GIP-34: Should Gnosis DAO support in a reimbursement plan to the Agave Community

I look at the bigger picture here. What is the purpose for Gnosis chain? It’s the canary network for ETH, ETH protocols and new protocols can experiment on the chain with much cheaper costs and users who can’t afford ETH can switch to Gnosis chain. So in general it should attract smaller users.

So I ask myself: Is the current crypto approach really the way we want to become mainstream? The stuff has to be idiot proof and users have to be able to verify things without coding experience. You can’t expect users to check the code of the chain, the bridge, the protocols etc.

Another point is accountability: do we really expect crypto to be successful if you can lose all your funds in an instant? We had plenty of DeFi hacks, especially recently (Ronin, Inverse), but somehow we don’t question the general approach.

So if we really want to become successful, we need to work on a few things. Users need a simple way to verify that the protocol they are using is following the best security practices. Maybe as a chain or a DAO we think about certain security measures that we want the protocols to implement and if they don’t follow, they can’t deploy on the chain. Maybe the protocols can found a security DAO, multiple protocols can work together on security and audit the code of the other protocols. They can also pay a certain % of their earnings in a Gnosis Safe and use this money to cover for a potential hack of the members of the security DAO. It would be similar to the banking insurance which multiple banking institutions offer. Users could deposit in a protocol and could be sure that they will never lose all their money.

In general I think these are important points and I would welcome it if the DAO starts a working group to work on/research these things.

1 Like

Please don’t claim something which isn’t true. Compound got exploited for over 147 mil, if you don’t want to count spending too many rewards as an exploit, okay I guess, but it is still an exploit in my opinion. And as I mentioned in other threads, it is pure luck that these protocols didn’t get exploited with the CREAM hack. They had the same vulnerability for months/years. Multiple audits/people looked at it and these are the most battle tested protocols on ETH.

Yes I should have been more precise with my words there.

It’s not pure luck. They didn’t list a vulnerable asset. They have asset listing processes & governance which includes looking for vulnerable tokens.

Is it possible they could let a vulnerable token into the protocol? Yes. Is it less likely than if they had no such process? Yes.

Last time I checked Compound still (surprisingly) has this vulnerability in their code. They protect it by not listing tokens that could lead to it being exploited. That is part of the off chain infrastructure I was referring to.

The people who created the code, who know it most intimately, think they need this extra off chain infrastructure to keep the protocol secure and reduce risk.

If forked protocols do not have similar checks and balances to the mother protocol, given the single pool design, they carry more protocol insolvency risk and expose lenders to more risk.

In the last couple of months there has been Hundred finance x2, Agave and Ola Finance with exploits. All forked lending protocols with minimal off chain infrastructure to reduce risk. I’m not sure how many more vulnerable token exploits you need to see to be convinced that there might be an underlying issue here.

Forked protocols of this single pool design need to be able to resource these functions, or have sufficiently effective governance (right skills and engagement) to cover it.

Again… AAVE and COMP had the same vulnerability as CREAM. Mudit Gupta mentions the CREAM exploit in one of his Twitter posts. I also remember how one AAVE member mocked the CREAM team for the exploit, but the Yearn/Cream people analyzed the exploit and noticed that AAVE had the same vulnerability. So you can thank these people that they informed the AAVE team. How is this not lucky? Every asset was vulnerable.

That’s why the Yearn/Cream team found the exploit for them?

I don’t know why you count the Meter exploit for HND. It was 100% Meter’s fault. As far as I remember the bridge got hacked, the people drained the Sushi pools and used the unbacked assets to borrow on HND. The protocol worked like it was supposed to, not the fault of HND if the assets are not backed.

Again people follow this misconception that a team is not as competent because it forks the code. This is not the case. You fork the code to build on established code and don’t have to write the code again and risk potential errors. Why should you write completely new lending protocol code if you can use battle tested code? The scary thing is that these battle tested protocols still have potential vulnerabilities.

Gno star is constantly inserting off-the-topic disinformation. He then selectively responds only to the counter-arguments about this disinformation, while skipping responding to the real arguments which prove him wrong, thereby he is a troll. In the end, someone who looks here would see tons of discussions and would assume there is heated discussion about this proposal whereas all that happens is community members try to explain the reality to a fudder who already knows everything but still tries to start a flame war nonetheless. Please refrain from quoting this person.

1 Like

Fully supporting this proposal.

I’m not sure if you’re really arguing against my point that you’ve focused on here: that Agave should build up their off chain infrastructure and governance to reduce the risk they list vulnerable or risky tokens which put the whole lending pool and protocol at risk again. It can be modelled on what Aave or Compound do (an appropriately lightweight version) to save reinventing the wheel. And that needs to be in their plan and resourced.

No this doesn’t guarantee anything, it just reduces the likelihood that tokens with known risks and vulnerabilities will be listed in future, and reduces the risk of the protocol becoming insolvent again. If GnosisDAO is to invest 25% to 50%, that is looking after our interests.


On some of the specific points you raise:

Mudit Gupta mentions the CREAM exploit in one of his twitter posts.

We’re talking at slightly cross purposes with 2 different Cream exploits.

The one that Mudit Gupta recently referred to in the context of this Gnosis exploit, was caused by the listing of a non-standard token (AMP) which led to a reentrancy attack and a drain of the pool. No luck involved here for Aave or Compound because they don’t list these non-standard tokens.

Incidentally, Cream (Compound fork) who listed the AMP token took 100% responsibility. No fault was assigned to AMP for the design of their token, despite it allowing for this type of reentrancy attack.

The other recent Cream exploit you refer to (which Mudit Gupta wrote a thread on as well) did expose an Aave vulnerability but it was economically unviable to exploit at the time. A bit lucky? Sure. It’s the system that is anti-fragile more than any one protocol.

that’s why the yearn/cream team found the exploit for them?

I don’t know why it matters who discovers a vulnerability whether it be an audit, a white hat, a random Joe, another protocol’s devs or an exploit. That is all part of the system we have. And I don’t see how that undermines the argument that the team that writes the code almost definitely knows their code better than a team that forked it. It’s not about competency, it’s familiarity and knowing where the bodies are buried (in this context, knowing about the reentrancy vulnerability with non-standard tokens). But of course there is also a lot of value in independent eyes reviewing and attacking code.

A key for protocols is to learn from every relevant exploit in crypto and make sure they’re not vulnerable to the same type of attack. But few do. Post Cream/ AMP every lending protocol should have been wary of listing non-standard tokens (particularly the compound forks where it is almost unforgivable that they didn’t pay attention to this).

I don’t know why you count the Meter exploit for HND. It was 100% Meters fault.

I’m not that familiar with the Meter chain exploit, but at a quick glance at that BNB token I can see that on any lending protocol risk score I’m familiar with BNB on Meter chain would have been flagged as high risk and unlikely to be listed by those protocols (certainly not to be used as collateral). Smart contract, liquidity, volume, counterparty assessments would all probably flag it as high risk.

A good asset listing process is assessing the likelihood of this kind of (and other known) attack against a token given its attributes (and market risks to determine risk parameters).

Honestly I don’t see a reason to continue this discussion with you. You don’t accept the points/arguments we make and continue to argue the same position. Don’t get me wrong, I respect your position, I just don’t think you acknowledge the points made.

If you are not familiar with the issue, why do you claim these things? I don’t think it is beneficial to claim certain things if you don’t know the details. You are hurting the protocol and the affected users with faulty claims.

1 Like

No, if we want to create a good game theoretic scenario, fighting is the last thing we need. It would only lead to a prisoner’s dilemma where all parties involved would lose. And if we want to unite to slay moloch, collaboration and, in our case here due to the exploit affecting all the parties (Gnosis Chain, Agave, and its users - well, actually almost all the users are, in fact, contributors of Agave DAO as it is not some pseudo-DAO where big whales determine the decisions or depend on a core team in a payroll) a compromise by all parties that will hopefully lead to a win-win-win solution is necessary.

Also, what I would like to point out here is that diverting the topic of discussion from the solution offered here asking a compromise from all the parties to irrelevant protocols without offering a different solution just to ridicule the discussion is a malicious attempt to muddy the waters.

And I can clearly see that the investment to Agave is evaluated by those who seem to be against this proposal from a conventional perspective where a company invests into another company. No, Agave is not a company, and investing in Agave is not investing into the code nor its core team. Simply put, Agave is a community of contributors who have been working to better the ecosystem since before the Gnosis and Stake merge.

Speaking of track record, although again irrelevant in this case as I mentioned Agave is not a traditional company; however, before the exploit Agave, the platform, has seen some steady growth in terms of TVL, which actually made this exploit attractive to the attacker. So, it is at least as valuable as a black-hat hacker to spend some time to take advantage of a long-known but not communicated vulnerability. And if you really wonder about the track record, Agave was bootstrapped with 50 HNY from 1Hive’s Common Pool just to create the initial Liquidity Pool and relied on its token’s success without being able to hire full-time contributors under its payroll, hence a true grassroots organization.

Regarding off-chain governance when listing tokens, Agave does in fact have this as the listing of Shapeshift’s $FOX token was agreed to be delayed before having “sufficient” liquidity on Gnosis Chain although the snapshot vote had passed unanimously in order not to adversely affect the health of the protocol. So, I would like to remind that the exploit was not made possible because Agave has not done due diligence when listing tokens, and it was merely due to mostly both the lack of communication by the Gnosis Chain regarding the token standard and negligence on Agave’s part by assuming that the tokens on the chain would act similarly to those on Mainnet. And in the end, Gnosis Chain is to have a hardfork to change the structure of the tokens in order to make them compliant with the standard. Therefore, solely blaming Agave shows either ignorance or is outright malicious again to divert the topic of discussion under this proposal as it has already been discussed and agreed by all the parties involved before this proposal that we all share the responsibility (Gnosis Chain by not extensively communicating the status of tokens, Agave by neglecting to check the token by assuming blue-chips on the Gnosis Chain would be the same, and the users by trusting both Gnosis and Agave to have solid code).

So, I would like to kindly ask everyone, both those who may be against or who may be for the proposal to keep the discussion around the topic of this proposal, which is the reimbursement of lost user funds, a loan plan to Agave, and investment of Gnosis into the leading money market on the chain. I would like to see arguments whether the compromise between all parties here seems reasonable or not, instead of blaming protocols or ridiculing the users who have lost funds in the attack. Or provide an alternative solution that would be as close as to a win-win-win conclusion, if you believe you can come up with a better alternative. Yes, bringing criticism to the table without offering an alternative does not reflect good intentions.

And obviously, I think it is clear that I am fully in support of this proposal as I think it is a compromise as reasonable as possible, which in the end, will lead to a win-win-win scenario for everyone involved. I know the core contributors of Agave have the sufficient skills to better the platform, and even with part-time commitment, it was the largest money market on Gnosis Chain. With an injection of some funds, I am sure that they will overdeliver what is promised here.

However, as Luigy mentioned above, if there are people who really want Agave to die, users to be left without their losses covered, and Gnosis to lose a huge number of long-term contributors of the chain, they are free to ridicule and fight or outright get rid of their GNO bags as it is obvious that they are holding tokens of a community, the values of which they have never even bothered to learn.

7 Likes

Just wanted to re-iterate a very valid point brought out in earlier discussions: Agave has its roots in 1Hive DAO. Without a doubt in my mind, 1Hive DAO has done more for the entire xDai chain than any other single DAO or project. It can be argued that without 1Hive’s innovations and projects on xDai chain, Gnosis quite possibly might have never had interest in taking the xDai chain under its wings. I.e. the merge never would’ve happened. The Gnosis chain supporters, stakeholders, and all those involved should first and foremost recognize this and show some respect and gratitude to 1Hive DAO and all its sub-DAOs, including Agave.

I’m writing this because at the moment it seems that most of the vocal posts have been coming from the xDai chain side, and we haven’t really heard the opinions, concerns, and voices of those from the Gnosis side that are holding significant influence in terms of voting power.

Gnosis whales, I hope you keep this in mind when voting time comes.

1 Like

If you are not familiar with the issue, why do you claim these things? I don’t think it is beneficial to claim certain things if you don’t know the details.

Because I don’t need to be familiar with the exploit details to be able to assess the risk of listing a token using a framework I’m already familiar with. The assessment is independent of any exploit, and arguably at least somewhat protocol independent.

I made my main suggestion. Split the proposals into two: one for the 50% compensation as-is that can go to vote immediately (GnosisDAO compensation obligation met) and one for the investment. Prioritize refunding the lenders who lost money with this 50% piece over investment.

By tying the compensation to the investment you increase the risk that lenders get no compensation.

Then spend some time putting together a compelling proposition for GnosisDAO to invest in where we can believe you can get to $300m TVL and become financially independent and resilient. You need to justify why we should invest in Agave vs focus on attracting mainnet lending protocols; how can you better help GnosisDAO reach its objectives? If the team is as talented as you claim, this should be feasible.

I also made several suggestions for some things to think about in creating a compelling and investable lending proposition. Oh and grow a tougher skin, not everyone who has a different view is out to get you!

If Agave wants to remain a grass roots only protocol with limited ambition and folksy values, great I respect that, but then you shouldn’t be asking for significant investment. I know you’re in a bind but you take some responsibility for that. If you desperately want to compensate your lenders the remaining 50%, you could find a way to do it out of your own pockets. Skin in the game.

I don’t think you comprehend the consequences of asking for investment like this, it inherently means compromise, you can’t just take the GnosisDAO money and carry on like before. It’s noble that you want to compensate 100% and get the protocol back on its feet, but without any real financial contribution from Agave or the founders. Fine, but the cost is you need to help GnosisDAO achieve its objectives and be the thriving and resilient money market we need. We need evidence to see that you know how to get there. This has not been presented so far.

You’re not in Kansas anymore, Dorothy.


To the GnosisDAO community (especially those without vested interests in this exploit) the different frames here are:

Do we treat this like a public good? Reward the team for their hard work and commitment to the chain so far, signalling that we appreciate them and hope they can survive and thrive. But with little expectation of ever getting any financial return and unclear if this will become the thriving money market GC needs to get to the next level.

Or do we treat this like an investment. Be open and willing to invest as a recognition of the loyalty and commitment to-date, but also recognise that we need a lending supermarket not a corner shop. And look to the Agave team to demonstrate that they have the ambition and capability to become a supermarket, before we’re stuck on the sidelines whilst the next wave of chains explodes. In recent months, on both Metis and Aurora/Near, money markets have launched and reached significant TVL quickly (protocols both with funding and community bootstrapped).

I would caution GnosisDAO community about any comments that are trying to paint this situation as a black or white: you’re either with us or against us. It’s populist rhetoric that aims to over simplify and shut down any nuanced debate (I don’t think it is really intended that way here - I see no malicious intent - but that is the message). It’s quite possible to want to compensate users appropriately, and be open to support Agave going forward, but to think the team has not shown enough in this proposal to justify an investment.

if there are people who really want Agave to die, users to be left without their losses covered, and Gnosis to lose a huge number of long-term contributors of the chain, …

I would suggest you avoid strawmanning, it’s not constructive and reflects poorly on you and Agave.

You may not see (or believe) it, but I am trying to help you. Do with it as you please, I’ll wish Agave and team the best however it proceeds.

So if we look at the scenario:

  1. Over 500 tokens had the fallback function which enabled reentrancy attacks
  2. The bridge changed the token standard, the newer tokens had the normal token standard. So we had tokens on the chain with different token standards
  3. The bridge didn’t inform you that the token standard changes while bridging
  4. A big treasury from the Gnosis DAO

And yes, these things are not “mistakes” (for lack of a better word), but they are certainly not ideal.

vs

Not the specific fallback function checks from the protocols

The protocols are also much smaller and have much smaller treasuries, so I don’t know why they should share the same amount of the burden. Especially when you consider the treasury sizes, it is reasonable that Gnosis shares the bigger burden. I don’t know if this is clear, but the protocols offer the maximum amount they can offer. If Agave could cover 100% alone, they would do it.

It is a difference if a protocol offers almost all of their resources vs a relatively small amount from the treasury. Gnosis doesn’t have to help, but the people ask for the help because they know Gnosis can help.


We had a lot of DeFi hacks in the recent weeks, almost every protocol tries to/wants to reimburse the users. This should be the same goal here. I personally don’t think it would be beneficial for the long-term growth of the chain if we don’t reimburse the users. Let’s be real, a vast majority of the users would be burned.

I also don’t get it why people are willing to spend millions in LM rewards for other protocols, but don’t want to help the current users. You spend LM rewards and get the mercenary capital? Do you think they will stay when the rewards end? Some yes, but the vast majority will leave.

And here we have the quintessential problem of a DAO, people with different economical and personal interests try to find a common ground. The problem is that this can only work if the people in power either behave altruistically or they understand/accept the long-term benefits of accepting the proposal.

1 Like
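The mechanism argued over in this thread (the AMP/Cream incident described in the earlier post, and the "fallback function" on bridged tokens listed in the scenario above) can be modelled in a few dozen lines. The following Python is an added, constructed illustration and is not code from Agave, Compound, Cream, Aave or the bridge. It shows a Compound-style single pool that pays out a borrowed token before recording the debt, a token whose transfer calls a hook on the recipient, and the two mitigations discussed in the thread: a listing policy that refuses hooked tokens, and recording the debt before the transfer behind a reentrancy guard. Pool names, amounts and the 50% collateral factor are assumptions; the model also emulates EVM revert so a failed call leaves no partial state.

```python
"""Constructed model of reentrancy through a token transfer hook in a
single-pool lender, with the mitigations discussed. Not production code."""


class Token:
    """Minimal ERC-20-like ledger. hooked=True models a non-standard token
    whose transfer calls back into the recipient mid-transaction."""

    def __init__(self, name, hooked):
        self.name, self.hooked, self.balances = name, hooked, {}

    def balance_of(self, holder):
        return self.balances.get(holder, 0)

    def mint(self, holder, amount):
        self.balances[holder] = self.balance_of(holder) + amount

    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.mint(recipient, amount)
        # The recipient's hook runs *inside* the caller's transaction.
        if self.hooked and hasattr(recipient, "tokens_received"):
            recipient.tokens_received(self, amount)


class VulnerablePool:
    """Collateral is tracked as a plain number for simplicity.
    borrow() interacts (transfers) first and records the debt afterwards."""

    COLLATERAL_FACTOR = 0.5  # assumed

    def __init__(self, token):
        self.token, self.collateral, self.debt = token, {}, {}

    def deposit_collateral(self, user, value):
        self.collateral[user] = self.collateral.get(user, 0) + value

    def borrow_limit(self, user):
        return self.collateral.get(user, 0) * self.COLLATERAL_FACTOR - self.debt.get(user, 0)

    def borrow(self, user, amount):
        if amount > self.borrow_limit(user):
            raise ValueError("exceeds borrow limit")
        self.token.transfer(self, user, amount)            # interaction first ...
        self.debt[user] = self.debt.get(user, 0) + amount  # ... effect last (bug)


class HardenedPool(VulnerablePool):
    """Effects before interactions, plus a reentrancy guard."""

    def __init__(self, token):
        super().__init__(token)
        self._entered = False

    def borrow(self, user, amount):
        if self._entered:
            raise RuntimeError("reentrant call")
        self._entered = True
        try:
            if amount > self.borrow_limit(user):
                raise ValueError("exceeds borrow limit")
            self.debt[user] = self.debt.get(user, 0) + amount  # effect first
            self.token.transfer(self, user, amount)            # interaction last
        finally:
            self._entered = False


def listing_check(token):
    """Off-chain listing policy: refuse tokens whose transfer can call back."""
    if token.hooked:
        return False, f"{token.name}: transfer hook allows reentrancy into the pool"
    return True, f"{token.name}: plain transfer semantics"


class ReentrantBorrower:
    """Recipient whose hook calls borrow() again while the first borrow is unrecorded."""

    def __init__(self, pool, amount, max_reentries):
        self.pool, self.amount, self.max_reentries, self.reentries = pool, amount, max_reentries, 0

    def tokens_received(self, token, amount):
        if self.reentries < self.max_reentries:
            self.reentries += 1
            self.pool.borrow(self, self.amount)


def try_tx(token, pool, fn):
    """Emulate EVM revert: an exception rolls back balances and debt."""
    balances, debt = dict(token.balances), dict(pool.debt)
    try:
        fn()
        return True
    except (ValueError, RuntimeError):
        token.balances, pool.debt = balances, debt
        return False


def run_scenario(pool_cls, hooked):
    """Returns (borrower token balance, recorded debt) after one borrow call."""
    token = Token("BRIDGED", hooked=hooked)
    pool = pool_cls(token)
    token.mint(pool, 10_000)                     # lenders' deposits (constructed)
    borrower = ReentrantBorrower(pool, amount=500, max_reentries=3)
    pool.deposit_collateral(borrower, 1_000)     # limit = 500
    try_tx(token, pool, lambda: pool.borrow(borrower, 500))
    return token.balance_of(borrower), pool.debt.get(borrower, 0)


if __name__ == "__main__":
    print("vulnerable, hooked token:", run_scenario(VulnerablePool, True))   # (2000, 2000)
    print("hardened, hooked token:  ", run_scenario(HardenedPool, True))     # (0, 0)
    print("listing check:", listing_check(Token("BRIDGED", hooked=True)))
```

With the vulnerable ordering the borrower ends up holding 2000 tokens of debt against 1000 of collateral at a 50% factor, i.e. the pool is insolvent after a single transaction; the hardened pool rejects the nested call and the whole transaction reverts, and the listing policy would have kept the hooked token out of the pool in the first place.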

Could not agree more. First compensate hacks and then do liquidity mining events so people actually are not afraid to use their funds.

1 Like