Should GnosisDAO respond to the Hundred Finance exploit in the following manner?

Abstract

On March 15th, 2022, the Gnosis Chain deployment of the lending platform, Hundred Finance, was exploited. This exploit drained liquidity across all of Hundred Finance’s Gnosis Chain markets, resulting in a loss of the equivalent of around $6.1m USD in user funds. The exploit originated in a vulnerability in the Hundred Finance protocol to reetrancy by way of a non-standard hook in official yet legacy bridged tokens on Gnosis Chain. This hook calls the token receiver on every regular transfer and transferFrom function of the ERC677 tokens, a risk factor inherited from the original version of the TokenBridge created prior to the Gnosis / xDAI merger. While an audit released in November of 2020 prompted the implementation of a fix in subsequently bridged tokens, the new implementation could not be applied to those previously bridged due to the token contracts being non-upgradable. When Hundred Finance deployed on Gnosis Chain, the team was unaware of this non-consistency with mainnet standards and thus the ability to run code after a transfer (callAfterTransfer) was not mitigated. Despite there being a proposal currently under discussion to perform a hardfork to fully address the vulnerability to reentrancy attack present in many of the official tokens still used on Gnosis, it does not cover potential avenues of response to the losses already incurred. Therefore, the Hundred Finance team seeks to put forward a proposal responding to the exploit on behalf of its affected users, in which they and the Gnosis DAO work together to provide amelioration to those who have been adversely impacted. The intention would be to simultaneously build an ongoing relationship between Hundred Finance, its users and the Gnosis DAO, distributing vested versions of the GNO and HND tokens commensurate with the losses suffered. We believe this would, in the process of making them whole, incentivize these unfortunate individuals’ continued participation in the Gnosis ecosystem as evermore projects and developers are drawn to the platform.

Motivation

The loss of funds experienced by those who supplied assets to the Hundred Finance lending markets on Gnosis Chain has been substantial. A total of 72 accounts (that can be assumed to be under the management of a close-to-equal number of individuals) saw figures ranging up to around $1.2m USD illegitimately taken. In some cases, these losses anecdotally represented large portions of personal net worth. Due to the anonymizing actions carried out during the attack (use of Tornado cash and a resulting lack of data on the origins of the transactions, as well as other potentially identifying information), there currently exists no actionable avenues towards fund recovery. What is more, the manner of the exploit of Hundred Finance, as well as the simultaneous and similarly costly exploit suffered by Agave.finance, could be argued to have adversely affected the development environment. In light of this, the Hundred Finance team believes that a jointly carried out release of treasury assets to those accounts that lost funds due to the exploit would demonstrate good faith towards people who have suffered, while also contributing towards the positive appreciation (among both users and builders) of the response of Hundred Finance and the Gnosis DAO, and, by extension, the Gnosis Chain itself.

Specification

Hundred Finance proposes that they and Gnosis DAO respond to the losses faced by users through the distribution of vested versions of their respective native tokens to the extent that the total amounts distributed according to 30-day average prices pre-exploit match the total losses incurred in USD. Due to the disparity in the availability and amount of treasury assets held by the two entities, it is proposed that the value distributed be split disproportionately, with Hundred Finance contributing the maximum it could realistically afford, 20% of the lost value in its own HND token, and the Gnosis DAO contributing 80% by way of the GNO token. In order to mitigate unwarranted sell-pressure created by such a distribution of treasury funds, it is suggested that specially-created vested versions of each token be used in the distribution. We thus propose the following on a per-token basis:

veHND Bonds

In the case of HND, bonds representative of the veHND token (a locked and governance/utility-enabled version of HND) would be granted to those affected by the hack. Unlike the standard 4-year locked veHND they would be redeemable for (the veHND token contract does not allow the token to be moved), these bonds would be tradable and thus provide a means of their holders exiting their positions should a buyer be found willing to purchase them in order to carry out a locked veHND redemption. The precise number of veHND granted to those affected would be established using a 30-day average of the HND price prior to the incident, after which they would be distributed proportional to the loss endured and equivalent with their assets’ USD value at the time of the exploit (minus the value of any borrowed funds outstanding).

