Compensation for Victim of the ssv.network Discord Hack on 2023-08-30

I understand that the hack occurred in the DAO Discord server, and it’s unfortunate that many people were misled into clicking on phishing links. However, I have a few points to address regarding this proposal.

  1. The DAO shouldn’t rush into compensating only a few people who are active on the forum. Since this incident took place on the Discord server, it’s important to allow a reasonable time frame, perhaps one or two months, for more victims to come forward and report their losses.

  2. All victims should be required to submit valid proof that they clicked on the malicious link. While this might be challenging, it’s essential to ensure that compensation goes to genuine victims. It appears that @BenAffleck attempted to gather evidence but couldn’t obtain any results. I am sure the DAO will not give up on that; we should explore other ways.

  3. It’s important to remember that participating in web3 involves risks, such as hacks, market manipulation, user risk, management risk, etc. Holding the DAO solely accountable for actions performed by individuals is unfair, as users should be aware of these risks when entering the web3 space.

  4. I am partially against this proposal and suggest that the DAO should share the risk with the victims. A fair solution could be for the DAO to cover half of the losses, while victims bear the other half.

  5. Moving forward, it’s crucial for the DAO to establish well-structured terms and policies that clarify its stance on accountability for hacks and related issues. These policies should be transparent and accessible, both on the Discord server and the forum.

While we sympathize with the victims, it’s important to strike a balance between compensation and user responsibility. Establishing clear terms and policies for the future will help prevent similar disputes.

Hey King_steve,

Thank you for your thoughtful input on the matter.

I absolutely concur that it’s essential to allow ample time for more victims to step forward. This thread has been active for almost a month, providing a considerable timeframe, but if there’s consensus that more time is needed, it’s certainly worth discussing.

Regarding the evidence and proof mechanism, could you suggest a more efficient or improved method? Or perhaps elaborate on why the current methods might be insufficient or might breed mistrust? It’s crucial that we ensure the right people receive compensation while maintaining the integrity of the process.

It’s pivotal to remember the root cause of this debacle: a security mistake by the Core Team (as seen above) which had repercussions on the community members. While users must exercise caution in the web3 space, the DAO, as the primary sponsor and overseer of the Core Team, should bear the responsibility for its own mistakes. Imagine, for instance, if ssv.network were to be compromised similarly to the Galxe DNS hack? Allowing users to deposit funds into a rogue contract? Would this not pass responsibility to the DAO?

I wholeheartedly agree with your suggestion for the DAO to develop well-structured terms and policies on accountability for hacks and related issues. I’ll encourage any community member to draft a proposal on this, and would be happy to participate.

Your opinion adds significant value to the discourse, and I’m happy to see community members voicing their insights. On a related note, I see that you’ve recently joined the forum – welcome!

Warm regards,
tx_reverted


I believe the phishing attack was that an “SSV Token Airdrop” was announced on the discord, with an exhortation to “Claim yours now!” It clicked through to a phishing website where they were instructed to connect their wallet and approve a transaction.

An administrator account was hacked and the instructions were posted using that account.

Hello @tx_reverted, I’ve spent time checking if I could come up with something else, but unfortunately I haven’t found any solution. I believe that at the moment, the only solution for the DAO is to determine the time the hacker infiltrated the DAO Discord server. People who fell victim to the scam during that specific time interval should be compensated.

So, I suggest following Ben’s advice and moving this to a snapshot proposal. Additionally, include three options for delegates and token holders to vote on:

  1. Full compensation.
  2. Partial compensation (for those who believe the DAO and victims should share the losses).
  3. No compensation.

Good luck

Hello King_steve,

I agree with the suggestion to move this to a snapshot proposal; it makes a lot of sense.

However, when it comes to the voting options, I’d like to advocate for a more simplified approach: Compensation or No Compensation. Determining a fair partial compensation would be challenging. How would we quantify the exact share of loss between the DAO and the victims? It’s not straightforward and could open up more complexities and disputes.

I believe it’s important to remember that this isn’t a matter of the DAO versus the victims. It’s about taking responsibility for the mistake made by the Core Team, which the DAO sponsors. If, for instance, the SSV app were hacked, it would again boil down to a question of the Core Team’s competency. The DAO, having put its trust and financial backing into the Core Team, should ideally bear responsibility for such mishaps.

As a reference, in the recent Galxe hack, they refunded the users for 110%. And it was a DNS-based hack that misled users.

For context, the DAO has a substantial financial standing, as evidenced by the values available in the grant program. The idea isn’t to drain those funds but to use them responsibly, ensuring the community’s trust and safety.

Once again, thank you for your insights, and let’s continue working together to ensure the best outcome for our community.

Warm regards,

tx_reverted

Hello @tx_reverted

This should not introduce any complexity or difficulty. I still believe it is right for the DAO to shoulder half of the loss, with the victim bearing the other half. Regardless of the fact that the hacker used a compromised admin account, it was the victim who clicked on the link and signed the transaction. Because of this, I strongly suggest you include partial compensation, which means that 50% of the loss will be borne by the DAO. For instance, if the victim loses $100, the DAO will cover 50% of it, which means the DAO will only have to send $50.
I also believe that there are delegates and token holders who will vote for partial compensation, so this option should still stand.

When considering involvement in web3, it’s essential to understand the associated risks, as anyone can fall victim to hacking. Hacks are not frequent, but they can happen to anyone due to a single mistake. @jrh3k5’s stance is no compensation at all. However, examining factors such as the hack on the DAO Discord server with a compromised admin account, I believe it’s fair to share the reward between the victim and the DAO. Using Galxe as an example, which returned 110% to victims of their recent hack, it’s crucial to note that this decision was made by their team, not the DAO, highlighting a significant difference in decision making. Some argue for no compensation, while others support partial or full compensation. Delegates and token holders should have the right to express their opinions, as we can’t decide for the entire community. Additionally, it’s worth noting that not all platforms and companies compensate victims for their losses, and each has different policies. For instance, MEXC’s terms and policies:

MEXC states:

(d) FORCE MAJEURE RISK: When natural disasters, war, strikes, cyber attacks and other unpredictable, unavoidable and unformidable situations occur, MEXC may not be able to operate normally and this may result in Users’ losses. For the User’s losses caused by force majeure, MEXC will not assume any civil liabilities.

Therefore, I strongly suggest implementing three voting options for the community:

  1. Full compensation (100% refund)
  2. Partial compensation (50% refund)
  3. No compensation (no refund)

This would allow the community to decide based on their preferences.

Thank you

Hello @King_steve,

Thank you for detailing your thoughts, and I appreciate your engagement in this matter. Here are some points I’d like to expand on.

  • The proposition of a 50% split, while logical at a glance, does not necessarily reflect the core of the matter at hand. This isn’t just about a generic web3 phishing attempt; it revolves around the SSV DAO taking accountability for a mistake made by the Core Team.
    To draw a parallel, if the DNS for app.ssv.network was compromised, what standards of responsibility and accountability would we expect the DAO to uphold?

  • Comparing SSV to MEXC Crypto Exchange is akin to comparing apples and oranges. SSV is not a crypto exchange; its ethos, operation, and governance are embedded in the DAO structure. On the other hand, MEXC, a centralized business entity, serves its clients in a capacity that doesn’t parallel the community-centric nature of a DAO. If this had been a MEXC-centric issue, the dynamics would be entirely different, driven by a client-service provider relationship rather than a communal decision-making process.

  • Your mention of the Galxe DAO and Galxe Team is noteworthy. It’s crucial to differentiate between the Galxe and SSV in terms of organizational responsibilities. In our ecosystem, the SSV Core Team operates and implements, but the onus of responsibility falls squarely on the shoulders of the DAO, as highlighted in our governance structure and confirmed by @Dean_BloxStaking in the image.

Furthermore, it seems there’s a shared concern regarding the DAO taking responsibility for the actions or oversights of the SSV Core Team, especially when it impacts the community financially. Why do you think this sentiment exists? It’s crucial for us to understand this perspective to ensure the DAO’s operations align with community expectations. If any wallet drainage coming from Discord, WebApp, DNS, or any other service controlled by the SSV Core Team is brushed away, then the community must know.
I believe at its core it’s important to be clear whether the SSV DAO wants to have an approach like Galxe, or a very different approach like the MEXC Crypto Exchange.

Once again, thank you for your perspective. Constructive discussions like these are what drive our community forward.

Best regards,
tx_reverted

@tx_reverted
I understand your perspective, and you bring up some valid points. While the core team bears some responsibility for allowing the scammer to mislead the community into clicking on a phishing link, it’s crucial to recognize that online scams/hacks can happen to anyone, even with tight security measures. The victim also shares some responsibility by clicking on the link without due diligence.

It’s true that users have a responsibility to verify the links they interact with. However, the compromise of the admin account may have made it challenging for the victim to detect the scam. Still, taking precautions is essential.

If the DNS for app.ssv.network had been compromised, it would indeed be a different case, and the victim wouldn’t be to blame. In this scenario a 100% refund might be warranted.

The victim should have been cautious and confirmed that the site they were interacting with was genuinely associated with SSV. I am also sure the site you connected to was not app.ssv.network.

The reason I suggested partial compensation is that, while the core team member is responsible for the victim’s loss, the victim could have avoided it with more careful verification, confirming the site he was about to connect his wallet to.

If I were in the victim’s shoes, I wouldn’t have signed the transaction and would have sought clarification in the Discord server.

I used MEXC as an example to show that different companies have different ways of reacting to issues of loss. I also love the part where you said the SSV DAO is community decision-making; this also solidifies my point that there should be 3 options for the community to vote on, based on how they truly feel about this matter:

  • Full compensation (100% refund)
  • Partial compensation (50% refund)
  • No compensation (no refund)

And let them vote accordingly.
Every voice must be heard and the majority must be respected.

You make a valid point that the Galxe team has the authority to make decisions, but they could have used their DAO for a snapshot proposal. In the case of SSV, the DAO will determine whether there should be full, half, or no compensation, so it’s important not to overlook the option of partial compensation.

Indeed, there is a difference between the SSV hack and the Galxe hack. The Galxe hack was a DNS attack, leaving the victim with no choice, whereas the SSV hack wasn’t a DNS attack, and the victim had the option to exercise due diligence by verifying the link authenticity. In this case, the victim’s lack of diligence should be considered when determining responsibility for the loss.

So both the DAO and the victim should bear the loss.

Understanding the differences between the two hacks is crucial because the approaches and circumstances of these hacks were not the same.

This particular hack didn’t occur within the SSV DAO Discord server, nor did it involve the official SSV DAO DNS. The victim neglected their own duty by failing to perform due diligence.

I maintain my stance in favor of a partial refund, as I believe both the victim and the DAO should share the loss. It’s essential to consider the option for partial compensation and ensure that everyone’s voices are respected.

King_steve,

While I grasp where you’re coming from, I feel we’re arriving at an impasse. Your position appears fixed, and while that’s completely valid, it may not leave much room for the discussion to evolve. Happy to discuss this further in Discord.

A few important considerations I’d like to leave:

  1. Galxe vs. SSV Trust Violation: Both the Galxe and SSV situations revolve around a breach of trust. However, it’s essential to acknowledge that in both instances, the victims could’ve possibly prevented the scam by rejecting the transaction.

  2. Hack Origins & Due Diligence: Your claim that “This particular hack didn’t occur within the SSV DAO Discord server, nor did it involve the official SSV DAO DNS,” appears to be misleading. The breach was indeed on the SSV DAO Discord, a space managed and overseen by the SSV Core Team. It’s easy to assert that victims should’ve exercised better caution in hindsight.

  3. Community future: At the heart of this discussion lies a question: What kind of community do we aspire to be? Do we want to shape a community that mirrors the likes of Galxe, where responsibility and trust are paramount? Or will we lean towards a path where responsibility is sidestepped, impacting the day-to-day lives of our members? As we navigate these challenging times, it’s crucial to remember our shared vision and the ethos that brought us together in the first place.

Best regards,
tx_reverted

@tx_reverted, I understand you are a victim of the hack and I am truly sorry for that. However, the DAO cannot be fully blamed for the hack.

Yes, I understand there is a breach of trust over something that can happen to anyone; the admin did not intentionally allow his account to be hacked. I’m also grateful for you to acknowledge that the victim could have prevented the scam by rejecting the transaction, but the victim did not do due diligence and is also to blame. For instance, yesterday someone sent a link to join a Binance feed. The first thing I did was cross-check the link, and I saw something not related to binance.com; instead I saw something like binnance.com followed by some URL.
I didn’t have to reach out to Binance to know this was a scammer, so the victim is also at fault and should bear half of the loss while the DAO bears the other half.

You did not connect your wallet to the DAO Discord server, and you were not hacked on the DAO Discord server. True or false? What happened was a compromised admin account was used to post a link that directed you to a separate site where the hack took place. The site you were hacked on was not an official app.ssv.network DNS; it was something like ‘ssv.community.’

Legally, if you want to look at it, the DAO is not directly linked to your hack because you didn’t connect your wallet to the official DAO Discord server or the official DAO DNS. The DAO is indirectly involved in this hack because a compromised admin account was used to post a link, and the victim had a chance and a choice not to interact with the scammer’s link by doing due diligence to see that this was not the DAO’s official DNS. So both the DAO and the victim should share the loss.

If you look at the Galxe hack, the official Galxe DNS was hacked, and Galxe was directly involved in this. So the issues of the two hacks are not the same. In the case of Galxe, the victim had no choice because he or she was interacting with a link that officially belonged to Galxe.

I completely disagree with the victim’s standpoint for the following reasons:

  1. The victim seems to be taking a sentimental approach and doesn’t want to accept blame for not exercising due diligence and failing to take responsibility for interacting with a link that doesn’t belong to the DAO.

  2. The victim is comparing the Galxe hack to the SSV hack, even though the two hacks are fundamentally different and shouldn’t be treated with the same level of compensation. The Galxe hack occurred on the official Galxe site, while the SSV hack took place on a separate platform, where an admin account was used to lure the victim. However, the victim also bears responsibility for not conducting sufficient checks to verify that the link did not belong to the DAO. You don’t need to do much when interacting with a link; just examining the domain name, such as “ssv.community,” should have alerted the person that it wasn’t associated with the DAO.

  3. The DAO should also take responsibility for allowing a hacker to use an admin account. Still, the victim should recognize that they didn’t do enough to verify the legitimacy of the link.
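The due-diligence step argued about above (comparing the domain of a posted link against the domains the project actually controls) is mechanical enough to automate, for example in a moderation bot or a browser-side warning before a wallet is connected. The following is an added illustration for this thread, not code from ssv.network or any project named here; the allowlist is a constructed assumption (only app.ssv.network and binance.com appear in the discussion), and the lookalike hosts in the sample are constructed from the thread’s own examples. It shows why an exact-label check on the hostname matters: “ssv.community”, “ssv.network.evil.example” and a userinfo trick such as “app.ssv.network@evil.example” all fail, while a real subdomain of an official domain passes.

```python
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example (assumption): the registrable domains a
# project actually controls. Any host that is not one of these, or a label-wise
# subdomain of one of these, is treated as unofficial.
OFFICIAL_DOMAINS = frozenset({"ssv.network", "binance.com"})


def extract_host(url: str) -> Optional[str]:
    """Return the normalized hostname of an http(s) URL, or None if unparseable.

    urlsplit().hostname drops userinfo ("user@"), the port, and lowercases, so
    "https://app.ssv.network@evil.example/" correctly yields "evil.example".
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, etc. are never "official" links
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")  # "app.ssv.network." is the same host as without the dot


def is_official_link(url: str, official_domains: Iterable[str] = OFFICIAL_DOMAINS) -> bool:
    """True only when the host equals an official domain or is a true subdomain of it.

    Matching on whole labels (host == d or host ends with "." + d) is what stops
    "ssv.community", "notssv.network" and "ssv.network.evil.example" from passing.
    Punycode labels (xn--) are rejected outright to avoid homograph lookalikes.
    """
    host = extract_host(url)
    if host is None:
        return False
    if host.startswith("xn--") or ".xn--" in host:
        return False
    for domain in official_domains:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_links(urls: Iterable[str], official_domains: Iterable[str] = OFFICIAL_DOMAINS) -> Dict[str, bool]:
    """Map each URL to whether it points at an official domain; handy for a moderation bot."""
    return {u: is_official_link(u, official_domains) for u in urls}


if __name__ == "__main__":
    # Constructed sample: the kind of links that might appear in a "claim your airdrop" post.
    sample = [
        "https://app.ssv.network/",                     # genuine subdomain -> official
        "https://ssv.community/claim",                  # lookalike from the thread -> not official
        "https://app.ssv.network@evil.example/claim",   # userinfo trick -> host is evil.example
        "https://ssv.network.evil.example/",            # official name as a prefix only
        "https://binnance.com/feed",                    # misspelling from the thread
    ]
    for url, ok in classify_links(sample).items():
        print(("OFFICIAL  " if ok else "UNOFFICIAL") + "  " + url)
```

The check is deliberately conservative: it answers only "does this host belong to a domain we control", and an unofficial result should trigger a warning or a moderator review, not an automatic block of legitimate third-party links.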

Dear All,

I’m presenting a proposal that will define a critical aspect of our community’s identity and approach to collective responsibility.

Before delving into the specifics, I wish to take a moment to extend my sincere gratitude to each community member who dedicated their time and effort to unravel the intricacies of this unfortunate hack. Your diligence ensures that all claims are verifiable and that we can proceed with a clear understanding of the facts. Thank you for your unwavering commitment to transparency and justice within our community.

Proposal:

Summary:

On August 30th, 2023, our community faced a dire challenge when Lior Rutherberg, SSV’s Core Team CTO, became the target of a cyberattack, leading to his Discord account’s compromise. For seven-plus hours, our Discord server unintentionally spread fraudulent links for token claims and airdrops, deceiving community members and causing significant financial loss.

This proposal is presented to ensure that SSV DAO takes a stance on the consequences stemming from the Discord hack—namely, whether to compensate the victims of this incident. The choice before us is not merely practical but a profound reflection of our values and the future we envision for our community, much like the precedent set by the Galxe community (which continued to grow) following their own security breach.

Mechanics of Vote:

For: Refund the Victims
    SSV DAO to transfer 14.9 ETH to 0xD50D5C19aD6d57b9f3a5490b5d9769e90B521E3b
    SSV DAO to transfer 5.204 ETH to 0x644cebcb9e7ee0f753369caebdcde2b12eaff476

Against / Abstain : Do Not Refund the Victims
    No further action will be pursued.

Detailed Mechanics:

  • These transactions occurred during the period when the SSV Core Team’s control over the Discord was compromised.
  • A thorough verification has ascertained the authenticity of the affected accounts and designated them as victims.
  • Compensation amounts are based on the liquidation values of not just ETH but other tokens as well, translated into ETH at the Date Of Trade prices.
  • The extensive discourse and verification process have been meticulously documented in our forum threads, open for community scrutiny.

Conclusion:

This decision extends beyond monetary implications; it’s a declaration of our community’s image. The path we choose now will set a standard for how SSV DAO manages its accountability, safeguards its community, and upholds the trust our community places in it. Today’s decision will certainly resonate far beyond this moment, setting a precedent for our collective ethos and actions.

I encourage every member to actively participate in this pivotal vote. Your voice will define the course of our community.

Many thanks,
tx_reverted

This should be the correct link

ssv.network - DAO Compensation for the 2023-08 Discord Hack Snapshot

And also why are there only

  • for
  • against
  • abstain

No option for this?
Why?

Thanks for the link fix @King_steve :pray:

No option for this?
Why?

As I’ve mentioned before, this has been answered in the above thread.

Edit: I’ve actually updated some minor aesthetic things in the proposal and the announcement post.

Final proposal here

The vote finished and has not reached the minimum required quorum. Those who participated in the vote were mostly against compensation.

Although this might not have been the desired outcome of the initiators, it is what the DAO wishes.

I’m closing this thread now, wishing everyone the best of luck for the future. :four_leaf_clover:

https://snapshot.org/#/mainnet.ssvnetwork.eth/proposal/0x616d6dc832b23b024dfb1798685f2b59c7cb86207909953443e3a149010a6cff