CIP-31: Should the DAO reimburse scam attack victims?

I voted no. My reasoning was that, while this was a sophisticated socially engineered hack, it was ultimately the result of an individual’s error of judgment. It is very unfortunate that this error of judgment was made based on the reasonable assumption that they could trust the username and related information without more careful investigation. I, myself, was the victim of a very similar scam a while ago, where I lost a significant amount of money.

As eeeeethan stated, everyone makes mistakes. That is true. And I strongly believe in empathy. If the community chooses to come together and voluntarily take up a collection, as he says the doodle community did for the owner of a “rare dood” who accidentally sold it below the floor price, that would be fine because it would be the decision of each individual who chose to reimburse. This case is different. This is a vote to take funds out of a shared treasury, essentially taking money away from people without their consent, to give it to someone who made assumptions, however reasonably, and got scammed.

I believe this sets a dangerous precedent. It would mean that every time someone gets scammed, the community treasury could be used to reimburse them rather than for the stated purposes of forwarding CityDAO as an organization.

I like this idea; although I voted for partial reimbursement, I agree it sets a precedent, and, to refer to my earlier point, the extent to which people contributed to a voluntary collection would in some way reflect how much they see this project as a true ‘community’, as the ‘doo’ owners clearly considered themselves.

My vote is yes, to reimburse the victims fully, including gas fees. The security of the DAO was compromised. This was not a situation where victims were personally DM’d by the scammer. The scammer posed as a dev. This is something the team could have possibly prevented if they were aware that this sophisticated type of attack could be possible in the first place. The security of the DAO was compromised.

DAOs and crypto projects are nothing without their community. A strong community watches each other’s backs. There are plenty of examples of other crypto projects that ask no questions and fully reimburse the victims in similar situations. People don’t leave those communities. In fact, more people join. Alien Frens had the same situation happen to their Discord server and members were fully reimbursed. This is literally how I came across Alien Frens on Twitter and how it caught my attention in the first place. I’m sure I’m not the only one.

I believe that if this were a situation where victims were personally DM’d it would be full responsibility on their end. The scammer went onto the Discord, posed as the dev and announced it to the entire Discord. Actions were not taken quickly enough to stop people from clicking on the link.

At the end of the day, this is an insignificant portion of the DAO’s treasury. Make things right, and in turn keep everyone excited about the project and spreading the word about CITYDAO.

2 Likes

My vote is to remediate 100% including gas fees. I wasn’t a victim in this scam, but as a member of the DAO, I find it concerning that so many people have voted for no remediation. I didn’t think there would be any hesitation at all to reimburse victims.

If it were due to the poor care and decisions of the people who got scammed, it would be a different story. But because an admin’s account got hacked and members of the community who trust in the team and project followed the link, they lost their funds. I’ve heard the argument that some people were still getting scammed hours later, which I don’t know how that is possible, since the link was taken down and the Discord was blasted with warnings of the scam. But it might be reasonable to have a cutoff time for those who get reimbursed. Whether it’s 15, 30, 60 mins… I think some time cutoff should be introduced, looking at the transaction hash to see when someone clicked on the link. Those who were still trying to mint hours later would not get reimbursed funds due to their poor care or lack of attention in the community.

When other communities have had hacks, the communities that didn’t hesitate to reimburse are the ones that thrived. The most recent example I recall is Alien Frens. When Alien Frens paid their members who got scammed, the price of the NFT went from 0.7 ETH to over 4 ETH in 2-3 days. When there is trust and confidence in a community, it attracts attention and new interest. When that trust is not there, people unfortunately will leave the project and word will spread through the NFT/crypto community.

I also don’t see the negative benefit to holders for remediating. Someone on Discord argued that the treasury is “ours”. But as investors, we aren’t paid from the treasury. There are no airdrops, no way to stake the NFTs to receive rewards from the treasury… I would say that the NFT and its price is a much better indication of our investment health and the community’s.

3 Likes

Could you please explain one thing to me… If a person who is in charge of DAO social accounts and has administrative access to them becomes a victim of some trojan or other malicious program that grants a hacker access to those social media accounts, and it causes a bigger “error of judgment”, will that precedent be judged as a DAO problem, or as the individual problem of the victims?

As far as I know, and I’m sure that you know as well, we have no rules regarding “rechecking info even from official sources”; we don’t even have precautions regarding this.

Or do I misunderstand you, and when you talk about the “result of an individual’s error of judgment” you mean that the only responsible person is the core team member that was involved in this, not the DAO?

I just want to understand the path of your thoughts.

As for me, if an individual is harmed because of direct hacking actions, it’s the individual’s problem, but in our case the hacked person represents the DAO, and it caused a lot of victims. So I completely don’t understand why it’s the individual’s problem.

