The Path Forward from the Fuse Exploit

Hello Tribe Community

The events this past Saturday have been devastating to the Tribe community, but I am optimistic about the community’s ability to navigate these difficult circumstances. There are many good possible outcomes here as we come together and discuss how best to move forward.

This post is an open forum to continue discussions around moving forward from the Fuse exploit on Saturday April 30. As a community, we will push through these tough times and continue to lead the frontier of decentralized finance. It will be up to the community to discuss, identify, and make a decision on a resolution.

Discussion of Reimbursement

There is currently no active agreement with the DAO to insure Fuse in any way. Fortunately, the Tribe DAO is positioned to pay this back if the community is in support of doing so. This section will discuss the spectrum of possibilities here and provide some analysis of the various options. Inevitably it will be up to the community to weigh these choices and make a decision.

The following section will lay out proposed paths forward for the community to evaluate and use as a guideline for dealing with the $80M hack on Fuse. Note: the hack total includes approximately $30M of Tribe PCV deployments, so this discussion is essentially around the potential reimbursement of $50M, which are the remaining affected user and DAO funds.

Make the Community Whole

This option would clearly signal that the Tribe values its users and partners first. It emphasizes a long-term vision of the Tribe DAO as a responsible and reliable actor in DeFi. The benefits to the Tribe DAO of full repayment are that it keeps its relationships with its numerous users and partner DAOs intact. Repayment creates positive externalities ensuring that partners feel comfortable collaborating with the Tribe in its other product offerings now and in the future. Furthermore, this decision signifies the core values of the Tribe and this community as a whole.

The drawbacks first involve the cost to the DAO. The $50m reimbursement amounts to ~16% of the Tribe DAO’s protocol equity as of 5/03/2022. Finally, this may grow the mandate of the PCV from solely backing Fei to supporting the Tribe’s other products which could be a negative externality for the Fei stablecoin.

The process of reenabling Fuse would require recapitalizing the protocol and paying back the attacker’s bad debt (borrow balances). This mandates an onchain vote and the development of additional software to make the Fuse pools and thus its users whole. If executed, all users could withdraw their assets from affected pools. Therefore this is likely the clearest path towards Fuse becoming fully functioning and healthy again.

Do Not Make the Community Whole

In this option, Tribe DAO would not be spending $50m from the PCV. This option ensures clarity about the PCV’s limited mandate to solely back Fei which may mitigate uncertainty for Fei holders about the strength of its backing.

The drawbacks to the Tribe DAO of non repayment are that the hack victims will suffer losses. Some organizations may default on their liabilities and this could have a systemic impact throughout the numerous protocols built on top of Fuse. The Tribe DAO’s relationships with these affected parties, and reputation in the broader DeFi ecosystem may be severely impacted. Affected Fuse pools or at least affected markets would likely have to be deprecated because of the existing bad debt.

Alternate Solutions

Any options in between full repayment and no repayment are up to the community to propose and discuss. There is certainly significant room for creativity here. Some examples might be reimbursement in Fei or Tribe instead of direct PCV, though these have tradeoffs. We welcome open discussion.

Going Forward

Regardless of this outcome, the Tribe DAO will not be providing any future insurance on Fuse until further discussions are had. There may be additional discussions regarding Fuse insurance as the community moves forward from these experiences.

Each of the proposed paths forward have very different tradeoffs and outcomes that will affect the Tribe DAO’s future. As such, it is important to assess proposed solutions across multiple axes, and decide which tradeoffs are acceptable, and which are not.

For now there will be no voting parameters and this will solely be a forum to ideate on solutions. As the community deliberates and begins to hone in on a handful of options it will move towards a vote. This forum post will remain for at least a full week to foster healthy discussion and the community will decide how it moves forward from here. Thank you all for being a part of these discussions.

On a tangential note, is this an accurate description of what had happened

So, if this codebase had been audited, will the auditor bear any responsibility? And if not, how unaudited code had reached production?

Hoping this includes the Tetranode’s pool on Arbitrum, had a chunk of funds in there, feeling pretty miserable because the borrowing was not paused after the attack on mainnet.

I assume there have been several audits of the Fuse and Compound code base. In any case, the standard is that the damage to the audit firms is only to their reputation and they have no financial responsibility.

As a Tribe Holder, Fei Holder and regular user of Fuse pool(did lose not much, but 5 figure stable in exploits), wish to share some of my thoughts.

