Summary
Proposal to pay 10% of the ETH received to Gabagool.eth by way of bounty for securing the funds for the DAO.
Abstract
On 8 October 2021, community members noticed large and consistent selling of RBN tokens for ETH that appeared to be coordinated.
Gabagool.eth connected the joint control of the wallets and identified the owner. Furthermore, Gabagool was able to determine that this user was a team member of the VC firm Divergence Ventures. This VC firm was an early funder of Ribbon Finance, the very platform on which they had sybil-farmed the airdrops they dumped in this coordinated sell-off.
It is believed the selling stopped (having reached circa 700 ETH) when team members from Divergence Ventures noticed Gabagool’s work posted on Twitter.
Divergence Ventures sent the Ribbon Finance DAO the circa 700 ETH they had gained to bring the matter to a close.
This RGP proposes that Gabagool.eth is paid a bounty for his work totalling 10% of the ETH the DAO received. Whilst Gabagool has indicated that these funds would be used to market-buy RBN tokens, the funds would be his to do with as he wishes.
Execution
If this vote passes the multisig will need to initiate payment to Gabagool.eth.
Vote
If this RGP receives positive feedback here, it will be put to a Snapshot vote.
10% at the current valuation of what was returned so far (700 ETH) may be a tad high, but I believe it is in line with what a white hat effort would be paid in bounty for an exploit of that size.
However, if more funds were to be returned there should be a capped payout, at which point I’d say 70 ETH is more than fair. But I also see the benefit of joining this proposal with RGP-6 as more collaborators are joining the efforts.
It’s still on par from a damage level to the protocol. I say this because of the capped deposits on the vaults, and the unknown number of potential depositors (i.e. would-be community members) these airdrop farming deposits kept out.
IMO the best of both worlds is combining RGP-5 and RGP-6 for a total of 10%; allocations to gabagool & others that provide future info set by the community. I’d propose 5%/5%, or a dynamic award based on the proportion of total ETH recovered from the findings after a set period of time.
10% is fine considering he’s gonna spend it on RBN. If he had never reported his findings, the treasury would have nothing and the VCs would still be dumping.
We will create a governance proposal to reward Gabagool with a 20,000 RBN bounty from the Ribbon DAO Treasury for identifying the airdrop farming transactions and bringing this to light.
At the current price, that is 70k USD.
This proposal at the current ETH price is 250k USD.
Any thoughts on how this changes your thinking @bberry259 ?
I applaud the efforts of those in the crypto community at bringing this malfeasance to light, but 10% is insane given the scope of tokens involved, and frankly how easy it was to track the offending party’s fraud. 1% is fair, 2% is generous.
It’s not a contract exploit or bug, but it is akin to a loss to the protocol in terms of marketing/user retention funds. I’m using SushiSwap’s Immunefi bounty tier list as a guideline to reward 10% of economic damage up to a cap of $1m. In my opinion 1-2% is far too small, but I’m fine with the RBN reward proposed by the team.
IMO this kinda thing is as hard as a bug to track down. Bugs have a clear rule set in a clearly defined environment. Sybil attacks have unclear rule sets in a murky L0 environment. Finding the one tweet linked to a single address and finding the many linked wallets takes real effort.
Furthermore, this sybil attack had a large economic impact, giving the attacker a significant amount of the supply and creating a large negative perception of the project across the market. The release of information matched with price movement shows a clear correlation between the resolution of this event and market price.
The attack adds uncertainty which, unlike smart contract bugs, can’t be cleared up on-chain with audits. Linking accounts to physical people greatly reduces our ability to build up certainty. Any clarity provided is tremendously valuable in such an arena. 100% of the recovered value benefited from the information Gabagool provided.
I feel sybil attacks add great uncertainty which is harder to recover from than smart contract bugs. A new code base or audit can’t make the smell go away. But Gabagool’s efforts are creating reactions which have led to reduced smell. I think that is worthy of the same fee commonly distributed to smart contract bug disclosures.
Both for the Ribbon community and this space as a whole, rewarding such work can only be beneficial.
10% of whatever tokens got returned to the multisig is prolly fair IMO, maybe with a $1m cap per cronii’s reply. A lockup on the tokens would be preferable too.
Yeah… 10% is a bit excessive, but Gabagool definitely deserves a percentage of that! If not, we would all be scrambling asking what happened and voting on a different proposal of how to fix it.
Without a market rate for this sort of work, it is hard to reason about what is and what isn’t “fair”. However, I just wanted to provide two comparisons here, as I think that 10% is quite reasonable.
Standard whitehat payout is 5-10% (sorry, I don’t have a source for this). From the perspective of the protocol, funds returned are funds returned, and it’s not clear to me why Gabagool’s valuable analysis would be paid any less than more traditional whitehat contributors.
In season 3 of The Sopranos, after Christopher gets made, he has to pay 10% of his earnings from the sportsbook up to Paulie, the capo he works for. So there is a strong precedent of 10% for gabagool related commissions as well. It’s the gabagool standard.
That being said, this would set a clear precedent: people who are able to take action to make/save the protocol money will be compensated fairly, if not generously. This will create a strong incentive for people to track token emissions closely and ensure they are being allocated effectively. Let’s say we set a precedent that you only get 1% for work like this. What happens if someone were to find evidence of a 100 ETH issue with the protocol? Would they bother doing the work to dig into the data, notify $RBN holders and argue in the forums to get paid? For the type of people with the skills to complete this sort of work, my guess is no.
Quick note: The views stated here are my personal views - I’m not commenting on behalf of Gauntlet here