On the 24th of June, the ribbon.finance domain name was compromised. This was traced to a Namecheap (ribbon.finance domain provider) agent being compromised. As a result, 3 users lost money by depositing into a fake ribbon.finance app.
The total loss was:
- 16.5 wBTC
- 123.7 rETH
- 83.1 stETH
Currently, this is worth approximately ~$540k USD.
We have reached out to the CEO of Namecheap regarding this issue, and they are unwilling to provide any compensation to affected parties. We attempted to upgrade to Namecheap’s premium service afterwards, but discovered that even, the provider did not require a 2FA to change host records. We have moved this domain to a different provider, and highly encourage other projects to do the same.
We propose compensating users who were affected by this from the DAO treasury. The 3 options that we are proposing are as follows:
- Do not reimburse, since this was a 3rd party issue and not a smart contract/protocol exploit
- Reimburse 50% using existing treasury funds, paid out in the asset that was lost
- Reimburse 100% using existing treasury funds, half of which will be in vested RBN over 6 months
We will leave this proposal up for 3 days, before we kick-off a Snapshot proposal.