• HND 30-day average price: $ 1.234
• HND tokens required for compensation: 985,520.67 HND

hvGNO Token

GNO tokens granted to those who suffered losses in the exploit would be locked in a specially-created vesting contract with a 6-month cliff and a 6-month vest. This would create a vested GNO ERC20-equivalent token (vGNO) that could then be distributed proportionally to the users’ accounts. A Hundred Finance market could then be created able to collateralize these vGNO tokens, allowing victims to supply the vGNO to receive hvGNO, and in the process gain a measure of liquidity through loans taken out in other assets that the protocol has available. Through being collateralized on the Hundred Finance protocol and used to borrow assets, these vGNO would be liquidatable if their Loan-to-Value ratio were breached, an action carried out using a mechanism managed by Hundred Finance.

• GNO 30-day average price: $ 327.221
• GNO tokens required for compensation: 14,865.54 GNO

Rationale

The rationale behind taking the above approach to rectifying the loss of funds experienced by Hundred Finance users would be the reduction of sell pressure that might otherwise run counter to the interests of holders of HND and GNO that have not suffered losses, combined with a desire to grant those impacted some functional liquidity and governance say during the vesting period. Releasing the generic versions of these assets over months and years would allow affected users to experience a degree of restitution and this proposal’s motivations to be met, while not hampering future efforts to develop and build by the two projects.

Appendix

1266×860 54.8 KB

Very supportive of this – Hundred is an amazing team and I think this creates a path to regained confidence in both ecosystems and sets up a future where the teams and users can get back to building and participating!

ps im a nurse

100% supportive of this proposal. GnosisDAO, please collab with Hundred do something for the affected users. Those are the truly supporters of both Gnosis Chain and HundredFinance.

This proposal would go a long way to re-establish faith in Gnosis chain and provide substantial good will to those affected. I appreciate Hundred Finance and Gnosis working on potential solutions what ever is decided.

I’m supportive of this. I see Agave’s proposal(https://forum.gnosis.io/t/should-gnosis-help-reimburse-some-of-the-lost-funds-on-agave) as making users who have previously been and still are very loyal whole, while I see this proposal as a nod towards protocols and users who are newer to the GC ecosystem. That the approaches between Agave and Hundred differ is also good because it encourages different behaviors of actors in the ecosystem while still fostering long-term participation and engagement in both cases. Having the two different approaches additionally gives Gnosis good insight into which approaches are most effective.
Because the the exploit that affected Hundred Finance was the same underlying the Agave attack, I would suggest that the two proposals be a pair i.e. it should not be the case that one passes and the other does not. The proposals were separated because they each offer custom solutions specific to their protocols context, history and capabilities, but both were caused by the same underlying factor: official bridged tokens allowing reentrancy implemented by the xDAI team.

Hundred Finance users will still have to carry a loss though as well, since the value of much of the collateral has likely gone up quite a bit since the attack, meaning that any appreciation since the day of the attack would have to be written off as a loss by the victims.

Still, the idea of being able to lock GNO and use that as collateral is great and allows many who were already fans of Gnosis/GC to long the token while preventing it to be dumped and at the same time allowing for liquidity on the chain through the lending strategy in the proposal
By moving these two proposals forward it will allow GC to continue to function much as it was before the exploit by restoring users faith in the ecosystem and providing the means(liquidity) to keep the chain healthy. These two lending platforms were essential being the only ones available on GC; their users were in large part fans of Gnosis/GC. By taking action on these proposals Gnosis has the chance to retain these loyal users who are much more likely to stick around long term at a relatively cheap cost compared to an order of magnitude more spent on rewards for less reliable newcomers.

The solution isn’t perfect, every party has to carry some of the burden, but by doing so now we can better delineate future events: when should the community pull together vs. when is it solely due to the negligence of a single protocol. We can learn this lesson while it is still relatively cheap, securing trust and growth at the same time.

