Use SDL from the protocol treasury to remunerate LP’s, establish a security fund, and make a bounty offer to the exploiter to return funds.
This SIP seeks to:
Establish a remuneration plan for LP’s afflicted by the metapool exploit on Apr-30th, 2022.
Offer the exploiter a bounty for returning the stolen funds.
Expand Saddle’s security infrastructure through means of a dedicated fund.
As a result of the exploit on Apr-30th, 2022, ~$10.2m was lost from Saddle’s sUSD metapool, impacting user funds and confidence.
Fast and effective remuneration has proven to bolster the morale of communities impacted by exploits in the past. A common response to an attack by afflicted protocols, in addition to remuneration, has been to “bribe” the attacker, that is to say, offer them some amount in return for their cooperation and compassion. While this has not always been successful, no solution should be ignored. The capital therein would be managed by the Delos HQ multisig and would be used to fund future audits, increase the Immunefi bug bounty awards, bring auditing firms on retainer, run Code4rena contests, and other security initiatives.
For each of the poll choices, division of the SDL is proposed as follows:
- 30,878,431.9 SDL
- 37,740,305.7 SDL
- 44,602,179.3 SDL
- No remuneration
Here’s a link to the relevant post-mortem for anyone else hunting around.
As I stated on Discord,
The ideal situation would be to be able to have an investment round and allow a venture capital or investment fund to bear this risk, and make LPs whole with those proceeds, but lacking that, this seems like the second-best solution.
“Vested linearly over 12 months” is a steep curve. I think that being inclined to a higher $SDL amount would be logical to kinda compensate for the price-risk of the vesting period.
$SDL 44,602,179 over 12 months seems logical, but of course that is the total amount, and the proposal specifies that 20% is going to be “set aside for a protocol security fund”.
I’d urge the proposal creator to destine the full amount for repayment, and scratch the “setting aside $SDL for a security fund” as it can be voted upon on the spot were any security issue to arise.
I think that with $SDL 44,602,179 going to the LPs (even though they’ll still be having considerable risk when compared to stablecoins), should be enough to consider the exploited “fully reimbursed” as opposed to “kinda patched up”.
Harvest Finance issued debt in a sketchy and difficult-to-repay way, and the project never really recovered. I’d have that stark reminder on hand.
Agree with Tiza_for_the_people. I personally prefer to get remuneration in USD, so why not try to contact VCs and try to sell some extra tokens for the new round? For the remuneration with SDL tokens:
Let’s be honest, 30 cents per token in the current market situation, and given the fact that Saddle got hacked (even with the fact that the team’s response was great and fast), is not a realistic price; there are a lot of other DeFi projects with greater TVL and volume that don’t have a $300 million market cap. So even the option with 44,602,179 SDL tokens (-20%) is not enough, in my opinion, to cover the losses of LPs. Do we have some other options with remuneration in stablecoin value?
If we don’t have an option with USD remuneration, I think we should give the full amount of 44,602,179 SDL tokens to LPs without the 20% cut, and if we need a security fund for some reason, make an extra poll for it afterwards depending on the problem.
If 20% is going to a security fund then why not set aside 120% of the exploit plus a cushion to address volatility of the token? Or even better make the security fund a separate proposal and make the LPs whole. Otherwise you’re not making LPs whole. You’re actually making them pay for the developers’ mistakes. There should be no vesting for LPs. What is the purpose of this vesting? Our upfront support of saddle didn’t have any vesting attached to it. Why should the remuneration then have a vesting schedule?
Lastly it seems the price per token you’re assuming is unrealistic. You should be assuming a much lower price.
This is not a good plan. It’s very disappointing and sends a message that you don’t really care about making us whole. You just care about the optics. Which is true?
I agree with statements above.
I understand the difficult situation we are in, and that every LP is responsible for their loss in the end, but it would look very good for the protocol to make that reimbursement in $ and build up trust before the token launch.
I think 44,602,179 SDL will not be enough to compensate an adequate amount of losses to anyone.
Are we 100% sure there is no way to collect $5-10M right now? Maybe a mix between SDL and USD would be OK too.
I lost the most here. I would definitely prefer to be remunerated in stables. I think this hack is slightly more egregious than many, on account of the exploit already being known and Saddle supposedly having already patched it. It’s a more egregious error on the team’s part, as it’s not really a zero-day in the true sense.
However, Saddle only raised $7.5m in their last round, so I doubt they have any reasonable capacity to repay $10m upfront. What can be done here? Maybe a bond of sorts? One idea: we could become senior debt to the project, with a 10% interest rate. I would like the debt to be collateralized by SDL tokens backing it.
Another idea: repay in SDL over time. I actually think 12 months is too short (too much sell pressure) and would prefer 24. The amount of SDL that gets repaid is based on the TWAP of the SDL emitted until we reach full repayment + 10% APY on top of that. I’m not sure how to implement this. Does Sablier support anything this fancy?
Thanks everyone for the comments so far, really appreciate the ideas and feedback. We’ll work on bringing stablecoins into the remuneration plan, and addressing points raised around % of remunerations going to LPs vs to security fund + overall amount / premium for token volatility to start, and explore the other ideas as well on legal/technical feasibility.
Folks who haven’t shared their perspectives (especially those who lost value from the attack), please try to do so in the next 1-2 days!
Do liquidity providers have no responsibilities now? I’m not saying they shouldn’t be compensated but I think the whole reason there are good returns in DeFi is because the user must accept additional risk when putting up capital. It seems to be having your cake and eating it if you get yield and then get completely bailed out no matter what.
Plenty of other hacks have compensated nothing to the users or not given complete compensation back.