BanklessDAO Incident Report - Governance Sybil Attack

Still not taking responsibility for your actions; and still going with the victim narrative.

Do you think this is a fun discussion for anyone in the DAO to have?

Did this come out of nowhere?

You literally attacked governance, slandered contributors using fake accounts and spread lies about multisig being hacked (are you aware what situation that puts the multisigners in?), tried to lie about it, then when it wasn’t possible anymore, you blamed it on the community, and took quotes from the BanklessDAO’s governing docs and twisted them to serve your purpose.

So many people in the DAO had issues with you before this. It’s repetitive and continuous.

Joe ain’t questioning your mental stability ffs, he is literally stating your actions and everyone who can read can see those are the facts. Whether you have mental issues or not, well heck everyone has some, is not what’s been discussed here. It’s your actions!!!

Where do they come from - from you not really getting it, or being malicious, or bc you do have some mental issues - we do not care!

2 Likes

Your L2 tag was temporarily suspended as a security measure, which I believe any organization of any sort would have done in this situation. It could easily be restored later if that is the will of the DAO. When this situation came to my attention temporarily pulling the L2 tag was my very first thought. For several weeks now I have started every morning by opening the Discord Audit Log and filtering by your username to see what damage you’ve done.

What bot have you screwed with:

Or deleted from the server:

What setting have you randomly changed:

What channel have you deleted:

Can one person decide this? Yes, probably. That’s reasonable for a system admin to do in a scenario like this. But that’s not what happened here.

6 Likes

I am unsure what is wrong with any of these changes @brianl , but it’s irrelevant.

You should then be able to tell us who modified the @bdaomultisig tag so that it was un-taggable.

As an addendum to my previous post:
Work done must be compensated, and as part of the freezing of BANK payments, the value should be converted to stablecoins and paid out in that form to settle the debt.

An offer, at market rate and also in USDC/ETH, to buy back the BANK she holds. We cannot nor should we force her to sell, but I believe we should proactively give an off-ramp for that BANK. She can choose to decline at her prerogative.

1 Like

Vote Options:

Based on the above discussion I’ve identified these options:

  1. Timeout in the DAO
  2. Temporary ban from the DAO (with a timeout)
  3. Permanent Ban from the DAO (without timeout)
  4. Do Nothing

If there are any others, please respond.
I will leave this on the forum for 1 day, then create a gated poll to L1 to be voted on for 7 days in the DAO.

Open to debate whether it should be L1 or L2 only.
Thoughts?


1. Timeout in the DAO

Temporary restrictions, but she can stay in the DAO.

This includes:

  • Removal of L2
    • L1 Is maintained as long as she qualifies.
  • Removal from Notion admin privileges.
  • Ineligible for DAO elected Roles and multisig involvement.

This will be rescinded AFTER the timeout period is done.

Suggested 1 Season (4 months).

2. Temporary Ban

This is essentially a more serious timeout that would be rescinded after the ban timeout expires.

This includes:

  • Temporarily banning her account and wallet from discord, with a timeout.
  • Temporarily banning her account from Discourse with a timeout.
  • Removal from Notion admin privileges.

Suggested 1 Season (4 months)

3. Permanent Ban

This is permanent expulsion.

This includes:

  • Permanently banning her account and wallet from the DAO.
  • Permanently banning her account from Discourse with a timeout.
  • Removal from Notion admin privileges.

4. Do nothing

Self explanatory.


High level, these are the only actions we can take as a DAO.
The others are the prerogative of their individual units.

2 Likes

I don’t disagree with the points raised or the possibilities for forward movement here.

I would however, like to point out that afaik the DAO still does not have an approved, consistent policy for:

  • offboarding (what to do with member’s permissions)
  • what constitutes a violation that necessitates offboarding (where is the line?)
  • and a written enforcement mechanism for said policies

I raised this issue in the past, as an issue of social conduct, in the #daoversity workstream that @RedCrystalDragon, @VallentinaC, @Humpty and I were active on in May 2022. The things above are necessary and have been missing from the bDAO constitution as a Code of Conduct; their absence has allowed negative behavior to continue and escalate unchecked until it becomes a crisis-level issue, when it could have been addressed earlier if people knew where the line was.

P.S. it appears red has been active in trying to revive the Code of conduct on the forums in the time since :clap::clap:

4 Likes

Thanks for taking the lead on this @Icedcool I agree with the options you have listed.

Since many people call for a 6 month or more “time-off” I’d like to suggest changing the scope of time out and temporary ban to 2 seasons.

2 Likes

I drafted a code of conduct, if you would like to review it: BanklessDAO Code of Conduct - Google Docs

Would love to see what was done and see what can be merged.

I’ve had a lot on my mind in regards to this.

This statement above spoke to me:

During the Coordinape attack, when whales admitted that he stole from the DAO.

Design Guild paid him out. This is no disrespect to @Reinis, and he put out a sensible point behind why he paid whales out. Even though whales made a major effort to hurt me, hurt the DAO, hurt Coordinape (an external project), @Reinis was right in the decision he made in paying whales out.

However, if you discipline projects due to sprinkles but didn’t discipline projects due to whales, that’s going to leave a mark. I encourage you to reconsider this aspect of your decisions.

2 Likes

This is really shocking. Thanks for sharing.

I feel sorry for all parties involved.