I already mentioned some reasons in the Agave thread why I think the DAO should reimburse the users:

I think this proposal is very eligant and it would benefit all the parts involved:

1. The DAO is willing to spend 200 m for ecosystem rewards, in the recent Uniswap V3 proposal Gnosis chain offered 10 m in liquidity rewards. The DAO can count this as a part of the ecosystem reward campaign

2. The proposal enforces long term commitment to the chain and the protocol, the tokens are vested and we won’t have initial sell pressure on the tokens. The users also have a direct interest in the success of the chain and the protocol, because a price increase also benefits them directly. My guess is that even after the vesting period is over, the vast majority won’t sell their tokens, they will just keep them in the protocol and borrow against them.

Very supportive of this proposal.

One could say I am biased because I am one of the 72 affected users, and I did loose a significant portion of my networth in this exploit. Yet, I was using Gnosis chain over a year ago when it was still called xDai, and I’m also considerably invested in GNO which I recently locked for a year.

I do believe this is the best solution to rebuild trust in a way that will not have a negative impact on both protocols’ development. I highly appreciate the collaboration between Gnosis and Hundred teams to keep affected users up to date and their efforts to find a solution.

Good proposal, it will make sure that depositors will stay loyal to the protocol and chain

I am supportive of this, it will help establish credibility with users.

TLDR: I do not support this proposal as it is not sufficiently comparative to the Agave proposal (which I think is a reasonably fair proposal); I would support a 56% compensation plan for Hundred finance or consider one that is more comparative to the Agave proposal.

I’m troubled by this proposal, because it asks significantly more of gnosisDAO than the Agave proposal (circa $2m more; and directly covering 56% of loses for Agave vs 80% for Hundred finance), with the reasoning that Hundred finance is unable to contribute more (which I find questionable).

Although the headline figures makes it look like both proposals are the same 80/20, the key difference is that gnosisDAO secures a nearly 25% stake (total supply; approx 50% of circulating supply) in Agave to get to that 80% figure whereas with Hundred we would be covering 80% directly with treasury assets (Update: I believe the investment here to attain that share also includes a significant contribution to the Treasury of ~$1.8m? Although I may have misunderstood that)

I am not convinced that Hundred finance could not do more given (a) they have a much higher market capitalisation than Agave, operate on many chains with significant TVL, continue to earn revenue (I presume) and have nearly 90% of their full set of tokens yet to be minted (according to coingecko) and (b) I just discovered they provided a significantly higher % of compensation (approx. 50%) to lenders in their previous exploit in Feb on the Moonriver chain (I think using the same bond & locked veHND approach they propose here).

It is also of note that the Hundred finance contribution is less valuable to lenders to the one being requested from GnosisDAO given it’s locked for 4 years, can’t be borrowed against and will unlikely be liquid (and if so, probably trade at a significant discount OTC: these forms of compensation are rarely liquid).

The pricing strategy for the HND tokens is also unfavourable given that current HND price is less than half the price fixed for this plan whilst GNO trades above the plan price (at current market prices, Hundred Finance is contributing about $550k to this plan vs $5.3m for gnosisDAO: this does not seem an appropriate sharing of responsibility).

From a logistical perspective, will this proposal be reviewed and approved by Hundred finance DAO? I see the Moonriver exploit compensation plan was discussed and put to a vote, but I can’t see one for this proposal? (This information should have been included in the proposal; from a GnosisDAO perspective we should not vote on this until it has been approved by Hundred finance DAO to avoid wasting our governance process bandwidth if it is subsequently not approved by Hundred finance DAO).

(Incidentally, is it 14,865.54 or 15,643 GNO tokens requested for this compensation plan? Both are cited as the quantity in different places in the proposal. When asking for money, the amount is probably the most important detail to get right…*there is also contradictory numbers for HND)

I support compensation from GnosisDAO for Agave and Hundred Finance lenders who lost money in this exploit but in partnership with the protocols who share blame for this loss. This proposal does not feel like a balanced partnership.

Thus I would support a 56% compensation plan for Hundred Finance (circa $3.5m in GNO), to match the direct component in the Agave proposal.

