GIP - 127: Should GnosisDAO reimburse liquidity providers in the Balancer EURe/sDAI pool for lost opportunity caused by the issue reported by NolanV?

GIP: 127
title: Should GnosisDAO reimburse liquidity providers in the Balancer EURe/sDAI pool for lost opportunity caused by the issue reported by NolanV?

author: kpk

type: Funding

created: 2025-07-01

duration: 3 months

funding: 330,000 xDAI distributed over three months, plus 33,000 xDAI bounty for NolanV

This communication aims to address an issue that was identified with the EURe / sDAI stable pool on Gnosis Chain, regarding a misconfiguration of the parameters.

Introduction

The pool has played a meaningful role in supporting Gnosis Pay’s growth over the past 18 months, and we are treating recent reports with the seriousness they deserve.

The pool was created on October 3, 2023, using Balancer’s permissionless infrastructure. The pool design utilized Balancer’s StablePool technology with a rate provider intended to concentrate liquidity around the EUR/USD spot price. However, at the time of creation, the rate provider cache duration was configured to 3 hours. This configuration introduced windows where stale pricing could occur, allowing arbitrageurs to capture value. As a result, we estimate that LPs may have incurred aggregate losses of up to 330,000 USD. The higher volume activity observed during these windows did not translate into sustained fee generation for liquidity providers.

Timeline

  • October 3, 2023: Pool was created on Gnosis Chain.
  • February 20, 2025: An internal review of Gnosis DAO liquidity positions revealed a loss in the EURe / sDAI pool. This led to a broader analysis of the pool’s configuration. It was determined that the Rate Cache Duration needed to be updated.
  • March 4: A BIP was initiated by Balancer governance to grant the necessary permissions.
  • March 5–10: Governance voting period.
  • April 7: Execution completed. The Authorizer role updated the rate cache duration to 1 second. Community member NolanV surfaced the issue in the DeFi Francophone community.
  • April 9th: NolanV submitted a full independent report: Balancer sDAI/EURe incident report - NolanV

Estimate of Loss

With support from the Balancer data analytics team, we assessed the issue by simulating a counterfactual scenario where the rate cache duration had been set to 1 second from the start, to determine the hypothetical losses. This is equivalent to the liquidity providers’ opportunity cost (rather than realised losses to their principal). The delta between that and actual pool behavior formed the basis for our loss estimate.

This required a detailed archive and simulation of all transactions in the relevant period, which has taken us time to perform. We are now finally in a position to share the full analysis, which is available in this repository: GitHub - mendesfabio/eure-sdai-indexer: https://eure-sdai-indexer.up.railway.app/

This differs from NolanV’s approach, which used Binance EUR/USDT prices as a proxy, explaining the variation in estimates. Nonetheless, we are grateful to NolanV for their efforts and transparency, and acknowledge and apologise for the long delays noted in their incident report (which were needed to complete our comprehensive estimate of loss).

In summary, we find that – absent the misconfiguration – liquidity providers in the pool would have received in aggregate up to 330,000 USD more from their positions. Though this is not a loss of principal, the liquidity providers did receive less than they should have, and as such we agree with nesk that a reimbursement is appropriate here (including a bounty for NolanV).

Implementation Plan

We propose this GIP to support LPs affected by this issue by offering a targeted boost, and the Balancer team is working to ensure smooth implementation of the distribution mechanism from a technical standpoint.

Additionally, we are also proposing a 10% bounty (33,000 USD), to be paid in full to NolanV, in recognition of his contribution to the discussion and data analytics provided.

Boost Design

  • Eligibility: LPs who were in the pool until April 7, 2025
  • Budget: 330,000 USD
  • Distribution Period: 3 months
  • Conditions: Weekly distributions based on continued participation in the EURe / sDAI pool

Details regarding eligibility, including participation via secondary sources (e.g. Aura BPT and Beefy Vault), will be shared before distribution is enacted.
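
The stale-pricing window described in the proposal (a rate cache held for 3 hours versus 1 second), as an added example that is not part of the original post or the linked analysis. It is a simplified Python model, not Balancer code: it assumes the cache refreshes on the first read after expiry, and the EUR/USD path and 5 bps tolerance are constructed.

```python
from dataclasses import dataclass


@dataclass
class RateCache:
    """Hypothetical cache: a rate stays valid for `duration` seconds."""
    duration: int
    rate: float = 0.0
    expires_at: int = -1  # forces a refresh on the first read

    def read(self, now: int, live_rate: float) -> float:
        """Return the rate the pool would price with at time `now`."""
        if now >= self.expires_at:  # expired: pull the live rate
            self.rate = live_rate
            self.expires_at = now + self.duration
        return self.rate


def staleness_report(series, duration, tolerance_bps=5.0):
    """Replay (timestamp, live_rate) samples through a cache.

    Returns (max deviation in bps, seconds spent beyond tolerance).
    """
    cache = RateCache(duration)
    max_bps = 0.0
    stale_seconds = 0
    following = series[1:] + [series[-1]]  # last sample has zero width
    for (now, live), (nxt, _) in zip(series, following):
        cached = cache.read(now, live)
        bps = abs(cached - live) / live * 1e4
        max_bps = max(max_bps, bps)
        if bps > tolerance_bps:
            stale_seconds += nxt - now
    return round(max_bps, 2), stale_seconds


# Constructed EUR/USD path: one sample every 10 minutes for 6 hours,
# drifting by 0.02% of the starting value (1.0800) per step.
STEP = 600
SERIES = [(i * STEP, 1.08 * (1 + 0.0002 * i)) for i in range(37)]

THREE_HOURS = staleness_report(SERIES, duration=3 * 3600)
ONE_SECOND = staleness_report(SERIES, duration=1)

if __name__ == "__main__":
    print("3 h cache (max bps, stale seconds):", THREE_HOURS)
    print("1 s cache (max bps, stale seconds):", ONE_SECOND)
```

On this constructed path the 3-hour cache prices away from the live rate for most of each window, while the 1-second cache never deviates; the same replay over archived pool data is the shape of the counterfactual comparison the proposal describes.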

As specified in the service provision contract between the Gnosis DAO and kpk, kpk secures its position for not being held accountable in case of any third party risk. So, legally, I see Gnosis DAO assuming risk here and will vote in support of this proposal.

However, ethically, it does not sound great and again brings the heavy reliance on kpk without any responsibility as a service provider due to the fact they handled the situation pretty poorly with lack of transparency until a person affected decided to publicize the fault.

The better course of action in such cases would be that kpk reimburses individuals without going to a DAO vote, which might turn out to be a contested one, and further delaying the reimbursement of affected users. And this is again another bad look on kpk’s part whose main responsibility is to enable a thriving and secure DeFi ecosystem on Gnosis Chain.

So, I would like the DAO to reconsider its relation with kpk as its sole partner for its financial affairs due to an accumulated not-very-ideal treatment by kpk in their provisioning of services for Gnosis DAO.

4 Likes

Following on from @mrtdlgc’s comment, it seems important that situations like this are resolved so as to reduce the likelihood of the problem’s recurrence, in part by identifying the incentive structures in place. In this case, whoever set the cache duration should be disincentivised from getting it wrong and, at least, share in the downside of a suboptimal setting. If that is kpk (not stated in the original post), then a preferable incentive structure would see kpk face some penalty, an example of which is described by mrtdlgc.

I would vote in favour of this if it sought to address these systemic issues (even if that only involves committing to a meaningful appraisal of the situation with follow-on actions) as well as reimbursing individuals.

1 Like

Regarding the proposal I am a bit ambiguous, a mistake like this can happen, no one really took a real loss but only less gain, also, as I read somewhere else, most of the liquidity was DAO funds, so in part this is a refund to ourselves.

The Bounty to NolanV is highly appreciated by me, not so much because of the discovery of the incident (which has been known by kpk before) but because it showed the insufficient communication regarding this.

Looking at this timeline I ask myself what might have been the appropriate time to inform the broader public, at least Gnosis-DAO members. Although I check the balancer forum from time to time I missed this topic there.
Regarding DAO-funds managed by kpk I would prefer a place either here or on kpk’s site where these issues can be communicated in time. Ofc there might be reasons to withhold info from the public if it might increase harm due to further exploitation and it might also be a valid argument if it would harm some other projects (like gnosis pay). But in these cases it should be clearly emphasized afterwards what are the reasons for delayed communication at which point.

Regarding this case imho, at least at the time of the BAL proposal there should have been some info to the DAO community.
Maybe kpk could add a section for these kinds of topics in their monthly reports?

1 Like

As for me, I used the pool and didn’t immediately realize there was an issue. I took my share and stopped using the pool.

However, regarding the proposal that the Gnosis DAO should reimburse the funds, I would be in favor of it, because liquidity providers are what allow Gnosis Pay to continue operating.

That said, I don’t see why the DAO should bear the full responsibility for this, especially since KarpatKey was behind this pool (along with Balancer and Gnosis, of course).

And should the DAO really have to reimburse something when the team managing the DAO’s treasury wasn’t even informed? To me, that’s a problem.

Even if, factually, KarpatKey might not be contractually liable, I still believe they hold at least some responsibility — especially given the lack of communication with affected parties or even those who could have been affected.

Not to mention that KarpatKey received management fees for DeFi operations while this pool was running.

So in my view, some form of compensation from the KarpatKey entity wouldn’t be unreasonable — far from it.

If that doesn’t happen, I think it should call into question KarpatKey’s management mandate and the significant dependency on Gnosis Chain.

Mistakes happen, and I don’t want to throw fuel on a fire that’s already burning, but responsibilities still need to be acknowledged.

Even if it’s outside the scope of the contract, I believe there’s also an ethical and moral dimension that matters here.

So this is something worth exploring, in my opinion.

I also fully support the bounty for @NolanV , who has been sounding the alarm for a long time and provided an excellent report.

Perhaps KarpatKey should partially compensate him using the entity’s own funds — not the DAO’s.

Beyond this specific incident, I think it’s important that this raises broader questions in the debate — about potential future risks and KarpatKey’s lack of non-contractual accountability when these kinds of things happen, which, in my opinion

1 Like