Mainly because there are a lot of flaws in DAO governance. And this case really opened the can of worms. Whereas previously we have used our human discretion and “good faith” to mull over all the differences.

I guess it’s time to upgrade our systems again.

3 Likes

I’ll create a secondary vote to collect those opinions.

Personally, 2 Seasons would be 8 months and that feels like a long time to me.

3 Likes

I second this. It is why I have stated that it seems like an emotional reckoning and not one based on written policy. Personally, I feel bDAO has existed long enough to have established more robust processes for this and similar instances. Especially as this is not the first time we are dealing with this type of behavior. I introduced several forms of doing this in the past with Colony, Moloch DAO, and other decentralized tools in the past, but it fell to deaf ears. I’d like to think that bDAO will now take its responsibility to its community more seriously and build better governance. But sadly, I expect nothing will come out of this too.

1 Like

We are responsible for our own initiatives in a DAO. If you want something to happen, why not spearhead the issue? There are lots of people interested, I’m sure you will find others who want to help.

I have. Please re-read, “I introduced several forms of doing this in the past with Colony, Moloch DAO, and other decentralized tools in the past, but it fell to deaf ears.” This was back around Season 3 of bDAO. I would happily collab on this again “But sadly, I expect nothing will come out of this too.”

There is a culture change needed. And reading many of the comments on this forum and on Discord the past few days, I am not sure how open we would be to taking on such a change. Though without it, I see it very difficult to grow beyond where we find ourselves today.

What do you mean by introduced? Did you test them in a project or guild? Are there test spaces that one can log into to see how it works? That would be awesome and engaging!

Again I say: people are interested in this now, so now is a great time to gain consensus. If you care about this then it’s an excellent time to get others to care as well. Why not start by sharing the lessons you learned while introducing these tools in S3?

But perhaps not long enough when it comes to the attacker’s mindset.

It took me a bit to wrap my head around what went down. IMHO, I’ve got much respect for @Sprinklesforwinners as a top-notch contributor in bDAO. She has done great work with the Project Management Guild, Treasury Department, and Grant Committee. I bet many people who’ve worked with her feel the same way. My first thought was like, “No way, not her!” 'Cause it’s clear she’s all about this community based on her past actions. However, I strongly disagree with how she tried to show off our system’s vulnerability. That being said, it’s crucial to remain objective when assessing this incident and determining appropriate consequences, considering both her previous contributions and the harm caused by this incident.

Rather than becoming sidetracked by minor disputes in the thread, I suggest we should get our community to focus on the big picture:

  1. Which principles have been violated?
  2. What was her intention, and was it positive or negative? It may also be necessary to consider her recent personal challenges with her family.
  3. What consequences or damages resulted from this incident? What sort of restitution or punishment, both financial and non-financial, needs to happen?
  4. How can we prevent similar incidents in the future?
  5. Verify the frustrations expressed by @Sprinklesforwinners. If found to be accurate, what solutions should be implemented?

In the end, let’s all just chill a bit and handle this thing together. The long-term well-being of bDAO will benefit if we can collaborate with all members, including @Sprinklesforwinners , to resolve the situation.

4 Likes

I’d love to see something along these lines with specifics for bDAO.

You’ll notice a big difference in our content moderation approach compared to other major social media platforms.

We’re not building another self-declared “neutral” platform. We believe that far too often, “neutrality” is used as an excuse to allow behaviors and content that’s designed to harass and harm those from communities that have always faced harassment and violence. Our content moderation plan is rooted in the goals and values expressed in our Mozilla Manifesto — human dignity, inclusion, security, individual expression and collaboration. We understand that individual expression is often seen, particularly in the US, as an absolute right to free speech at any cost. Even if that cost is harm to others. We do not subscribe to this view.

We want to be clear about this. We’re building an awesome sandbox for us all to play in, but it comes with rules governing how we engage with one another. You’re completely free to go elsewhere if you don’t like them.

If bDAO does not invest time and energy into specifying when protection from harm supersedes “free expression” then by default “free expression” rules, which I do not believe should be the highest value of any organization. The bDAO Code of Conduct was our attempt to codify where we believed the lines should be drawn. If no one has the willingness to work to define those then nothing will change.

As others have noted, this issue has arisen multiple times in the past (and will continue to do so!)

Lack of enthusiasm for a Bill of Rights for bDAO has meant that I have reduced my involvement as I do not align with the demonstrated beliefs of the DAO. I am not optimistic about it becoming reality either @Humpty.

2 Likes

Here are the final results of this vote.

You can see more details here:
LINK

For the duration the details are here:
LINK

Infosec has implemented the ban; we need to decide for how long, since it was a tie between forever and 1 year.

Follow up items:

  • The Governance Department is investigating sybil resistant tooling
  • Infosec is investigating security measures around roles, especially L2.
    • Expect a write up on this soon.
  • There are talks about updating the code of conduct.
    • If anyone wants to be involved with this, please also join in the governance department discussions.

As a final note on this, I regret that this has happened and that we have had to take a course of action around it. Although it is a good reminder that we can’t control what happens to the DAO, but we can control how we respond.

I think we have overall responded fairly well.
A lot of attention and discussion has developed around our governance and tooling, and this is the best result of this incident. Looking forward to the results from those discussions.

Hope you all have a great week.

3 Likes

On Discord, the poll is split evenly for temporary and permanent ban. Are the results posted here premature?