Should GnosisDAO respond to the Hundred Finance exploit in the following manner?

Do you know about the Cream exploit? AAVE had the same vulnerability in the code for months, maybe even years. The protocol could have been drained for billions and there was a possibility that we wouldn’t talk about it anymore, but the protocol got lucky and the hacker chose Cream instead. So this makes me wonder, why are you so sure that the AAVE team would have prevented the same exploit?
If they didn’t notice the Cream vulnerability for months, why are you so sure they would have noticed the different token standard? You are just speculating.

2 Likes

In that case, we are speculating, yes. Which should not be a bad thing to do, as we have to speculate about what would be a proper action now after the incidents.
I didn’t say I am sure AAVE would be aware of the different token standard vulnerability.
But let me ask this from you to put it in your awareness which I believe is important in this case.
Which team finds those mentioned vulnerabilities with higher chance?
Team1 who writes the Aave protocol with genius & hard work being done.
Team2 who copies Team1’s code with slight modifications and names it XY and makes an OK-looking front end, creates its token while they themselves are heavily reliant on that token value as it pays them and they are the biggest holders of it. And then blaming the different token standard and blaming the Gnosis chain (which I partially can agree with, it got them by surprise for sure), instead of blaming the copy-paste work that was done.
As I wrote above I believe GnosisDAO could and should help recover the users’ funds in the ways I stated above, just because as a canary network for Ethereum, it should have been possible to copy-paste any open-sourced protocol from Ethereum and bring it over to Gnosis chain without any issue. This is the only reason I support recovering 30% of all the stolen funds by GnosisDAO, while making sure that a couple of whale addresses cannot drain the funds recovered by GnosisDAO: have a withdrawal limit on each address/user, and also add an unlock period over time to the distribution.
There are a lot more issues with forks anyway, by either not being aware or by intentionally ending up hurting users by insiders (which I’m not saying, nor believe, would be the case now).
What matters for me is Gnosis taking partial responsibility as a good gesture towards the people who got hurt by the incident, which I cannot find ideal if it’s more than 30% of the overall stolen funds.
Even that, should be distributed via time locks and withdrawal limits to secure a decentralized way of careful distribution so big whale addresses cannot drain the recovered funds. This way smaller users/addresses (majority of the users of the protocols) can have their portions of the recovered funds.

Oh, and yes. I would wish we could use Aave on Gnosis chain, as most people would not use new forks with the so-called ‘bigger bags’, as forks are based more on ‘trust’ until enough time has passed to start the idea of being reliable. So yes, Aave is something I am rooting for on Gnosis Chain to get those great volumes UP, and having a ‘name’ like that, a great lending/borrowing protocol on Gnosis that is considered one of the most space-leading protocols, is very welcome (obviously a lot of forks of it are happening for that reason).

-Aave v3 will be developed on Gnosis chain- and I hope it comes sooner than later.

There will be several millions transferred to a multi sig under the control of the Hundred finance team (I presume).

Just to note there is no technical reason requiring us to use our multisig at all, Gnosis could deposit any GNO for compensation directly to a smart contract that would distribute hvGNO to users.

Does Hundred finance DAO need to vote on this proposal and will it be binding?

The proposal from our end would not require a vote if we are planning to only use dev funds for the HND part, which is our current plan.

2 Likes

Pretty simple answer: the team which gets exploited first. We are talking about the code from the most established DeFi protocols here. Plenty of people looked at the AAVE and COMP code and they had multiple audits, still people didn’t notice major vulnerabilities until the protocols got exploited. Even AAVE V3 can have vulnerabilities and people might be able to exploit it, you can never know until it happens.

Also I disagree with the simple fork assessment for HND. HND offers protocols in the ecosystem a lot of possibilities to build on it. If you look at the Fantom ecosystem (Liquid Driver, Beluga etc.), you can clearly see the possibilities. Other protocols in the Gnosis ecosystem can do the same. The Gnosis DAO can also use a product like Lendly, where they have an isolated lending market and can borrow against their GNO.

2 Likes

I think this is a pretty odd interpretation. I’m a heavy user of Aave and Compound and many of their forks on many chains. It is to these projects’ great benefit that forks take elevated risk with the assets they support and the chains they expand out into.

Had these been live on Gnosis and had billions in AUM, based on empirical experience in exploits that touch these protocols, I think it’s highly likely that the hacker would have stolen catastrophic amounts of money. Enough to cripple defi critical infrastructure. Enough to tarnish the Gnosis chain brand and Gnosis reputation.

Instead of THAT happening, a much smaller attack occurred and lessons can be learned in a much less painful way.

Ultimately though, we want to build tech and products that are good for all of our USERS. And Gnosis/Hundred/Agave should be aligned there – how do we get to that place?

6 Likes

It’s funny how most users say Hundred etc. are copy-pasta forks and aren’t worth backing. What do you guys think the xDai/Gnosis Chain is? It’s an Ether fork, and an old one at that, with the bridge design. So it is well established that the bridge design puts some of the blame on the chain itself. Are we OK to leave the Hundred community alone, fix the bridge and go on as a chain?

Well perhaps Hundred would also fix their part on the issue and go on as a protocol.

We should back up both affected protocols or it will be a bad message to the community and potential devs looking to enter the scene. Not to mention users would most likely transfer their other assets elsewhere and thin the already-thin liquidity even further.

2 Likes

I think almost everybody agrees with reimbursing the users in the threads, I think the differences/talking points are the amount and the way it is structured. One possible proposal that takes the feedback into account from my side:

Gnosis covers 50-56%: 3.583.219 $ (with 56%)
HND sells the tokens with a Gnosis auction (around 24%): If we get a floor price of 1.5 $ → 1.500.000 $
Other protocols can bid on HND tokens and use it to boost their stable yield (Beluga, Liquid Driver could increase the liquidity for their products?), Yield aggregators or similar protocols on gnosis chain could buy the HND tokens to boost their stable yields, the Gnosis DAO could use the tokens to boost the stable yields

If the Gnosis protocols would bid on the tokens, we could create a lot of liquidity for stables.
This would reimburse 80% of the lost funds. The users can make up some of the missing 20% with the liquidity mining incentives on Gnosis chain from HND.

1 Like

Just a last feeling I have. We live now in a more dangerous world, with looming bad prospects for the near future in most of it. This is a time to come together and help each other grow and achieve greatness. There is nobody else rooting for the greater good of crypto, and we need to be more altruistic / generous with the persons that are in need, like from this exploit, not less.

3 Likes

When are we going to vote on this? Seems like a pretty clear consensus that people are pro this proposal.

4 Likes

Yes, please help both protocols affected in the same way. Both user bases have suffered the same.

5 Likes

Hi there, do we have a decision or update about this issue? I see Agave has already been approved by GNO holders, while it has been over a month since the common exploit. Happy Easter to those celebrating it!

1 Like

It’s good to see Agave, who was affected by the same exploit, had their proposal go through. Is there anything we’re waiting on to move this one forward? It would make sense to support both protocols since they were both affected by the same underlying cause.

3 Likes

We’re currently in the latter stages of creating an amended proposal that we hope will maximally satisfy all parties involved.

4 Likes