Coordinape Incident Report and next steps

Date: Jan 16, 2023
Author: links#7868
Editors: Rowan#3669, Trewkat#1933, Tertius#8423, MinaHasNoIdea#6706, jengajojo.ethšŸ“#5896

Summary

  • Former DAO-wide Coordinape Admin, Whales :whale::black_flag::ninja:t4:#7970, has admitted to impersonating 2 DAO members in coordinape: Tomahawk#3011 and Shaun/dancingpenguin.eth#2590
  • During this investigation, it was also discovered that many DAO members had transferred BANK to each other's wallets to meet the minimum 35K requirement for L1/L2 during signup (i.e. they were not holding 35K BANK)
  • It was also discovered that many DAO members are allocating GIVE based upon relationships and initiatives OUTSIDE of the DAO (i.e. they were not allocating based upon contribution to BanklessDAO)
  • Operations Department needs some DAO consensus to continue

Background

It was recently discovered that our DAO-wide coordinape admin, Whales :whale::black_flag::ninja:t4:#7970, had used his position to steal BANK from BanklessDAO. Whales admitted to impersonating two members of the DAO and allocating himself GIVE. During this investigation, it was also discovered that members were sending each other BANK to hit the L1 requirement to sign up for Coordinape, thus increasing their potential rewards while not holding L1 status. Members were also found to be giving each other GIVE not for contribution to BanklessDAO, but for personal and external business reasons.

The investigation team (infinitehomie.eth :black_flag::hammer_and_wrench::test_tube:#4930, Sprinklesforwinners#1125, links#7868, and LiviuC#7835) brought their findings to the Ops Department. Ops decided not to give a December contributor reward list to the Grants Committee, which means that December Coordinape rewards will NOT be paid out. Ops further decided (with DAO input) to pause the Coordinape workstream until it could be reworked to avoid the issues mentioned above.

There were some issues that Ops Department was not able to decide on its own, as there was consensus that these issues were beyond the Ops Department mandate:

  • Who should decide the consequences for Whales :whale::black_flag::ninja:t4:#7970?
  • What are the consequences for Whales :whale::black_flag::ninja:t4:#7970?
  • How much should the investigation team be compensated for their work?
  • How much should we fund to fix/replace Coordinape?

Proposal

Consequences

Whales :whale::black_flag::ninja:t4:#7970 admitted to using his role to steal BANK. He was removed from his position in the Ops Department. However, Ops Department doesn't feel it has the authority to unilaterally decide on DAO-wide consequences for this contributor.

POLL: Who should decide the consequences for contributors who are found stealing, or in breach of a position of trust?

Click here to vote in the Discord poll gated to L1 and above

POLL: What do you think the consequences to Whales should be? (Multi-select)

Click here to vote in the Discord poll gated to L1 and above

Investigation Retro Funding

The investigation team (infinitehomie.eth :black_flag::hammer_and_wrench::test_tube:#4930, Sprinklesforwinners#1125, links#7868, and LiviuC#7835) spent significant time (over 70 hours between them, with more to come) to acquire needed data from the blockchain and the coordinape team, pore over all of the transactions to analyze the data, interview contributors to get multiple perspectives, report findings, and gain consensus through forum proposals and sync meetings. How much should they be compensated for their efforts?

POLL: How much retro funding should the investigation team be granted to distribute amongst themselves?

  • Less than 100K BANK
  • 100K BANK
  • 150K BANK
  • 200K BANK
  • More than 200K BANK


Contributor Reward Workstream

DAO-wide Coordinape is paused until we can fix the issues with the process, or replace it with something else. How much funding should be dedicated to this effort?

POLL: How much funding should the Contributor Reward Workstream be granted to fix/replace Coordinape?

  • Less than 100K BANK
  • 100K BANK
  • 150K BANK
  • 200K BANK
  • More than 200K BANK


Final Thoughts

Although it's saddening to hear about a contributor taking advantage of the DAO, it's also heartening to see contributors step up to help solve this issue. Thieves won't stop BanklessDAO, only contributor apathy can do that.

Let's use this situation to become stronger, so BanklessDAO can help bring the Bankless message to the world.

