Compensation for Victim of the ssv.network Discord Hack on 2023-08-30

Summary:

Plea for the DAO to consider compensating a scammed user, who lost 14.9 ETH due to the security breach of ssv.network’s Discord server on August 30, 2023.

Background:

On August 31, 2023, the ssv.network Discord server was the victim of a malicious security breach, as detailed in the Post-Mortem Report. An attacker exploited a Bookmarklet-type attack, compromising a privileged Discord account belonging to SSV’s CTO, Lior Rutherberg. In the ensuing chaos, key roles were deleted, many channels and bots were manipulated, and numerous users were banned.
The malicious actors further created a fraudulent website (DO NOT OPEN: ssv.community/claim/), scamming users into parting with their funds.

Our community members, unfortunately, fell victim to this scam and lost a substantial amount: 20.104 ETH. Given the magnitude of the loss and the circumstances under which it occurred, we are seeking the community’s support in refunding the scammed amount.

It is important to realize that SSV maintains other secure assets where users are expected to deposit their funds. A hack on SSV’s Staking APP (instead of Discord) could produce a similar loss outcome for users: users' funds would be misdirected when staking if a web-app hack changed the contract addresses. This makes the outcome of this proposal all the more important for the future.

Details of the Loss:

Date of Loss:   August 30, 2023
Circumstances:  During the ssv.network Discord server breach, the user was misled by the fraudulent website propagated by the attackers as legit ssv.network admins.
Hacker Account: 0x00000f312c54d0dd25888ee9CDC3DEE988700000

Account:        0xD50D5C19aD6d57b9f3a5490b5d9769e90B521E3b
Acc Signature:  https://etherscan.io/verifySig/24635
Amount:         14.9 ETH
Transaction:    0xd39694af121f794b36d9461bc6adba6684afbb7e395345c97d8116686893089b
Timestamp:      Aug-30-2023 11:45:35 PM +UTC

Account:           0x644cebcb9e7ee0f753369caebdcde2b12eaff476
Acc Signature:     https://etherscan.io/verifySig/24693
Amount:            5.204 ETH
ETH Price at DoT:  $1,705.54
ETH Transaction 1: 0xb08bb51b4de468f4ae9a88eb227aa09f436cb402e62ca3146766ed467ab8c065 (398.6 UNI = $1,855.81 / $1,705.54 = 1.08 ETH)
ETH Transaction 2: 0xa428b9678673830d7f212b8eaeb37fc07b99c98be5e918dc189ffc22893c02b7 (170.8 UNI = $795.35 / $1,705.54 = 0.466 ETH)
Arb Transaction 3: 0xf228c781e8bd813fa2b849ad1406f99da71b825839e59041033c2bed636d533b (215.1 UNI = $1,036.87 / $1,705.54 = 0.607 ETH)
Arb Transaction 4: 0xd7407486cab6108db3a1a5492f160952fa8dbcc60bfb1b094c51fcfac2c45a83 (502.0 UNI = $2,158.62 / $1,705.54 = 1.265 ETH)
Arb Transaction 5: 0x3a42ee852e3de3b969a2d61861c2f0999ad1a9713e3f3b6c7e637968417650d3 (1224.7 USDC = $1,224.70 / $1,705.54 = 0.718 ETH)
Arb Transaction 6: 0x8ddb7672aa88c854371b4cc7ecb20acfdf5f128ec37e60eed72f61c6b9f4f134 (2857.8 USDC = $2,857.80 / $1,705.54 = 1.675 ETH)

Reasons For Compensation:

Responsibility: While individual users bear responsibility for their actions, the hack exploited a vulnerability within our community space, and it is paramount to acknowledge that the scam was a direct consequence of a vulnerability within SSV's domain. As such, SSV holds a shared responsibility to ensure its community members do not suffer undue losses due to security shortcomings.

Community Integrity: Upholding the trust and faith of our community members is crucial. By considering compensation, we reinforce our commitment to them, showing that their security and well-being are of utmost importance to SSV.

Future Precautions: Compensating the victim reaffirms that the DAO will stand by SSV’s decisions and actions, even during unfortunate events like hacks. It showcases the DAO’s unwavering support, emphasizing that they will collectively uphold the safety and security of community members now and in any future incidents.

Restorative Justice: It's not merely about returning lost funds; it's about mending the trust and faith of our community. Compensation is an act of bridging the gap that the incident might have created between SSV and its community members, emphasizing that together, we rise above adversities.

Reasons Against Compensation:

While the primary sentiment leans toward compensation, it’s essential to consider potential reasons against such action:

Personal Responsibility: Every individual must bear the consequences of their actions, even in unfortunate circumstances or in securely operated community spaces.

Proposal Mechanics:

Upon a successful vote in favor:

The DAO treasury should facilitate the transfer of 14.9 ETH to the scammed user's address: 0xD50D5C19aD6d57b9f3a5490b5d9769e90B521E3b

Your understanding, empathy, and support in this matter are highly valued. Together, as a community, we can stand united and resilient, making decisions that reflect our collective spirit and ethos.

Hello @tx_reverted!

Thanks for your post. Indeed, you’re the only person who reported falling for the scam, so we want to understand why this happened to you.

Please provide me with the Discord handle you used during the hack when the malicious link was posted. Once we have your handle, we’ll look into the Discord logs to check your request.

I’m not speaking for the DAO. I’m here to help you collect all the information needed in case you want to propose a refund to the community/DAO.

Thank you.

Thank you for reaching out and taking the time to understand the situation. Firstly, I wanted to mention that another user has directly messaged me claiming they were scammed as well. I’m currently awaiting further verification from them in the form of the transaction hash and account signature.

Regarding the Discord handle, I’ve messaged you directly to share it privately.