I cannot justify why we would cover more of the losses for Hundred Finance vs Agave and I would encourage fellow GnosisDAO members who support this proposal to consider carefully these differences in the two compensation plans. Yes, we have a big treasury, but we should not be cavalier in its use. We will need to use every cent wisely to build a successful and viable chain.

I would be open to considering a similar token purchase mechanism to the Agave proposal to increase the coverage to 80%, albeit with a pricing strategy that uses a HND TWAP from the date of this proposal not pre exploit. The market movements post-exploit are relevant.

Also: to commenters you really should explicitly identify if you have a conflict of interest (i.e. you’ve lost money in this exploit). It is unethical to champion compensation without declaring the benefit you would receive from the decision.

Disclosure: I hold a bag of GNO, no AGVE, no HND, and did not lose any funds in this exploit.

*Please do check my numbers before relying on my analysis, it’s very possible I have made errors.

fully agree! we grow together and most that lost funds are GNO holders too.

I wholeheartedly agree with this proposal and think it is needed to re-establish trust in the Gnosis chain itself as this exploit was a native token exploit on the chain and all projects used the same tokens for stablecoins, thus a fork was voted in favor and will take place.

This make the Gnosis loyal HND community that lost big in exploit feel helped and not blamed and abandoned for using and trusting this emerging new chain. I have come to know Gnosis before as it was xDai and used cowswap a lot on ETH mainnet, I have high perspective and hopes for Gnosis success and think a step like the one in this proposal will help achieve a strong user base to grow from. The seeds we plant today will give us the food we need tomorrow. Peace and love for Gnosis and HND shared community!

The conditions cannot be the same for both Agave and Hundred unfortunately, which is why there needs to be two proposals. Both proposals should aim to reimburse the projects in a sustainable way which means that the lending protocols need to be able to survive afterwards.

The suggestion to instead have Gnosis support with 56% compensation instead becomes a question of whether Hundred Finance is capable of reimbursing with and still being able to survive carrying those costs afterwards.

The fact that Gnosis will have a 25% share of Agave cannot be discarded as not counting towards supporting that protocol. Not only does it help AGVE financially right away, but it also ensures that Gnosis has an interest in the Agave’s future which again should be part of the goal of these proposals. Gnosis will however not be directly invested in Hundred so this benefit is not afforded to Hundred. This is also a reason why we cannot treat both approaches in the two proposals the same. The protocols are different in their stages of their maturity, exist under different conditions etc. so I think that comparing the percentages of support is in a way comparing apples to oranges anyways.

This considerably long(4 years) lockup time for the veHND tokens has also caught my eye and I agree. As a compromise I would suggest increasing the vGNO lockup to make both vGNO and veHND lockups more similar, for example making both have a lockup of two years(veHND decreased from 4, vGNO increased from 1). This is also better for gnosis in that it stabilizes GNO for longer, especially if you still linearly vest starting after 6 months.

Again I think so far voices generally agree that both lending protocols should be supported, but at the same time we cannot treat them exactly the same or else they would have been combined in a single proposal to start with, and one size usually does not fit all. I think the proposal is still fine given the different approaches, but would be very open to the change in lockup times.

Thank you very much for taking the time to reply, I am part of the Hundred team and would like to address some misconceptions:

a) HND tokens have all been minted, compensation for users would come from the dev fund which comprises 20M tokens vesting over 4 years. Approximately 2.5M has vested so far and we are very conservative with our spending so we have enough to cover this and the Meter compensation, but no more than that.

b) We are not paying out 50% of the Meter exploit, but 50% of the remaining amount that Meter did not cover with their compensation plan. This works out to circa 500k HND.

c) Our compensation is proposed in veHND bonds, these are freely tradable on the open market and can be redeemed for veHND. So an affected user can sell these bonds to a different user who wants veHND.

d) The pricing strategy is also more than reasonable in my opinion, and a similar strategy is employed by Agave (180 day average I believe).