1 Like

I think we can debate all day to assign ‘how much’ responsibility each party bears (individual vs core team), but it’s largely irrelevant. I think there is general consensus that both parties are simultaneously victims and neither bears sole responsibility for being victimized.
Bottom line is that we need to decide how we want to remedy this fault as a community.
To do everything will probably be close to 50 ETH (including gas and our gas costs).

Approximately 30 ETH was lost and I think we have clear consensus on the following actions:

  1. Spend up to 30 ETH to fix the issue.
  2. Spend (5 to 10 ETH??) of this budget to improve DAO security.
  3. Establish a voluntary victims fund to bridge the gap.
  4. Allocate 2 ETH to @denvercitizen to do a chain analysis, work with other DAOs and track down what we can.
  5. Reimbursements at a MINIMUM (pro rata / or equal by person / full / full plus gas?) basis to the victims.

After that is completed we can bridge the gap with a volunteer victims fund.

3 Likes

This was an error that was missed. You are correct.

1 Like

One failure doesn’t define anyone. We’ve already achieved as first project to step in CityDaos.

However, for this hard time I voted ‘Partial pay’. We should promptly support the ones who lost funds in a proper way, doing confirmation and auditing the evidence to make sure that it’s correct. More than that, I’m talking about “significant” things: to be aware of malicious persons/programs and fortified against those scams for the future. Let’s set up the system and guard for them, because these will ruin us if it happens again at a magnitude we cannot be protected from.

1 Like

Hi all, appreciate the mentions and think it’s really cool that we are looking out for our people.

For this scam, and for the vote, I think it was difficult to sort out while we were reeling from the attack. I also think the vote was a little diluted between a “hard no” and 3 possible options with ambiguous specifics. While well-intended to get something out there very quickly, the effect was maybe counterproductive in that only gut reactions had a chance to be heard.

I propose we spend up to 4.5 ETH to compensate victims 0.1 ETH each, if they were citizens at the time of the scam.

While this doesn’t make everything right, it does skew towards benefiting victims who are in this for the community / who may have had limited choices but believed in this project over others; we don’t want to lose them. For “bigger fish” who lost more this probably won’t be satisfying, but the point for this first pass is not to fix everything, but to see if we can get one thing passed which has a good chance of actually helping citizens.

Please pay the victims

The application this project uses to support the ecosystem, “DISCORD”: it is common knowledge that it is hackable.

Devs here would know this from day 1 with previous project hacks within Discord itself.

I’m also very biased on the long detailed comments from others saying “don’t pay them”. Are these members victims? Or just sitting on the sidelines adding input?

My opinion is this: every project here that doesn’t refund people dies, whether it’s a slow one or a drawn-out one.

People want to make profits, which is cool, but in the back of their minds they always remember to be careful or more money will be lost.

Hacks are hacks, whether an inside job or not, and as far as I’m concerned hacks are 79% insider jobs.

Please be the project people can talk about for years from now.

DISCORD

Here’s the story of how I ended up actually talking to the hacker (on Discord) while this hack was live, along with my opinion:

Firstly: after this embarrassing situation and numerous recommendations to ignore the announcements channel, I ignored the announcements channel for a little bit to let things settle. Today I checked in and saw I missed the snapshot vote; it was only live for 2 days and was posted in the same chan as the hack chan… I don’t agree with those 2 important decisions. I wonder how many other people did not vote who would have otherwise.

I do not agree that the results of this current vote reflect accurately a community opinion.

The full story, with background info:

Parcel0 NFTs were supposed to launch but were postponed. This created anticipation among the minds of many people eager to participate, and I was one of those people. Also, we all know there’s website work in development, and sometimes that affects how domains, sub-domains or new URLs are set up.

I saw the announcement sent from Lyonns’ compromised account about the hacker’s NFT drop on a new domain URL. Being in the announcements channel and sent by an admin gives a lot of credibility to the message. Being on a different URL seemed potentially to align with some web work that may have been underway, but still seemed a bit odd, so I messaged Lyonns to see what’s up, not knowing that his account was compromised. The not-Lyonns Lyonns replied to assure me it was fine. This was part of my diligence to verify authenticity, and since the hacker prevented other admins from responding there was no other info to go off of.

Side note but relevant: when I joined ConstitutionDAO, their initial website was a lot worse looking than the hacker’s fake NFT drop site, and ConstitutionDAO was, it seems, pretty legit. Expectations for professional-looking presentations are set very low in crypto.

Being eager to participate in Parcel0 + having missed the last town-hall meet for Parcel0 info + understanding there was active web work in progress + having a 1-1 chat with an admin to verify created a scenario to me + referencing the low-quality ConstitutionDAO site to reason away the hacker’s low-quality site = a bit surprised, but this is crypto so probably ok.

I’m not saying that we should or should not have scammed funds reimbursed to victims. What I’m saying is that the recent vote IMO might not reflect a proper consensus.

1 Like