Could you please clarify what kind of logs you are referring to? Are you an admin in the ssv.network Discord?

Thank you for your help and patience!

Hey BenAffleck,
He is not the only one who reported and/or got affected by this scam. I reported this privately to some of the Discord moderators and I’ve also posted several times in the general Discord channel about this matter.
I am sure there are more people here who got affected but they are not aware of this proposal and/or not that active or simply just too shy to come forward.
From what I’ve managed to track on the blockchain, it seems that more than $50k were transferred to the hacker at the time of the hack.

I am glad tx_reverted has raised this issue and I support this proposal.
I think that the security of our community is of utmost importance and by supporting this proposal we reaffirm our commitment to the well-being and safety of our members.

Date of Loss: August 30, 2023
Amount: 1,286.67 UNI & 4,082.6 USDC
Circumstances: During the ssv.network Discord server breach, user was misled by the fraudulent website propagated by the attackers as legit ssv.network admins.
Account: 0x644cebcb9e7ee0f753369caebdcde2b12eaff476
ETH Transaction 1: 0xb08bb51b4de468f4ae9a88eb227aa09f436cb402e62ca3146766ed467ab8c065
ETH Transaction 2: 0xa428b9678673830d7f212b8eaeb37fc07b99c98be5e918dc189ffc22893c02b7
Arbitrum Transaction 3: 0xf228c781e8bd813fa2b849ad1406f99da71b825839e59041033c2bed636d533b
Arbitrum Transaction 4: 0xd7407486cab6108db3a1a5492f160952fa8dbcc60bfb1b094c51fcfac2c45a83
Arbitrum Transaction 5: 0x3a42ee852e3de3b969a2d61861c2f0999ad1a9713e3f3b6c7e637968417650d3
Arbitrum Transaction 6: 0x8ddb7672aa88c854371b4cc7ecb20acfdf5f128ec37e60eed72f61c6b9f4f134
Acc Signature: Ethereum Verified Signed Message

I’m sympathetic to the loss, but I don’t feel like the DAO should be responsible for financial recovery here for a number of reasons:

  1. This was not a flaw in infrastructure owned by the DAO (e.g., the recent proposal for covering CDT loss). This was someone falling victim to a malicious external site spread by a compromised admin account. The DAO should not be providing protections from people connecting their wallets to websites.
  2. This establishes a worrying precedent of the DAO as an insurance fund for members when there’s no such financing of it as such.
  3. Further, it creates an avenue of exploit where a malicious user could execute a similar attack again and then claim they were drained and have the DAO cover their ‘losses’.

While we should be empathetic toward people affected by attacks (I think it’s only a matter of when, not if, anyone falls victim to such an attack), the DAO is not formed as an insurance policy nor is it set up to be funded by those who would seek coverage.

Recovery of these stolen funds in concert with law enforcement and, for example, capturing the funds should they reach egress at an exchange is what those affected should pursue.

Thanks for coming forward @gob .
I have validated the transactions, timestamp and values and have updated the main post.

@BenAffleck Can you check @gob's logs in Discord too? Any additional info helps.

Thank you.

Hey jrh3k5,

Thank you for sharing your concerns. I believe that your voice, like every other community member, is valuable to the DAO.

Addressing your concerns in order:

  1. Infrastructure Responsibility: As the image shared clearly highlights, our ssv.network Core Team Discord Admin Dean pointed out, “As for the vulnerabilities and the call for compensation, it’s important to note that these matters are typically addressed by the DAO, as the Discord server belongs to the DAO community.” We all understand that decentralization doesn’t necessarily absolve responsibility. When infrastructure is under the responsibility of the DAO, any vulnerabilities or issues therein should be addressed with the utmost priority, and appropriate responsibility should be taken.

  2. ssv.network & Its Role: The ssv.network also serves as a staking platform, a pivotal piece of our ecosystem where users are expected to deposit their stake. It’s not merely an information or community portal. The core team, which is directly backed by the DAO and which created and manages this infrastructure, bears a profound responsibility towards the users. Should a hack occur on the platform, we believe it would be prudent for the entity, in this case the ssv DAO, to assess and potentially compensate victims. It’s not merely about financial restitution, but more about the trust and faith users place in the platform. Standing by the core team means standing with them both in their successes and in times of adversity. If we expect the community to trust the infrastructure we recommend, then we must also stand by those recommendations in good times and bad.

  3. Potential for Exploitation: Your point about setting a dangerous precedent is valid, and the concern for exploitation is understood. However, transparency and scrutiny are our best weapons in such scenarios. Through rigorous audits, transaction analyses, and community vigilance, we can ensure that genuine victims are identified, and any malicious actors are swiftly caught.

Look, the realm of crypto is built on the principles of decentralization, trust, and community strength. Transparency has to be our goal when guiding us through the challenges. This incident is not just about addressing an isolated scam but about reinforcing the trust that binds our community. We rise and fall together. It’s important to see how actively and passionately members like you participate. And on that note, may I ask if you registered just to voice your concerns in this thread? Your forum history seems rather new. Happy to chat on the #dao-updates channel if you have more questions.

Thank you for being a part of this. Together, we define the future of ssv.network and community governance.

tx_reverted

Those are some good points @tx_reverted. Thanks for elaborating on this.

I agree, we should acknowledge that decentralization doesn’t absolve responsibility, and when infrastructure is under the responsibility of the DAO, vulnerabilities and issues should be addressed promptly. I believe that the Discord server, being part of the DAO community, should be considered the responsibility of the community, and vulnerabilities within it should be addressed accordingly.

I think that financial assistance to members in cases of severe loss is important to maintain trust and solidarity within the community and reflects the DAO’s values and mission.