Keeping 1hive safe

Proposal Link

https://gardens.1hive.org/#/xdai/garden/0x8ccbeab14b5ac4a431fffc39f4bec4089020a155/proposal/109

Proposal Information

Proposal description:
I would like to request compensation in Honey for everyone who helped secure 1hive after the Honeyswap domain hijack and after the discovery of a critical vulnerability in the Hooked Token Manager.

  • In the Honeyswap domain hijack, we secured the domain, pushed a new frontend so everyone’s browser cache would be flushed, and returned the funds of everyone who got rekt.
  • More recently we received a bug report on a critical vulnerability in the token manager that could have been used to obtain most of the funds of the Unipool contract of a Boboli Garden. Presumably the problem was solved before anyone could exploit it.

Proposal Rationale

Keeping 1hive, its services and the rest of the gardens safe is a must. We passed proposals to return the funds to the people who lost them and to reward the people who reported the token manager bug, but we haven’t yet rewarded the people who solved the problems from the 1hive side.

Expected duration or delivery date (if applicable):
N/A

Team Information (For Funding Proposals)

Names, usernames, and/or relevant social links for team members (Twitter, Github, 1Hive Forum, etc.):

Honeyswap domain hijack (based on the chat messages; I may be unfairly leaving somebody out, so please tell me if that’s the case):

  • lkngtn - was the one who dealt with the domain company, and was the one most troubled by the incident.
  • gabi - one of the first people to act, and who dealt with the migration of the services to more secure places (Cloudflare, ENS…)
  • sem - worked non-stop all week to secure the site and return the funds to everyone.
  • luigy - brought a lot of expertise to the table to deal with the problem.
  • mrtdlgc - dealt with the communications with the community.
  • DogeKing - conducted the initial research of the hack, dealt with communications and with people who didn’t receive the reimbursement the first time.
  • solarmkd - dealt with communications and helped people who didn’t receive the reimbursement the first time.

Token manager exploit:

  • sem - performed the changes in the contracts, redeployed them, and created the upgrade votes with EVMcrispr.
  • gabi - reviewed the changes, found the address that could upgrade the token manager.
  • will - reviewed the changes, executed the transaction to publish the new version in the APM.

Funding Information (For Funding Proposals)

Amount of HNY requested:
385 HNY (~$15,000 at current price)

Ethereum address where funds shall be transferred:
0x946fF42F745b2573c540fDAaE584e3DE48bE77C0

More detailed description of how funds will be handled and used:

We will run two Coordinape rounds to distribute the funds between the people who helped mitigate the issues.

  • $10,000 worth of HNY will be distributed among the people who contributed to solving the 1hive domain hijack.
  • $5,000 worth of HNY will be distributed among the people who contributed to solving the token manager exploit.

This is the type of funding proposal that 1Hive Harvest is meant for.

385 HNY would be ~25% of the Harvest pot if all 5 Harvest proposals go through, so it’s not an unreasonable amount this proposal could get, given how important it was. Would you consider holding this off until Harvest, for HNY that’s dedicated to Retroactive Funding?

To my understanding, 1Hive Harvest is a method to reward people and groups for their accomplishments, not for paying for their jobs. People have been paid regularly for doing their job well, and when the Harvest comes, based on their impact on the community, they receive an extra reward on top of what they got working.

We have not yet paid our contributors for their hard work on those two occasions. But, putting myself as an example, I do not mind doing pro-bono work for 1hive sometimes, although when I work for an entire week on a problem like the honeyswap domain hijack, I would expect some remuneration in HNY. I didn’t talk with the rest of the people involved in the rescue of honeyswap; I do not know what they think.

Harvest is more than just a bonus! It’s a better way to pay people for work because it happens after the fact when it’s more clear how valuable the work was, and gives the community more signaling power on amounts vs. flat rate binary yes/no proposals, and is streamed which both protects the price of $HNY and aligns everyone on 1Hive’s long term value.

Yes, people need to have a more reliable income stream while they work and be able to pay living expenses - which is why we do Basic Income at the Gardens swarm - but ideally those are funded through grants, revenue, or at the very least converted from $HNY to stables with Hedgey.

I realize this proposal is unusual since it’s funding work that a) was an emergency, and b) wasn’t handled by a swarm that has a budget, but we do have a small 1Hive stablecoin treasury of ~$15k now that might make sense for this too. As it stands, if 385 HNY were to be market sold for stables on Honeyswap, it would cause a 13% price slippage in the price of $HNY.

I think the best route for 1Hive would be a combination of funding sources - something like:

  • $7.5k in $HNY in this funding proposal, with any tokens the team doesn’t plan on holding as $HNY converted to xDAI using Hedgey (we’re converting 100% of HNY to xDAI in the Gardens swarm).
  • $5k in xDAI from the Treasury Swarm
  • Apply for Retroactive Funding in the next 1Hive Harvest.

I’d imagine this actually ends up being a good amount more money for the people in the proposal since the work was super valuable and likely to be rewarded well in Harvest.

I do not have any intention of selling HNY, and I don’t think lkngtn, gabi or will, who are the three other people who may receive more compensation for keeping 1hive secure, will sell either.

I think $15k is a very modest amount for all the work that was done in these two cases. I’d like to keep the proposal going in the Garden, and if people support it, I’d like to receive the HNY and distribute it using Coordinape as was already planned.

If people didn’t support it, it wouldn’t be a drama either.

OK, if no one is selling the HNY and there won’t be a Retroactive Funding proposal for it then all’s good. It’s easier to trust you guys since you’re seeds - I’m just trying to encourage good DAO habits.

The Coordinape distribution for the work done dealing with the honeyswap.org domain hijack is as follows (luigy opted out):

Coordinape Map

This is the EVMcrispr script used to distribute the funds:

set $solar 0xe54bee8258a2fe65095516f199034a08c02e35fe
set $doge 0xed0f0c4de6150b7e3262e537d9691fc750b2ba23
set $gabi 0x47e4c324bc5539be3dd8588ecc6ce31295b693e5
set $sem 0xf632ce27ea72dea30d30c1a9700b6b3bceaa05cf
set $mrtdlgc 0x14d92832265eeafdef9e526356fefc90105966c3
set $lkngtn 0x625236038836cecc532664915bd0399647e7826b

set $totalHNY 256e18
set $token.tokenlist https://tokens.honeyswap.org

exec @token(HNY) transfer(address,uint256) $solar ((32*$totalHNY)/300)
exec @token(HNY) transfer(address,uint256) $doge ((33*$totalHNY)/300)
exec @token(HNY) transfer(address,uint256) $gabi ((55*$totalHNY)/300)
exec @token(HNY) transfer(address,uint256) $sem ((93*$totalHNY)/300)
exec @token(HNY) transfer(address,uint256) $mrtdlgc ((17*$totalHNY)/300)
exec @token(HNY) transfer(address,uint256) $lkngtn ((70*$totalHNY)/300)

And these are the transactions generated:

The other 129 HNY for fixing the Token Manager vulnerability will be distributed separately.

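The script above computes every share as `(w * $totalHNY) / 300` with integer division, and the follow-up post reports that it was first run with the wrong sender address, so nothing was sent. The Python below is an added example (not from the thread, not part of EVMcrispr) that reproduces the script's arithmetic so the amounts can be reviewed before execution, reports the wei that floor division leaves behind, and checks that the intended sender holds enough HNY to cover the transfers. The recipient addresses and GIVE weights are copied from the posted script; the sender balances used in the demo are constructed values, not chain data.

```python
"""Pre-flight review of a weighted HNY distribution.

Added example, not part of the 1hive thread or of EVMcrispr. It mirrors
the arithmetic of the posted script (amount_i = w_i * total / 300 with
integer division) so the amounts can be checked before the script is run.
Recipient addresses and weights come from the posted script; the sender
balances in the demo at the bottom are constructed values, not chain data.
"""
from decimal import Decimal
from typing import Dict, List, Tuple

HNY_DECIMALS = 18
TOTAL_HNY_WEI = 256 * 10**HNY_DECIMALS  # $totalHNY = 256e18 in the script
DENOMINATOR = 300                        # the /300 in every transfer line

# Coordinape GIVE weights from the posted script, keyed by recipient address.
WEIGHTS: Dict[str, int] = {
    "0xe54bee8258a2fe65095516f199034a08c02e35fe": 32,  # $solar
    "0xed0f0c4de6150b7e3262e537d9691fc750b2ba23": 33,  # $doge
    "0x47e4c324bc5539be3dd8588ecc6ce31295b693e5": 55,  # $gabi
    "0xf632ce27ea72dea30d30c1a9700b6b3bceaa05cf": 93,  # $sem
    "0x14d92832265eeafdef9e526356fefc90105966c3": 17,  # $mrtdlgc
    "0x625236038836cecc532664915bd0399647e7826b": 70,  # $lkngtn
}


def split_amounts(total_wei: int, weights: Dict[str, int],
                  denominator: int) -> Tuple[Dict[str, int], int]:
    """Compute each share exactly as the script does, with floor division.

    Returns the per-recipient amounts in wei and the dust: the wei that
    integer division leaves unsent in the sender's balance.
    """
    if sum(weights.values()) != denominator:
        raise ValueError("GIVE weights must sum to the denominator")
    amounts = {addr: (w * total_wei) // denominator for addr, w in weights.items()}
    dust = total_wei - sum(amounts.values())
    return amounts, dust


def is_address(addr: str) -> bool:
    """Syntactic check only: 0x prefix plus 20 bytes of hex. No checksum check."""
    body = addr[2:]
    return (addr.startswith("0x") and len(body) == 40
            and all(c in "0123456789abcdefABCDEF" for c in body))


def preflight(amounts: Dict[str, int], sender_balance_wei: int) -> List[str]:
    """Return the problems that would make the transfers fail or misbehave.

    An empty list means the sender can cover every transfer and every
    recipient looks like an address. Running this against the account the
    script will actually execute from is the check the follow-up post says
    was skipped.
    """
    problems: List[str] = []
    needed = sum(amounts.values())
    if sender_balance_wei < needed:
        problems.append(f"sender holds {sender_balance_wei} wei, script needs {needed} wei")
    for addr, amt in amounts.items():
        if not is_address(addr):
            problems.append(f"malformed recipient address {addr!r}")
        if amt <= 0:
            problems.append(f"zero-value transfer to {addr}")
    return problems


def to_hny(wei: int) -> Decimal:
    """Human-readable amount for the review table (exact, no float rounding)."""
    return Decimal(wei) / Decimal(10**HNY_DECIMALS)


if __name__ == "__main__":
    amounts, dust = split_amounts(TOTAL_HNY_WEI, WEIGHTS, DENOMINATOR)
    for addr, amt in amounts.items():
        print(f"{addr}  {amt:>24d} wei  ({to_hny(amt)} HNY)")
    print(f"rounding dust left with sender: {dust} wei")
    # Constructed balance: the intended sender, holding the full 256 HNY.
    print("problems:", preflight(amounts, TOTAL_HNY_WEI) or "none")
    # Constructed balance: an account that holds no HNY at all.
    print("problems:", preflight(amounts, 0))
```

Running it shows that the six floor divisions leave 2 wei of the 256 HNY with the sender, which is harmless here but is the kind of thing to know before signing, and that an empty `preflight` result depends entirely on the balance of the account the script runs from.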

I’m sorry, I didn’t check the sender address properly and the rewards were not sent. Thanks @DogeKing for the heads up!

These are the transactions distributing the rewards: