is that if the persons who represent the DAO's official information channels, through Discord as an instrument, don't know about such a great vulnerability of their instrument, then yes, we can talk about the DAO's weak security.
I'm not attacking the core team guys, I am talking about the DAO. Every citizen (including me) was able to suggest some security measure in a CIP. Everyone was able to say 'Hey, what about DAO security?', but no one did.
Obviously the core team has a lot of things to do, so I understand why they could miss info about that vulnerability. But no one thinks about why there is no person in the DAO who is responsible for DAO security, whose only responsibility (relatively speaking) is to find such info and explain it to everyone (especially to those who represent official DAO information channels).
That's why I'm saying that everyone is responsible for that incident.
That's why I think that victims have to be reimbursed completely.
That's why I'm sure that the DAO at least has to add one new rule: 'Verify all the official info through all possible channels'.
Also, if the DAO is going to pay some salary to paid 'roles', then along with the mayor we have to find some kind of sheriff (with a small part of that suggested money we could hire a nice security specialist on a full-time basis).
This is addressed to everyone who reads: just to make it clear, I'm not a victim. I'm just a person with 10 citizen NFTs. Be kind to each other, greed leads to poverty.
A lot of citizens from the neighbouring thread were interested in voting YES for a $50k allocation to send our core team members to some big crypto event. We talked in that thread about DAO representation. Only around $100k is needed to fully reimburse.
What will we represent if we do not help the harmed victims? Just think about it…
+100 on this. We should really hire someone to take care of security on a daily or at least weekly basis (updating on new types of scams, posting recent hacks that happened in other communities, etc.). We have a budget for that for sure, considering that 50k package which is likely to pass. Moreover, I would suggest that we open a new channel dedicated to this purpose and let everyone dump anything they feel is related to security issues as well. In fact, I've read that at least two of our community members had heard about this kind of scam before but were not encouraged to post it in our DAO prior to the incident. This will open the door for many to participate, especially those from our many local communities in which many members do not really feel comfortable contributing in other roles (dumping possible security issues is easy for everyone to do, in my opinion).
I agree with my friend @Blackacres, spend the money to tighten security and reimburse the remainder to the victims equally. I think this is the most fair way.
I voted āpartialā; I was not a victim of the attack (afaik!). A couple of points I would like to put in the mix.
How do we view our fellow citizens; are they part of an important community or just looking to flip this like any other NFT? Clearly one group warrants more sympathy than the other! If the affected parties are in the first group, how might they wish to thank the community if they are helped outā¦ maybe emptying the trash or watering the plants for the next year?
How much is in the DAO Treasury and therefore what % would be spent on a (for example) partial reimbursement?
What more can be done to ensure that a future attack could not possibly scam us collectively out of the group's treasury funds? Is our Governance here sufficiently robust - a question for the Council?
This is an important test of this embryonic group I hope we pass!
P.S. Looking back at 'The DAO' in 2016, perhaps we can ask the Ethereum Foundation for a hard-fork to fix this.
Under the rules stated the process would be as follows:
Eliminate āNo remediationā, as less than 50%ā
Eliminate āPartialā, as less than 50% of remaining
āRemediate + gasā, wins as > 50% of remaining
So even though 65% of people have voted for partial or no remediation, the result is full remediation? Wouldnāt it make more sense in that scenario to either:
a) run again without the āNo remediationā option
or
b) go with āPartial remediationā
Perhaps Iām misunderstanding, but if not, do you mind explaining why youāve gone with the rules as stated?