GIP-85: Goldfinch Hack Response

Authors : Blake West

Summary :

On Dec. 2nd, anonymous hackers exploited a 5-year-old test Goldfinch contract, which resulted in a loss of $330k USDC. We propose to use $250k out of the remaining Bug Bounty budget to cover losses.

Context:

Before Goldfinch launched publicly, in Sept. 2020, we built and deployed test contracts to ensure everything worked. This was prior to audits or any public announcements of Goldfinch. One of those contracts was 0x0689aa2234d06Ac0d04cdac874331d287aFA4B43, which a small number of people tested by depositing, getting repayments, etc.

This contract contained a critical vulnerability that was fixed prior to public release. The full potential of the bug was not fully understood though and the old test contract was not patched.

In short, because the contract was empty and devoid of any real investors, the vulnerability enabled an attacker to take all the USDC in someone’s wallet for themselves by making a false loan repayment (which could be done via the victim’s address), and collecting the “interest” all for themselves. This effectively let the attacker take up to the amount that the test users had set as their USDC allowance for the contract. Note: Setting USDC allowance to the max available (effectively infinite money) was the default of the contract as was standard industry practice at the time 5 years ago, and still is for many DeFi protocols.

For example, if you had an allowance of 0, nothing was possible, but if you had an allowance of $1078 set, then if you received $2k USDC into the wallet, the attacker could take $1078 without you doing anything. Had there been substantial other investors, the false payment would have gone to all investors, and still been bad, but it would not have been economically very interesting for an attacker.

As soon as the attack came to light, we immediately diagnosed the problem, notified all parties who might theoretically be affected, and also effectively neutered the contract by upgrading it to the zero address to double ensure that no further damage could be done.

Motivation

In terms of what to do, because this was a legitimate technical bug on a Goldfinch contract (albeit a non-public contract) that the team asked a small group to use, I think we need to at a minimum maintain the technical integrity of the protocol and show we stand behind our contracts and our users. We had previously allocated $500k to a bug bounty program, of which around $100k had been used, leaving around $400k left. Had this bug been brought forth responsibly, we probably would have given it a reward of around $250k or maybe even the maximum of $500k. To balance this loss with ongoing needs of the protocol, we propose only using $250k. This would leave the protocol with a year of expenses already pre-paid (through the Annual Budget approved from August), plus with $250k still remaining.

Discussion:

We recognize this is a sizable portion of the treasury and the community has many costs right now, including supporting lenders with the prior borrowers. We need to balance all of these things, and a very important thing is maintaining the security and technical integrity of the protocol. The other costs (e.g., legal for loan recovery, community mods, market makers, etc.) have already been budgeted significant funds, and this is coming out of a separate pre-existing budget for security. So we believe it’s an appropriate allocation across the community’s overall priorities that we need to balance.

Specification & Requirements:

Specification

  • The DAO treasury sends $250k for reimbursement immediately to the community multisig, where it will be disbursed to victims.

Rationale

  • To maintain the technical integrity of the protocol and help the victims of the attack

Benefits

  • The Goldfinch protocol’s technical integrity is maintained and users are substantially compensated for the theft that occurred.

Drawbacks and Risks

  • The treasury has fewer funds to handle expenses in the future.

Voting :

  • YES vote: Reimburse $250k of the losses (about 75% of total damages) from the hack
  • NO vote: Do nothing

Resources :

1 Like
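The mechanism the proposal describes (a repayment pulled from a wallet’s USDC allowance by naming that wallet as the payer, with the “interest” paid out to whoever holds the pool’s shares) as an added Python simulation. This is a hypothetical model written for this page, not Goldfinch’s contract code; the `Token`, `Pool`, `exposure` and `simulate` names are assumptions. It also shows the hardening (the caller must be the payer) and a check a wallet owner can run to see what a given spender could pull at any moment.

```python
UNLIMITED = 2**256 - 1  # the "max allowance" default the proposal mentions

class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        cap = self.allowances.get((owner, spender), 0)
        if amount > cap or amount > self.balances.get(owner, 0):
            raise PermissionError("insufficient allowance or balance")
        if cap != UNLIMITED:  # an unlimited approval is never drawn down
            self.allowances[(owner, spender)] = cap - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Pool:
    """Pulls a repayment from `payer` and pays it out pro rata to share holders.
    require_self_pay=False models the pattern the proposal describes (any caller may
    name any payer); True is the hardening (only the payer can draw their allowance)."""
    NAME = "pool"

    def __init__(self, token, shares, require_self_pay):
        self.token, self.shares, self.require_self_pay = token, dict(shares), require_self_pay

    def pay(self, caller, payer, amount):
        if self.require_self_pay and caller != payer:
            raise PermissionError("only the payer may repay from their own wallet")
        total = sum(self.shares.values())
        for investor, units in self.shares.items():  # "interest" goes to share holders
            self.token.transfer_from(self.NAME, payer, investor, amount * units // total)

def exposure(token, owner, spender):
    """Defender's check: the most `spender` could pull from `owner` right now."""
    return min(token.balances.get(owner, 0), token.allowances.get((owner, spender), 0))

def simulate(require_self_pay):
    """Constructed scenario from the proposal: $2000 in the wallet, $1078 allowance,
    caller is the only share holder. Returns (victim, caller) balances afterwards."""
    token = Token({"victim": 2000, "caller": 0})
    token.approve("victim", Pool.NAME, 1078)
    pool = Pool(token, {"caller": 1}, require_self_pay)
    try:
        pool.pay(caller="caller", payer="victim", amount=exposure(token, "victim", Pool.NAME))
    except PermissionError:
        pass
    return token.balances["victim"], token.balances["caller"]
```

With an unlimited approval, `exposure` equals the wallet’s whole balance, which is why revoking or capping stale allowances to retired contracts is the practical mitigation for users.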

It’s an appropriate use of the remaining security budget and a reasonable response to a vulnerability in an early-stage contract. As noted in the GIP, this step helps uphold the protocol’s technical integrity, which is essential for preserving trust in Goldfinch.

I support this GIP.
// Yes.

1 Like

As far as I understand, the victim is from the Goldfinch team / Warbler (given it’s related to test contracts).

Investors have lost 80% of their money with Goldfinch, and except for the Stratos backer no one has received a substantial bailout. So when the team gets hacked because of their own negligence they ask for a USD250k bailout from the DAO?

I find it a real double standard that the team is asking for a 75%+ bailout on that, and I think any money available should be dedicated to lender reimbursement before going to the team and affiliates.

I would highly suggest framing the question as:
a) Use the USD250k to compensate lenders
b) Use the USD250k to compensate test contract victim
c) Do nothing

I find prioritizing the test contract victim over lenders VERY INAPPROPRIATE.

3 Likes

This comment is not true on multiple fronts.

  • First off, no one from the team was a victim of this attack and therefore no one from Warbler is receiving any of this money.

  • Investors have not lost 80% of their money with Goldfinch. All time repayments to the protocol stand at a little under 65% of total invested capital (meaning ~35% yet to be paid back), plus another $8.5M (~7.5% of all time invested) set to be paid back with quarterly disbursements starting next year (these were the deals just announced by the CRO last week). Plus the GFI liquidity mining rewards add another 5-25% depending on when someone sold it. All told, including GFI rewards, we’re in the neighborhood of 80-100%+ of total invested capital going back to investors. Of course that’s an average, and some people made money while others lost money. I’m not trying to defend the overall state of things as good by any means. I’m losing money like everyone else. But actual losses are far below 80%.

  • Along similar lines, even the Backers from these late pools who won’t get any principal back received ~50% of their money as interest, plus GFI rewards. All early pools, and even some later pools (like Fazz) repaid fully.

  • There has been very substantial help beyond the Stratos situation (which was $5M off of Warbler’s own balance sheet, btw). The protocol paid out $1M for the Tugende situation, and also paid out $1.15M to help with LendEast, plus is about to pay out another 450k GFI ($100k-ish) or so in new GFI this week, according to this proposal which just passed last week. This adds up to over $7M of aid for lenders.

So the $250k here from an existing budget to maintain technical integrity and help victims of the hack is ~3.5% of the total money that lenders have received as compensation for losses. Thus the implication that we haven’t prioritized lenders is simply not true. There is more than that though that the protocol needs to maintain. And at ~0.6% of the remaining Senior Pool amount, this money would be of negligible help to lenders anyway.

Plus I think this situation is simply different. In one case, lenders consciously invested a certain amount of money, and knew what the max loss was. This is something where people were doing test deposits to help the protocol test and then 5 years later had an (uncapped) amount of money simply taken from them by a hacker.

2 Likes

I support GIP-85. This bug came from an old Goldfinch test contract, and people were using it because the team asked them to. Covering the losses with funds already set aside for security feels like the right thing to do. The $250k amount is reasonable, helps the people who were affected, and still leaves enough in the treasury for other needs. Also, using funds set aside for security and bug bounties to pay back loans seems wrong, given these funds were earmarked specifically for this purpose.

1 Like

I think a public, live video conversation with both Mike & Blake, plus a Warbler Team advisor, needs to take place on the Goldfinch YouTube page. Community members need to see actual faces discussing what happened. This would give the community confidence to vote on this. Until that happens, I vote NO. Step it up boys…

I’d be interested to know the exact number of victims who incurred losses.

There is only one victim of the hack. This person was using test contracts before Goldfinch was publicly launched. So it was someone close or related to the team that took the risk to use unvetted contracts.

Victims that used the protocol and lost their principal as lenders are in the hundreds.

I don’t see how we can prioritize DAO funds to compensate one guy vs. hundreds, all the more since the exploit is related to when the protocol was not public.

2 Likes

It was an early user of Goldfinch. Not a current or former team member. They also have very significant holdings in the Senior Pool and as a Backer and are losing principal like everyone else.

We would do the same for any users who suffered a protocol level hack, and I’m sure if you were in this situation you would feel like the treasury should help defray your losses. This also isn’t covering the full amount. It’s covering about 75%. They are still losing $80k on the hack.

Should this money go back to lenders, it would be of negligible benefit (~0.6% of the remaining Senior Pool amount). I’ll also remind everyone that the treasury and Warbler have already given over $7M to lenders, and we are sending out more GFI this week. The amount we’ve set aside for legal fees alone is more than this hack compensation. We have absolutely prioritized lenders and we continue to do so as we hired and worked with the CRO who has brought in $8.5M of recovery with another $8M coming in quarterly installments, and hopefully more from the last borrowers. Prioritize does not mean “to the exclusion of all else” though. The protocol and community have multiple priorities, and helping hack victims, which is a totally separate situation from the lending situation, is a legitimate use of treasury funds.

I support this GIP. It feels fair to help the affected user using funds that were already set aside for security, and it’s the right thing to do to keep trust in the protocol.