Perhaps this discussion should serve as a trigger for exploring a fully decentralized revenue distribution mechanism.
Beyond preventing similar cases in the future, this would also align with the core principles of DeFi by minimizing trust assumptions and human intervention in fund management.
Code is law
Not paraswap mistake, we shouldnât pay the price for bybit mistake
and I agree we should also propose a change on fee distribution and automate the distribution daily.
Could we try aligning our position with Uniswap? They also appear to be similarly exposed.
I find this discussion to be very healthy and interesting, and I appreciate the level of thoughtfulness and engagement from everyone !
My 2 cts
I think it would be wise to freeze the funds for the time being. This will give us the opportunity to have this discussion calmly and thoroughly, without feeling pressured by a tight timeline.
Before any funds are sent, the identity of Bybit must absolutely be verified. At this point, we do not have sufficient proof that the proposer is truly representing Bybit.
I will probably be voting against this proposal.
Ultimately, Bybit is responsible for its own security and should have taken the necessary precautions to protect its assets. Itâs their investors who should bear the cost of their security failures, not us. ParaSwap and its community should not be expected to cover for their mistakes.
When we mentioned legal implications, we were referring to the potential legal consequences for delegates and token holders who vote to retain profits from an NK criminal organization. Each delegate must be aware of the legal implications in their jurisdiction or where their company is registered.
Code is law, but in Paraswapâs code, governance has the power to vote on this proposal and decide whether to keep funds originating from an organized crime group in a restricted country under multiple jurisdictions. Therefore, you cannot argue that âcode is lawâ to justify keeping these funds under your countryâs court if you had the ability to return them.
As some community members have mentioned, itâs worth decentralizing this aspect so the DAO doesnât have to make these decisions. In the meantime, a proposal describing a framework for handling these requests could be a good approach, forming a group to investigate them, with the part affected by the hack being required to fund the group in advance using their own resources.
I agree with your vision.
Was that a threat? WTFâŚ
Your argument suggests that delegates and token holders could face legal consequences for keeping the funds, yet there is no precedent of regulators enforcing such action against DAOs in similar cases. Coinbase kept the MEV fees from the Curve exploiter and faced no regulatory burden despite calls to return stolen funds. Why should Paraswap DAO be treated differently?
More importantly, why should a DAO be punished for a CeFi security failure? Bybitâs security was compromised, yet now the burden is shifting to a decentralized protocol that had no role in the incident. This sets an unsustainable precedent where DAOs are expected to compensate for CEX failures, effectively turning decentralized governance into a backstop for centralized risk.
If the concern is legal exposure, then the logical step is not an ad-hoc refund, but rather a structured, decentralized framework for handling such cases. I support the idea of requiring the affected party to fund an independent investigative process upfront, rather than placing the financial and governance burden on the DAO. That is the only way to ensure fairness and prevent DeFi from becoming an extension of CeFiâs risk management.
This is a case of choosing between morality and legality.
From a moral stand point, returning the said funds after deducting associated cost is the way to go especially when Paraswap DAO has benefited from similar recovery activities during the March 20th, 2023 Augustus V6 exploit.
From a legal stand point, Paraswap protocol acted autonomously as designed and provided a legitimate service which earned it the said funds. Moreover, a refund will create a precedent for future occurrence and might make the DAO liable if it chooses not to intervene in such events in the future.
Conclusively, I think Bybitâs request of full refund is not reasonable and selfish. They are asking the Paraswap DAO to incur direct loss as a result of the cost incured while processing the transaction and further costs associated with the proposed refund.
Instead, I suggest that the proposal be amended to 80% refund and 20% bounty for the DAO. However, we need to follow up with legal procedures that prevents similar intervention in the future.
Your points are valid as one side of the debate. However, as pointed out by @Argonaut:
if we refuse to return the funds, delegates and some token holdersâalong with @Laita (Paraswap Team)âcould face legal consequences. This is especially concerning since we lack clear rules both from a legal perspective and within the DAO itself. Itâs easy to say âcode is law,â but I donât want to put myself or others in a situation similar to that of the Tornado Cash developer.
Mentioning the Coinbase case is relevant, but how can we be certain that Coinbase wonât face legal charges in the future? Even if they donât, how do we know our case wonât be prosecuted? Bybit has sufficient resources to potentially take legal action.
We should note that the Curve exploiter returned the stolen funds, and that case is nearly settled. However, in our Case, the bad actor is from one of the most sanctioned countries and has already completed the money laundering process.
Ultimately, handling this situation is a trade-off between two options:
When it comes to fixing the system, simply creating a DAO framework may not be sufficient. We should focus on automating the system and minimizing governance interference as much as possible to reduce the DAOâs workload while maximizing neutrality. As mentioned by @Ignas here and other community members, the best and most neutral approach is through tokenomics.
If we can automate revenue distribution over shorter periods instead of the current full epoch, along with implementing other necessary changes, we can maintain the systemâs neutrality while preserving revenue and avoiding potential legal consequences.
