welcome back to the Tally newsletter, your weekly source for DAO governance insights. i'm coolhorsegirl and i’m so happy to be here. 🟣
we’re talking the recent attempted attack on Indexed Finance, the unfortunate $48m KyberSwap hack, and what this means for the ongoing battle to maintain secure protocols.
a few proposals this week, from Compound, Dope Wars, and NounsDAO. growth programs are starting to pop up—another reason we might be back. let’s get into it 👇
🤿 deep dive
november has seen $300m in stolen funds, from a variety of attack vectors—governance attacks, pure hacks, and phishing. we’re talking the KyberSwap hack (and bizarre treaty) and attempted attack on Indexed Finance, and what saved them.
DEX KyberSwap suffered a staggering $48 million hack across 6 chains on november 23. the attacker exploited a bug in how KyberSwap Elastic’s concentrated-liquidity pools account for liquidity when the price crosses a tick boundary: with flash-loaned capital they pushed pool prices into thinly populated ranges where the faulty math let them drain the pools. this resulted in a 90% loss of TVL on KyberSwap, from $85m to $8m. there’s something even more mind-blowing than the hack itself: the hacker’s response.
the hacker certainly has a flair for the dramatic: they demanded complete control of the Kyber company, including its assets, governance mechanism, and even its equity, in a “treaty” with a december 10 deadline for the Kyber team to accept. mudit gupta, chief information security officer at Polygon, called the hacker “unhinged.” the onchain message elicited a slew of onchain responses from the victims, notably including a proposal to reward the hacker with 10% of the stolen funds, contingent on the complete return of all assets to Kyber.
wild stuff. the hack itself, and the bizarre demands of the hacker (you saw “doubling employees’ salaries,” right?), highlight the unpredictable nature of threats in crypto, even nearing the end of 2023. these kinds of things are hard to anticipate, and that’s why using the most secure and battle-tested smart contracts matters. we back OpenZeppelin Governor for governance, for example. one caveat: audited governance code won’t save you from a math bug in your own pool logic, as Kyber shows, but it does take one whole class of risk off the table.
but hacks are not always about a bug in the smart contracts. recently Indexed Finance, the now-defunct victim of a 2021 hack, suffered an attempted governance attack. its remaining treasury of ~$90k was at risk after an attacker bought up NDX tokens to (potentially) win a majority vote transferring the whole treasury to themselves. luckily, the 3-person founding team mobilized to put emergency powers in the hands of a 2/3 multisig just in time. the attack was thwarted, highlighting the value of security councils and other forms of emergency powers for stopping this kind of attack, where the contracts work exactly as designed and the weakness is that a voting majority in a cheap, illiquid token costs less than the treasury it controls.
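to make the mechanics concrete, here’s a toy model of the attack and the defense. this is an added illustration, not Indexed Finance’s contracts and not OpenZeppelin Governor; the balances, the $90k treasury, the quorum and timelock numbers, and the “guardian” role that can cancel a queued proposal are all assumptions for the demo. it shows a snapshot-at-proposal vote (which stops flash-loan voting but not a patient buyer), the attacker buying a majority, the drain proposal passing, and the guardian vetoing it during the timelock window.

```python
"""Toy token-vote governance with a timelock and an emergency guardian.

Added example for the newsletter, not Indexed Finance's or OpenZeppelin's code.
All names, balances and parameters below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Proposal:
    proposer: str
    action: str                       # e.g. "transfer_treasury_to:attacker"
    snapshot: Dict[str, int]          # voting power frozen when the proposal was created
    for_votes: int = 0
    against_votes: int = 0
    voters: Set[str] = field(default_factory=set)
    eta: Optional[int] = None         # earliest execution time once queued in the timelock
    cancelled: bool = False
    executed: bool = False


class Governor:
    """Token-weighted voting + timelock + an assumed 'guardian' role that can cancel."""

    def __init__(self, balances: Dict[str, int], treasury_usd: int,
                 quorum_bps: int = 400, timelock_delay: int = 2 * 86400,
                 guardian: Optional[str] = None):
        self.balances = dict(balances)
        self.treasury_usd = treasury_usd
        self.quorum_bps = quorum_bps
        self.timelock_delay = timelock_delay
        self.guardian = guardian
        self.proposals: List[Proposal] = []
        self.now = 0                  # simulated clock, seconds

    def total_supply(self) -> int:
        return sum(self.balances.values())

    def transfer(self, seller: str, buyer: str, amount: int) -> None:
        if self.balances.get(seller, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[seller] -= amount
        self.balances[buyer] = self.balances.get(buyer, 0) + amount

    def propose(self, who: str, action: str) -> int:
        # Snapshot balances now: tokens bought after this carry no weight on this
        # proposal, which defeats flash-loan voting but not someone who bought earlier.
        self.proposals.append(Proposal(who, action, dict(self.balances)))
        return len(self.proposals) - 1

    def vote(self, pid: int, who: str, support: bool) -> None:
        p = self.proposals[pid]
        if who in p.voters:
            raise ValueError("already voted")
        p.voters.add(who)
        weight = p.snapshot.get(who, 0)
        if support:
            p.for_votes += weight
        else:
            p.against_votes += weight

    def succeeded(self, pid: int) -> bool:
        p = self.proposals[pid]
        quorum = self.total_supply() * self.quorum_bps // 10_000
        return p.for_votes > p.against_votes and p.for_votes >= quorum

    def queue(self, pid: int) -> None:
        if not self.succeeded(pid):
            raise ValueError("proposal did not pass")
        self.proposals[pid].eta = self.now + self.timelock_delay

    def cancel(self, pid: int, who: str) -> None:
        # The emergency power: only the guardian may veto a queued proposal.
        if self.guardian is None or who != self.guardian:
            raise PermissionError("only the guardian can cancel")
        self.proposals[pid].cancelled = True

    def execute(self, pid: int) -> None:
        p = self.proposals[pid]
        if p.cancelled or p.executed or p.eta is None or self.now < p.eta:
            raise ValueError("proposal is not executable")
        p.executed = True
        if p.action.startswith("transfer_treasury_to:"):
            self.treasury_usd = 0     # the drain: treasury leaves the DAO


def majority_attack_cost(balances: Dict[str, int], token_price_usd: float) -> float:
    """USD needed to hold a strict majority of supply at a given price: the attacker's budget."""
    supply = sum(balances.values())
    return (supply // 2 + 1) * token_price_usd


def run_hostile_takeover(guardian_present: bool) -> int:
    """Attacker buys 60% of a dormant token and proposes draining the treasury.

    Returns the USD left in the treasury after the attempt.
    """
    balances = {"founders": 300, "lp_a": 250, "lp_b": 250, "dust": 200}   # constructed
    gov = Governor(balances, treasury_usd=90_000,
                   guardian="emergency_multisig" if guardian_present else None)
    for seller, amount in (("lp_a", 250), ("lp_b", 250), ("dust", 100)):
        gov.transfer(seller, "attacker", amount)   # attacker now holds 600 of 1000
    pid = gov.propose("attacker", "transfer_treasury_to:attacker")
    gov.vote(pid, "attacker", True)
    gov.vote(pid, "founders", False)
    gov.queue(pid)                                 # 600 for vs 300 against: it passes
    if guardian_present:
        gov.cancel(pid, "emergency_multisig")      # veto inside the timelock window
    gov.now += gov.timelock_delay
    try:
        gov.execute(pid)
    except ValueError:
        pass                                       # a cancelled proposal never executes
    return gov.treasury_usd
```

the point of the model: nothing in `Governor` is “exploited.” the vote is honest, the snapshot is honest, and the proposal passes anyway because the majority was simply bought. the timelock buys time and the guardian’s `cancel` is what actually saves the treasury, which is exactly the emergency power Indexed’s founders scrambled to put in a 2/3 multisig.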
⌛️ onchain proposals
💚 Compound
summary: 7.77k COMP for a fund aimed at advancing the Compound protocol through targeted business development, integration, and marketing campaigns.
voting ends: december 8th
😊 Dope Wars
summary: 15m PAPER to sponsor the Holiday Game Jam by contributing to prize pools and creating bounty tracks. passed on Snapshot.
voting ends: december 9th
summary: 3 ETH to buy Dope NFTs on the secondary market that are offered at close to the treasury’s risk-free valuation. passed on Snapshot.
voting ends: december 9th
🟡 NounsDAO
A Nounish Coffee Shop — A Los Angeles IRL-to-URL Nounish Experience
summary: 650,000 USDC to establish and operate a Nouns-branded coffee shop in marina del rey. some very vibey mock-ups.
voting ends: december 11th
📝 what we’re reading & listening to
📄 My techno-optimism by vitalik buterin
tech-driven progress with a side of capitalism? well, we need “active human intention” to drive us to a brighter future, because “the formula of ‘maximize profit’ will not arrive at [that] automatically.”
🎧 Addressing BanklessDAO Drama on Bankless
the Bankless brand suffered a crypto-twitter meltdown after confusion between BanklessHQ and BanklessDAO had people thinking the Bankless founders were attempting to profit off of a DAO they controlled. this pod addresses the claims head-on.
🎧 Inside Gauntlet: The Future of DAO Service Providers w/ Matt Dobel (Gauntlet) on StablePod
DAO service providers are all the rage these days. but are they scalable? they discuss that, Gauntlet’s B2D model, and the role of Gauntlet and firms like it in the maturation of DAOs.
💫 DAO talk: so you think you can DAO || DT weekly ep 64
🤭 meme of the week
~ coolhorsegirl 🐴
p.s.- comforted by the fact that my top artists on Spotify this year are more or less the same as they were when i was 13.