1.Despite I was using FeiRari pool, I do think alternative repayment like only imburse the FeiRari pool is not a good idea, even worse than no Reimbursement, it will definitely exile most existing partners and users. The core of sucessfully for a StableCoin is intergration and usage in the broader DEFI ecosystem, and fuse take a great responsibility for FEI’s expanding and usage as planned. I believe most normal users in other affected pools don’t know much difference between different pools, therefore supposed been treated equally.

2. As for make it a whole or not, I prone the Full Reimursement proposal. Considering the 50M debet, it’s did a large amount, cost like 8% of total PCV, but would’t endanger the Peg of FEI yet. Under roughly estimate, i assume the Collateralization Ratio will still above 200% using the previous accounting method, which is still strong supportive for the FEI’s peg.

3.As for furture plan, I think after very carefully audits and reviews, TribeDAO could vote for a insurance fund for Fusepools, but the insurance will only responsible for the exploit caused by the Global Code Fault, like the current case. Any oracle contract mistakes or token contract mistakes would not be considered. And the insurance amount should be linked with the revenue generated by RARI protocol.

Overwhole, since the merge of FEI and RARI, RARI is already part of TribeDAO, not just normal partners, the rari protocol should be treated equally as Fei protocol from the point of Tribe’s view. If FEI protocl endure somthing bad, I believe Tribe DAO will reach it’s hand, so should be same as RAI. If we discard RARI, then it is most likely lead to the deadth of RARI protocol, like CreamFinance. 50M is did a big amount, but still under control, A professional soltion might bring good things out of bad situation.

for those interested here is a quantitative overview of what happened during the attack

https://rari-hack-report.vercel.app/

(I have no affiliation with Rari/Fuse/Tribe. Just a random contract security guy.)

Yes, Hacxyk’s thread is accurate on how the attack worked.

Auditors in general bear no financial responsibility.

The code was audited, but it’s a longer story. Here is the auditor report on the specific chapter: CEther Manual Review Findings | Omniscia Rari Capital Audit

• The auditor requested that the team remove a layer of security against ETH based reentrancy attacks.
• The team removed that security.
• The auditor approved the change, and commented that the team should see to see if something bad would happen as a result
• Neither the team nor the auditors noticed that the overall codebase was now vulnerable to the attack that happened.

" Do Not Make the Community Whole" doesn’t capture the perspective of a tribe token holder PCV value is directly proportional to the token price. The solution to this should not affect one or the other. Giving PCV assets to hack victims clearly affects the tribe token price and tribe holders. There should be some form of KPI-based reimbursements. Based on tribe DAO performance and growth of token price or growth of liquid (which can be liquidated at any time) token assets.

I know about the general practice regarding auditors. Yet auditor negligence is a known grounds for a lawsuit, although in this case we’re in a far greyer area.

More importantly the question about path forward must include some investigation into the malpractices that led to what has happened and measures to fix them, if Tribe wants this breach of security to be a rare exception. It’s not just a technical issue, but rather an organisational and cultural one. How can Tribe DAO make sure that something like this won’t happen in the future? I would actually suggest nominating a special DAO commission with a mandate to produce a report with recommendations for such measures. Today it’s a $80M issue. Tomorrow it may well be a survival issue for the DAO.

Shit happens is not an answer to such debacle.

Seems to me the big red flag here isn’t that there was a hack (shit happens), but rather that in making the community whole, you’re showcasing the fact that the backing can be diluted by a vote (of probably a handful of people). If you do go through with the reimbursement, I just hope that this risk gets removed in the future.

I’m surprised to hear it’s only 16% of TribeDAOs equity. I was a victim of the 1st Rari hack in May 2021. I was optimistic after months of hearing nothing, that the Tribe/Rari merge would finally make victims of the hack whole. That still hasn’t happened to my knowledge. This is frustrating when you see millions of dollars in “partnerships” being thrown around month after month.

Most of us understand the risks of DeFI. I’m not trying to hold some dev accountable to a bug in open source software, I choose to run and risk my money with. On the other hand, Tribe is effectively operating a business. It wants to take a fee of every transaction, then use token equity voting to choose how spend treasury to expand its product line and TVL. Tribe DAO wants to grow with new users, but retention is critically important. Why would any past/existing user continue to trust your protocols if you don’t take care of them in situations like this? It’s not about how fast victims are paid back, or if it’s through equity dilution, but that the DAO leadership cares about their users.