Until then, given the lack of legal clarity and the absence of a clear framework for handling such situations within the DAO, it would be wiser to avoid unnecessary risks, learn from past mistakes, and focus on improving the system.
Bybit expects a full refund at no cost.
Based on Bybitâs announcement here, I believe we are entitled to a 10% bounty. The Bybit proposer should confirm this in the proposal and verify ownership of Bybitâs address to ensure the funds are properly returned to them.
We should take this discussion to the public and seek legal counsel. This isnât just about Paraswap, the entire DeFi ecosystem is at stake. Today, Paraswap represents a much larger fight: Will DAOs be forced to cover CeFiâs failures, or will we defend DeFiâs core principles?
Bybitâs case is setting a dangerous precedent where centralized entities can pressure DAOs into returning funds at their discretion. If we allow this now, what stops future cases from forcing similar interventions?
Instead of bending to pressure, we should:
This is bigger than one DAO,itâs about the future of decentralized governance.
A practical solution would be implementing a consent agreement stating that once a smart contract is signed, Paraswap is not liable for any actions taken by the user. This disclaimer should be presented upon accessing the platform, ensuring full transparency.
With expert legal counsel, we can draft clear terms and conditions that protect the protocol and its governance from future liability claims. If users interact with a smart contract under âcode is law,â they must accept the inherent risks, just as they do with any other DeFi protocol.
We have to be sure and not guessing about âcould face legal consequencesâ. But just return funds is too simplistic for our case.
We hear the DAO communityâs concerns and want to reassure you â this proposal is legitimate and comes directly from Bybit. Please refer to our X post.
Things evolve over time, as well the regulatory/laws landscape.
Iâm currently not advocating any course of action for now, Iâm just stating that the DAO should seek legal counsel on this matter and have (maybe not for this specific case), a proper framework on how to deal with situations like this.
Thank you @Bybit for confirming the validity of your post. With this clarification in place, it is now essential to ensure that the remaining key points are also fully addressed.
Without proper cost recovery acknowledgement and a legal release & indemnity, the DAO could be exposing itself to future legal and governance risks. These steps are not just procedural but fundamental in safeguarding the DAO from potential future liabilities.
To move forward responsibly, I encourage further alignment on these outstanding points so the DAO can proceed with confidence in structuring and preparing proposal for community vote.
I want to reiterate once again: under no circumstances should we rush to return the funds immediately, as this would cater to CEX interests at the expense of DeFi philosophy. However, the controversial origin of these funds cannot be ignored, given the significance of the hack for both the DeFi and CEX sectors.
I also want to emphasize the consequences of holding/receiving these funds in your wallets. Even a tiny fraction of these assets will impact the rest of your holdings, complicating matters or even leading to the blocking of your account on any CEX where you attempt to transfer them. Your previously flawless AML score could be compromised.
Therefore, these funds must be frozen in a separate wallet (we have to vote only for this), and a broad discussion should be initiated to align our position and next steps within the legal framework. Additionally, coordination with other key playersâsuch as Uniswap, which also appears to have been involved in the exchange of stolen fundsâshould be considered.
Unfortunately, any simple solution would be the wrong one.
I donât see where there is an issue or even a consequence of receiving those fund. Paraswap offers a services, itâs not money laundering, itâs just swap that are 100% traceable.
Itâs like you are saying that your local baker, who sold pancakes to a criminal, must return the money because the money was coming for criminal activities. That doesnât make sense.
And Iâm pretty 100% sure that paraswap DAO allready gain fees from hacked / illegal fund previously because well, there is no way to tell at the moment of the swap if the fund are illegal or not.
Once again, returning those fund would set a dangerous precedent and will open the door to every single one person who had their found stolen in the past that went through paraswap.
At the end of the day itâs just a moral issue, not a technical or legal one.
I agree though on the fact that we should wait to see Uniswap move and continue this discussion after that
This represents my point of view and not that of SeedGov. I like the examples, but I donât think itâs that easy to compare this to a bakery. On the other hand, I am not a lawyer, but it seems pointless to debate the morality of each person writing here. The most reasonable approach, in my view, is to hire a legal service (expenses on Bybit), freeze the assets, and proceed to do the right thing (rather than making guesses)
As mentioned, if we approve this, are we setting a precedent for DeFi? We have a moral and ethical obligation to protect this space from bad actors.
A DAO profiting from a hack presents bad optics. Returning the funds shows support for another industry player against a sanctioned state actor.
I agree that a legal expert should assess the situation. For now, I support returning most of the funds, minus a proportional fee, with a contract to avoid future legal issues.
This is a valuable lesson for Paraswap and DeFi in general. An automated fee distribution modelâsuch as buybacks, burns, or revenue sharing via stakingâcould have prevented this headache.
Edit: by ârevenue sharing via stakingâ I mean automated revenue sharing to stakers. From previous enerow comment I understood that those are manual right now.
We already have revenue sharing via staking ON