These are minor points though, the crucial thing to consider is how different our proposal is in the method of compensation from Gnosis. Agave is suggesting 55% instantly credited to user accounts, while we are proposing 80% with a 6 month cliff, 6 month vest, and crucially with a way to earn APR during this vest, making it a lot more likely that users will retain some or all of their hGNO at the end of the vest. Personally I believe this is well worth the 45% premium (80/55), but it should be pretty clear that it is worth more than a 2% premium (56/55).

Further from that, the Agave proposal does not mention anywhere that the Gnosis DAO would own 25% of their protocol. If you are referring to Gnosis purchasing the AGVE tokens at auction and users being reimbursed that way, then of course we wouldn’t be opposed to doing the same too (swapping HND tokens for GNO and reimbursing users fully in hvGNO).

It seems you are trying to hide key points such as agave is asking for bluechips directly without any lock, whereas hundred finance is asking for GNO options that will be locked till six months and linearly unlocked within the next six months, also hundred finance is providing lending and yield on those GNO option tokens.
Agave proposal doesnt disclose that they are OTC selling their agave to gnosis at double the price.
Hundred finance do not have 90% of tokens still left to mint, the amount is being contributed from dev funds.

Additional to vfat’s reponse:

Apologies for the inconsistency between the text and image amounts within the proposal. If it is preferential, a moderator with the necessary privileges can correct the text of the original, replacing the numbers with those from the image, or grant this account the ability to do the same. We can, however, confirm here that the final calculation means that the following two items within the text:

• HND tokens required for compensation: 985,520.67 HND

• GNO tokens required for compensation: 14,865.54 GNO

Should instead be:

• HND tokens required for compensation: 1,037,095 HND

• GNO tokens required for compensation: 15,643 GNO

Thank you for your post! It is very important to get other opinions and questions, so we can discuss the issue and find a common ground. The whole purpose of this thread is to find a good solution for all the parties involved.

1. As people already mentioned the gno will be illiquid and vested, so the users will have the illiquidity risk, whereas the Agave users will get their funds back and have instant liquidity. It is up to the debate how much the illiquidity bonus is worth, but it incentivizes the users to stay on the chain and commit to the long term success.

2. Hundred uses a 30-day average for the prices and the crypto markets bottomed during that time. The users already took a hit with the rising prices + take on the risk of a future market dump. Agave users get the nominal value of the tokens at the time of the payout, this means the higher the prices go, the more the users will get paid. So the difference in the amount which is proposed by HND and AGAVE is not as big as it looks and it can even get smaller over time (if the market continues to pump).

I always feared that we will get issues with different proposals and therefore pushed for a unified proposal, but the point is that the protocols have different issues and different benefits, that is the reason why we see different proposals. In the end is it up to the DAO to find a good solution, we should be open to suggestions and adjust the proposal if it is necessary.

Excellent discourse here, I don’t think I can add better points so I won’t comment on details, however as a user of these protocols (and several others which have suffered exploits in the past), I feel it is important to brand reputations to find a workable compromise. I too was unaware of this longstanding potential for exploit, I feel it’s the fiduciary responsibility of the protocol that did know (Gnosis) to make sure that unmistakable and continual notice is provided to prospective partners and customers that the risk was not yet mitigated. Hundred has been growing rapidly but perhaps that community needs to focus a bit more on risk assessment / security planning. That’s expensive and slows growth down. Ultimately, splitting some of the burden now among many stakeholders costs both protocols (and all users of both protocols) in both coins and potentially the pace of progress, but that may better support long term objectives.

Very much in favor of fully compensating affected users in HND + vested GNO tokens. As stated above, it might result in a very long-term aligned mindset for these individuals, and generally send a very positive signal about the Gnosis ecosystem.

Thank you for the constructive responses.

A key question I posed that I didn’t see a response to was regarding the voting of the proposal by the Hundred finance DAO. GnosisDAO needs to understand the dependencies.

The suggestion to instead have Gnosis support with 56% compensation instead becomes a question of whether Hundred Finance is capable of reimbursing with and still being able to survive carrying those costs afterwards.