There is a reason Axie, Wormhole, etc… are diluting their equity to cover massive losses. Customer trust is critical for a DAO to grow its services and retain customers. Look at the leader in this space Aave and their equity dilution insurance model. As a user this makes me feel safer about trying new versions and services. Maker has an insurance model and has diluted themselves to cover losses in the past. Anchor was proactive with a Buy Insurance button on the homepage for a year now. Trust is the most critical component of any organization. Has any DAO suffered a hack, not taken care of users, and continued on to be successful?

A more thorough explanation of what had happened as described by @danielvf Basically, a Rari engineer opened the window for a hack, it was a known issue. This must not happen again in the future.

To cite Hacxyk:

Having said that, it’s once again exposing a weakness in smart contract audit, that is, once an audit is done, nobody cares. Had someone taken little time to compare the deployed contract, they would have spotted it.

You can claim your FEI reimbursement here from the 1st Rari hack.
https://reptb-swap.vercel.app/

The Tribe DAO has shown tremendous support to all users of all of its products. Trust is something crucial as the community decides paths forward, as you put it.

I would also suggest devising some kind of an insurance mechanism (buffer) to cover up for future possible losses of this kind.

You’re right on spot there.

Priority right now is to fix the state of the protocols and gather public opinions about hack repayment, but rest assured that these process/culture issues are being addressed by core contributors and most internal meetings are being spent discussing this.

There are a few advantages to immediate reimbursement from a technical and financial perspective.

1. Without a reimbursement directly into the Fuse bad debt, those pools remain unusable.
2. following from 1, the Tribe DAO’s net loss increases by an additional ~20m of unwithdrawable assets that would otherwise be collateralized by the other assets in the pool. If the pools remain bricked, borrowers won’t repay.

Good to know that it’s being discussed, but it’s hard to look into your own issues and external oversight would be in the best interests of the protocol. Maybe even hiring people from outside of Tribe. It’d be a perfect job for the DAO and good handling of the crisis PR-wise.

Not just cover up for the losses, but rebuild trust: what we have done to make sure this will never happen again.

A lot of great points from everyone. I am a huge believer in the team, the community, and the protocol. What happened was extremely unfortunate, especially at this pivotal moment when we are just about to launch Turbo.

From the discussion about, I think we all agree on making the community whole is important for the future growth of Fei Protocol but how we do it might be extremely complicated since different options have distinct tradeoffs. So for full reimbursement with PCV, we have the following tradeoff if my understanding is correct:

• Pro: PR (related with DAO customers and individual customers), recoup ~20mn loss for Fei, immediate normal operation for Rari pools.
• Con: Bad precedent (should PCV be an insurance fund for Rari Pools?), Fei stablecoin collateralization gets hurt.

Note: one thing I did not fully understand is @joey 's point that if we do not repay in full, Fei would lose another 20mn from non-recoverable loans? Does it mean that if we pay back the $50mn, we would recoup the 20mn? Therefore, we actually paided 30mn in effect? In summary, if the Fei Protocol does not pay back, we lose 29.7mn by the hacker and another 20mn from bad debt, in total 49.7mn. If we pay back the 50mn, we still lose the 29.7mn by the hacker, but recoup 20mn, so we in total lose 59.7mn. Is this math correct? If so, there seems only a 10mn difference instead of the 80mn number in the press.

Also, following this logic, it seems like although the hacker only took 80mn, the second-order loss of funds is actually greater than 80mn, if so, what is that total amount for all participants involved?

In the discussion of mechanisms for reimbursement, I think we could think about the mechanisms through a few lenses:

1. Where does the fund come from? (PCV, $TRIBE)
2. What is the payment period? (lump Sum, over some period)
3. Who do we payback? (everyone, selected)

Is there anything I am missing in these categories?

As for the next steps forward, I think organizational changes and other risk mitigation methods are important but I think that should be reserved for another thread since those concepts are much more nuanced than the reimbursement itself. I personally think reimbursement should be the top priority here.

Kydo

Im in favor of a full refund that protects the brand of the project. And from there begin to build the new FUSE that was discussed in the twitter spaces, with space for other projects to build on FUSE and provide some kind of guarantee.
It is a long road, crypto is still a niche, it is essential to protect the brand to project into the future, rebuild the trust of users/partners.
I would also like to propose that bounties be implemented for white hat hackers.

It is not a direct payment to users. Rather, the PCV is used to pay back the bad debt in the affected Fuse pools. This would replenish the liquidity in those pools, allowing users to withdraw their deposited collateral.