ParaSwap DAO

Closed · Ended 2 years ago · Snapshot (Offchain)

PEP-07 - Grant Request From the ParaSwap Foundation Regarding March 20th Vulnerability

By 0xEa1d...3bd62d

Abstract

On March 20, 2024, a vulnerability was discovered on the Augustus V6 contract. Immediate action was taken, which included pausing the API and reverting to V5. After these actions, white hat operations were conducted, securing over $3.4 million in assets, followed by a return process of these secured funds for users who had revoked their V6 contract permissions.

Certain users remained vulnerable until they revoked their V6 contract permissions, and some added funds before revoking. Some of their wallets were then drained by hackers, unfortunately.

The hackers have been contacted and some agreed to a partial return after negotiations. However, we have to date not been able to recover all funds taken from the V6 contract. The Foundation has considered it important to provide full refunds to affected users with a view to the long-term sustainability of this project. This proposal outlines a mechanism for those affected by the vulnerability but not covered by the white hat hack and requests a grant from the DAO to help refund users.

Goals and Review

On March 20, a security vulnerability was discovered on the Augustus V6 contract. This vulnerability was considered a critical priority, as anyone who had given permissions to the V6 contract could be affected by it. We have made every effort to communicate on various social media channels to brief users on the need to revoke all their V6 contract permissions immediately.
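The revocation the paragraph above asks users to perform is an ERC-20 allowance reset: for every token the wallet holds, check whether the V6 contract still has a non-zero allowance and, if so, send approve(spender, 0). The script below is an added illustration, not code from ParaSwap, the Foundation or Boardroom. It uses the standard ERC-20 function selectors and ABI word encoding; all wallet, token and spender addresses in it are constructed placeholders (the real Augustus V6 address is not on this page), and the `ethCall` function is injected so the logic runs offline; in a live run it would wrap a JSON-RPC `eth_call`.

```javascript
// Added example: find live ERC-20 allowances granted to a spender and build the
// approve(spender, 0) transactions that revoke them. Not ParaSwap project code.

const SELECTOR_ALLOWANCE = "dd62ed3e"; // first 4 bytes of keccak256("allowance(address,address)")
const SELECTOR_APPROVE = "095ea7b3";   // first 4 bytes of keccak256("approve(address,uint256)")

// Accept a 0x-prefixed 20-byte address and return its lower-case hex body.
function assertAddress(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error(`bad address: ${addr}`);
  return addr.slice(2).toLowerCase();
}

// ABI-encode a static 32-byte word from an address or an unsigned integer.
function wordFromAddress(addr) {
  return assertAddress(addr).padStart(64, "0");
}
function wordFromUint(n) {
  const v = BigInt(n);
  if (v < 0n || v >= 1n << 256n) throw new Error("uint256 out of range");
  return v.toString(16).padStart(64, "0");
}

// calldata for allowance(owner, spender): a read-only check of what is still approved
function encodeAllowanceCall(owner, spender) {
  return "0x" + SELECTOR_ALLOWANCE + wordFromAddress(owner) + wordFromAddress(spender);
}

// calldata for approve(spender, 0): the revocation transaction the user signs
function encodeRevokeCall(spender) {
  return "0x" + SELECTOR_APPROVE + wordFromAddress(spender) + wordFromUint(0);
}

// Decode a single 32-byte uint256 return word.
function decodeUint(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length !== 64) throw new Error("expected one 32-byte return word");
  return BigInt("0x" + h);
}

// ethCall(to, data) -> return-data hex. Injected so this runs offline; in
// production it wraps JSON-RPC eth_call against the chain being checked.
// Returns one entry per token whose allowance to `spender` is still non-zero.
function planRevocations(ethCall, owner, spender, tokens) {
  const plan = [];
  for (const token of tokens) {
    const allowance = decodeUint(ethCall(token, encodeAllowanceCall(owner, spender)));
    if (allowance > 0n) {
      plan.push({ token, allowance, tx: { to: token, data: encodeRevokeCall(spender) } });
    }
  }
  return plan;
}

// Constructed placeholder addresses and chain state (hypothetical, not real contracts).
const OWNER = "0x" + "1".repeat(40);
const SPENDER = "0x" + "2".repeat(40);   // stands in for the contract being revoked
const TOKEN_A = "0x" + "a".repeat(40);
const TOKEN_B = "0x" + "b".repeat(40);
const fakeState = { [TOKEN_A]: 2n ** 256n - 1n, [TOKEN_B]: 0n }; // unlimited approval left on A

function fakeEthCall(to, data) {
  if (!data.startsWith("0x" + SELECTOR_ALLOWANCE)) throw new Error("unexpected call");
  return "0x" + wordFromUint(fakeState[to] ?? 0n);
}

const plan = planRevocations(fakeEthCall, OWNER, SPENDER, [TOKEN_A, TOKEN_B]);
console.log(plan); // one revocation for TOKEN_A, none needed for TOKEN_B
```

The plan only lists tokens that still need a transaction, which keeps the user from paying gas for tokens already at zero; each `tx` object is what a wallet would sign and broadcast. Re-running the check after the revocations confirm is the way to verify nothing was missed.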

After the vulnerability was found, developers took immediate action to address the vulnerability, including the pausing of the API and removal of all V6 contracts from the UI. Additionally, Augustus V6 has been self-destructed on all chains where it was possible (Polygon, BSC and Avalanche). Furthermore, core developers and white hat hackers executed a series of follow-up recovery operations, including 0xc0ffeebabe.eth, who recovered approximately $700,000.

In total, the white hat recoveries secured $3.4 million and prevented any further ParaSwap users from being affected, as the contracts were stopped less than 48 hours after their public release.

Despite these recovery measures, two categories of users were still affected by the vulnerability:

  1. Pre-white hat victims: These users were exploited before the white hat operation. In total, $24,000 of assets were lost.
  2. Post-white hat asset deposits with compromised V6 contract permissions: These instances occurred when a user deposited funds into an address that still had active V6 contract permissions, resulting in an exploit. In total, ~$840,000 is still outstanding.

UPDATE: Following new developments, the outstanding amount has been reduced to ~$340k

The list of all affected user addresses can be found here: https://pastebin.com/JiJThtVq.

In the view of the Foundation, to support the community and promote the ongoing vitality of the protocol, it is essential to offer compensation to pre-white hat and post-white hat victims as described in the two categories outlined above, up to the point of this proposal. Accordingly, the proposal sets the following goals:

  1. Earmark funds from the treasury to compensate users whose funds were not returned by the white hat operation and who have heeded our instructions to revoke V6 contract permissions at the time of this proposal.
  2. Design and execute a process for compensation using the earmarked funds.

While we do not believe that there is a legal obligation on any party other than the exploiting parties to compensate users whose funds have not been recovered following the V6 contract exploit, we believe that, in the circumstances, it is right and appropriate and in the best long-term interest of the protocol that the DAO considers the compensation proposal as soon as possible. As such, the voting window will be 48 hours.

An appropriate post-mortem will be carried out following this proposal. The situation is still ongoing and is being carefully addressed and analyzed.

Means

The ParaSwap Foundation has already been taking an active role in mitigating the consequences of this vulnerability. This proposal aims to request the following assets currently not used by the DAO for complete user compensation:

  • The unused wETH/ETH accumulated by the DAO until epoch 15, totaling ~150 wETH.
  • The accumulated FTM from Fantom’s Gas Program, totaling 27,207.53 FTM.

The amount of the assets can be estimated from this bundle.

The requested funds will be allocated towards user compensation and addressing additional expenses from the exploit. The Foundation will cover the remaining costs linked to the vulnerability, including the refunds, the engagement of security analysts, conducting thorough contract re-audits, communication with authorities, and the formulation and execution of the refund process.

Implementation Overview:

  1. Transfer of requested funds to the ParaSwap Foundation.
  2. Creation of a claims process by the ParaSwap Foundation.
  3. Return of funds to affected parties who complete the claims process.

While these steps are happening, the team will be dedicated to providing updates and serving the community to rectify the situation.

UPDATE: Following new developments, the outstanding amount has been reduced to 103 ETH

Votes: 73

Voter / Cast Power / Vote & Rationale (top five voters shown)
  • 0x29B2...73eaE5: 95.574M
  • 0xFCAB...F82DCd: 28.064M
  • 0xeD62...93e004: 4.53M
  • 0x3d0f...274b51: 3.776M
  • 0x892C...442A7C: 3.658M
Proposal Status
  • Thu April 04 2024, 12:00 pm: Voting Period Starts
  • Sat April 06 2024, 12:00 pm: End Voting Period
Current Results
  • 1 - For: 146.478M (96.81%)
  • 2 - Abstain: 4.189M (2.77%)
  • 3 - Against: 642,516.324 (0.42%)

Quorum: 151.309M / 25M