I look at this differently. I think a roughly 50/50 split for compensation reflects the responsibility of the exploit, and it is on the GnosisDAO and the protocols how to fund their respective share.

I don’t think it is the responsibility of the GnosisDAO to ensure lenders are compensated to 100% if the protocols are unable to find a way to fund their half.

I think the proposal to help Agave fund a chunk of their half is a pragmatic but reasonable solution, given the situation. GnosisDAO takes the risk of Agave but also gets the potential upside. A similar solution could work with Hundred finance.

b) We are not paying out 50% of the Meter exploit, but 50% of the remaining amount that Meter did not cover with their compensation plan. This works out to circa 500k HND.

Perhaps my data is wrong. Looking at the posts on your forum, my understanding was the total hack was for $2.144m (after some coins were returned), Meter package would cover ~$680k, and Hundred finance would compensate $1.1m. So 51.3% (1.1m/2.144m) covered by Hundred finance. Is that incorrect? As per https://forum.hundred.finance/t/hundred-finance-meter-exploit-compensation-response/69

I understand with prices moving significantly all of these calculations in $ are in constant flux. The point was at the time of the final decision post regarding compensation, Hundred finance was willing to cover 51% of the exploit, by the chosen TWAP calculations.

On the surface, the Meter exploit and the Gnosis one have some things in common, with both parties sharing responsibility. This would support a similar approx. 50/50 arrangement here.

c) Our compensation is proposed in veHND bonds, these are freely tradable on the open market and can be redeemed for veHND. So an affected user can sell these bonds to a different user who wants veHND.

I understand, and this portion is not really my business. My experience with these components of compensation is they’re often not very liquid, with few buyers and big discounts demanded.

d) The pricing strategy is also more than reasonable in my opinion, and a similar strategy is employed by Agave (180 day average I believe).

I have the same issue with both proposals, averaged prices are a good way to smooth things out but when there is significant short term change to the price, these cannot be ignored. Also excluding the post exploit price movements is not a good approach. The exploits have happened and the market is pricing how it now values the protocols. By including those periods into the average it takes the markets view of value both pre and post exploit.

Unfortunately for these proposals, since my last post, we’ve seen a big movement in the price of GNO, which also cannot be ignored, if we are denominating the compensation plans in $.

Agave is suggesting 55% instantly credited to user accounts, while we are proposing 80% with a 6 month cliff, 6 month vest

I think there is an important component you are missing.

The GNO from the treasury in the Agave proposal is to make the GNO depositors 100% whole (my understanding, I have sought confirmation on this), hence there is no need to lock because it’s to existing GNO depositors. They are just getting their assets back as if they were withdrawing from the protocol. I would not anticipate any abnormal selling pressure from this.

Which is different from someone who has deposited stablecoins being compensated in GNO, which probably would lead to a lot more selling pressure and need to be subject to a lock and vesting, as in your proposal.

It’s an important pragmatic element to protect short term price action but it’s far less important than the total $ leaving the GnosisDAO treasury.

Further from that, the Agave proposal does not mention anywhere that the Gnosis DAO would own 25% of their protocol.

Correct this is form the auction bit. We will take that stake if there are no other bidders. If market price is below the floor price we are guaranteeing, I think it’s likely we will end up with the full amount.

The 55/56 difference is just rounding. It’s stated as 55.6% in the Agave proposal, so I rounded up to 56%

Hundred uses a 30-day average for the prices and the crypto markets bottomed during that time. The users already took a hit with the rising prices + take on the risk of a future market dump. Agave users get the nominal value of the tokens at the time of the payout, this means the higher the prices go, the more the users will get paid. So the difference in the amount which is proposed by HND and AGAVE is not as big as it looks and it can even get smaller over time (if the market continues to pump).

Yes, and with the sharp market movements, unfortunately this needs to be looked at again in both proposals. Some denominated in coin and some in $ has made this a little messy.

Both GNO and HND have moved significantly since the exploit, and the boundaries for the averaged price currently excludes that, and that needs to be addressed.