Thanks for putting up this post and providing context @chance .
I think there are a few considerations here:
- Of course, it is unfortunate that the Discord was compromised, and that some Discord members and Citizens got scammed.
- Doing anything on-chain, one should always operate under the assumption that transactions are irreversible. Part of the risk native to crypto is rugs, scams, etc. If we reimburse this scam’s victims, should we also reimburse someone who was DM’ed from a fake admin account in the CityDAO server and then gave out their seed phrase? Should we reimburse someone who bought a shit NFT from the CityDAO server?
- By reimbursing scam victims, we set a precedent for future attackers. If the Discord is compromised in a similar way, the attacker can send 100 ETH from an anon address to the attacker address, and can credibly claim to have been scammed out of 100 ETH from the attack.
I generally agree with the next steps you’ve outlined.
- The options in the Snapshot proposal are all reasonable. I don’t agree with the voting thresholds–they seem arbitrary and biased–but that’s more of an implementation detail. The most important piece is that Citizens are the ones voting, ideally after there’s been enough time for discussion here.
- Agreed as well, but the DAO can’t be in charge of babysitting and educating everyone in the Discord. At the end of the day, every transaction you sign and every seed phrase you send to a phisher has to be your responsibility.
I voted “NO” on the proposal before this forum post came up, but if I could change my vote I would change it to “Partially remediate” to reimburse verified scam victims for 50% of their scam amount. This was a particularly sophisticated attack and it is easy to sympathize with people who got scammed.
In addition, after this vote finishes, I will put up a CIP to not reimburse any scam victims in the future. If passed, this will codify that everyone is responsible for their own security, and that no transaction they sign is insured by CityDAO. It will also remove some of the incentive for scammers to juice the value of their scams with fake scam victim accounts.