RGP-21: Reimbursement for Namecheap DNS Attack

Summary

On the 24th of June, the ribbon.finance domain name was compromised. This was traced to a Namecheap (ribbon.finance domain provider) agent being compromised. As a result, 3 users lost money by depositing into a fake ribbon.finance app.

The total loss was:

  • 16.5 wBTC
  • 123.7 rETH
  • 83.1 stETH

Currently, this is worth approximately $540k USD.

Proposal

We have reached out to the CEO of Namecheap regarding this issue, and they are unwilling to provide any compensation to affected parties. We attempted to upgrade to Namecheap’s premium service afterwards, but discovered that, even then, the provider did not require 2FA to change host records. We have moved this domain to a different provider, and highly encourage other projects to do the same.

We propose compensating users who were affected by this from the DAO treasury. The 3 options that we are proposing are as follows:

  • Do not reimburse, since this was a 3rd party issue and not a smart contract/protocol exploit
  • Reimburse 50% using existing treasury funds, paid out in the asset that was lost
  • Reimburse 100% using existing treasury funds, half of which will be in vested RBN over 6 months

Vote

We will leave this proposal up for 3 days before we kick off a Snapshot proposal.

I would prefer to either reimburse 50% using treasury ribbon or no reimbursement

Firstly, I think those affected should pursue Namecheap directly through the courts.

Clearly we need to try and make them whole. But I wonder if we could do a hybrid where we reimburse zero but put the equivalent assets in the vaults and pay the yield to those affected parties? Maybe not worth it for either party…

Reimbursing 100% will give a lot of confidence to other investors. It’s more like an insurance fund compensating for the unfortunate loss, and it’s an accident.