Next Steps

  1. Gain consensus on these pressing issues
  2. Delegate consequences to the group(s) identified above
  3. Get our Contributor Rewards back to help us pursue our mission

Has a number been arrived at to assess just how much BANK was exploited? By Whales that is and not the gaming of the system.

Was any of it returned?

We did not disburse December coordinape, which had a smoking gun of Whales impersonating 2 BanklessDAO members. It also had some sketchy activity of members sharing BANK and giving GIVE for non-bDAO reasons. So no BANK was lost there (1.5M was up for grabs, ~60K for whales)

That being said, we did not find a smoking gun for previous coordinape rounds, mainly because we didn't have access to some of the data which would have helped. Whales used his own Tally account for coordinape signups, and hasn't given us access to it. I personally asked him if he did this in other coordinape rounds and who else he worked with, and he stated he worked alone and this was the only time he did something like this. I asked him if he would return the money he stole, and he said he didn't get any money since the December coordinape payments did not go out. Whether or not you believe him is up to you.

I know you're asking about Whales, but the gaming is just as much a concern. It's very difficult to assess how much BANK was exploited, because many members are doing things which are technically not against the rules, but against the spirit of the rewards program.


Derp, I should've thought of that. Of course the funds weren't distributed.

I'd like to share a bit of my rationale for how I responded to the above polls.

Forum Polls

I voted for 150k in the investigative retro funding, for the 4 contributors, for the following reasons. In Links' above comment, this intervention saved the DAO an immediate 60k BANK that we know about, with a reasonable probability of more being lost in future seasons plus other exploits. At 70 hours, x1000 BANK, we get 70k BANK. So total is at least 120k of value added to the dao.

100k is just too low, c'mon fam. I might even change it to 200k. 150k/4 is 37.5k BANK to each contributor.

For the second poll I voted for more than 200k. Coordinape has been 4.5 million BANK per season, 4.5/0.2 is just over 22 work streams funded. But less than 100k is the current most voted option!?

This might just be the most opinionated statement I've made since joining the DAO but seeing the state of both these polls at the lowest value options having the most votes... I'd almost want to scrap coordinape and use that "Less than 100k BANK" to fund Ela Dane's cNPS survey seasonal reports.

I missed more than half the Coordinape sign ups I've been around for so it wasn't the biggest deal to me really. These votes for compensating the investigative team and funding a new work stream are really telling.

Discord Polls

Moving on, the two polls in Discord about consequences for Whales, and others, I didn't vote because I didn't feel the options represented how I'd approach it.

I would vote "The DAO, on snapshot" but with the caveat that the vote should be based on a procedure in the constitution (which doesn't exist yet), but really my solution would be a mix of B, D & E. For similar situations as this I would think this should be the responsibility of Ops (maybe Om Buds?) that once an incident has been deemed to have occurred to then assign a contributor to fill out a template, like the bDIP template, and post it to the forums.

It would contain things like, evidence, damage report, funds lost, cost of repairs (including the cost of funding this report), etc. As well as a criteria for doing right by the DAO, a path to redemption (amount of BANK to return to the DAO, probation from L2 status and holding roles, etc.). Once that vote passes the forums, send it to Snapshot.

Very similar to the bDIP process. The path to redemption, except in the most extreme circumstances, should be required to make sure we're focusing on restorative justice rather than retributive.

This leads me to the second poll on Discord, What should the punishment for Whales be? I don't think a Discord ban is warranted. They aren't spamming, have already left the server anyway, aren't phishing, none of that, so the door should remain open if they did want to return and do right by the DAO; with the following requirements.

A & B, removal of L2 & block from holding roles should both happen. Indefinitely until repairs are made to the DAO. After repairs are made a probation period would start (1-2 seasons maybe?). Repairs would entail repaying the DAO the 60k they provably attempted to exploit, plus the amount awarded to the investigative team, plus an amount for the unknown amount they exploited previously (I would say this should be the amount of BANK Whales received total across all seasons from Coordinape due to a complete loss of trust, but it lacks evidence, so I'm still a little unsure on that point)

This is a bit of a wall of text so I'll stop here.


I agree with everything @AustinFoss said. My additional 2 cents is that there needs to be some sort of reputation slashing so that other projects / DAOs are aware of his unethical actions.
