CityDAO has recently been the victim of a hack, and will continue to be a target for hackers and scammers as the DAO grows in visibility.
This proposal is for CityDAO to publicly commit to never reimbursing future scam victims, whether the vulnerability is CityDAO’s fault or not, whether the victims are Citizens or not, etc.
This aligns with the ethos that no matter what, everyone is responsible for their own security and for the transactions they sign. No transaction signed is insured by CityDAO.
It also removes one potential attack vector created by reimbursing victims, which is attackers pretending to get scammed themselves.
Hi @eugene. I wonder whether there is a need to make a blanket statement or rule that will cover as yet unforeseen events. I think one of the best aspects of on-chain governance is that we can make decisions as a community, transparently, as needed. This hopefully could remove the need to make “laws” that will cover situations that have not yet happened.
@eugene I’m curious if you’ve heard of known examples where scammers use pretending to get scammed as an attack vector? I assume this exists and is quite rampant (for example, most NFT project creators who have the money and can easily disperse it have the incentive to quickly reimburse ppl bc of how traumatic these hacks can be for a community).
Also, can we think of a case where the “no matter what” could box the DAO in in the future? Just want to be thorough while thinking about this.
Thanks for the feedback. The idea here is not to bind CityDAO to any future actions, it is to establish a default course of action, and to signal to Citizens and guests that they should not expect reimbursement for scams, and that they should be cautious when acting in an adverse on-chain environment.
In practice, this CIP, if passed, can still be superseded by future CIPs.
I have not heard of such a case, but it was the first thing that came to mind when thinking of unintended consequences of reimbursing for the previous hack. I assume if this does happen it is often difficult to track down.
As for boxing in the DAO, this CIP can be superseded by future CIPs so in effect it is more for establishing a default and strongly signaling to Citizens and guests that we are generally not the kind of place where you can get refunds for scams.
I know you are trying to use this to raise the security awareness of the community and repel any possible pretend-to-be-tricked attacks. But I think it’s unnecessary to make such a commitment, especially in the early stages of construction. We can provide more security tips and warnings, which is much warmer for citizens.
Future victims may have legitimate rights. Proactively saying “no payouts” could be construed as an attempt to limit those rights.
Short version: far too many variables to consider for all future concerns. While I think part of this is intended to be symbolic, I also believe that a “no” vote sets a similar precedent