PIP-59: Proposal for Returning 40.203 wETH to Bybit (After 10% Bounty Deduction)

ParaSwap has no involvement in any crime. If you truly believe in decentralization, then fairness should be absolute—users are either bad actors or good ones, and ParaSwap remains neutral.

Forcing this transaction to be reversed would make decentralization a joke in the eyes of the law, undermining the very principle of "code is law."

6 Likes

I support this wholeheartedly; probably, after this proposal gets to a vote and we are able to see a way forward, this is a good avenue to pursue and include in future developments as per the Miro upgrade.

On other comments I’ve seen from the community, I’d be tempted on this occasion, due to the source of the hack, to incline the balance towards cooperation and creating bridges between strong DeFi principles and flawed CeFi, proving to the whole space that we all participate in a responsible manner.

Under no circumstances do I advocate for return of funds without the requirements set previously which would protect the protocol and all contributors for any future issues, on top setting a framework or a limit for which any similar case can be pursued in the future, a minimum threshold that justifies contributors’ time, would also be desirable and of course valid proof from an industry certified party that such cases are valid at the expense of claimant and considering the hacker can’t be held accountable for his actions like in our case that would further result in recovery of such.

It’s a thin line, but for the health, visibility and morals of the protocol and the community at large I feel we should cooperate, even more so the hacker can’t be held accountable nor brought to justice which makes this a unique case, in all other potential claims the perpetrator is supposed to be held accountable or to return the funds in full abstracting services used across defi space so it would not apply to even consider such recoveries or past ones we’ve seen.

On another note, the faster we get this out of our home, the more we can focus on what is important and the next phase for PSP.

1 Like

Sorry for my ignorance.

As you mentioned in the comment above “Maybe we should start distributing fees (automatically) to PSP Stakers on a daily basis and permissionless manner.”

This is what I meant. Automatic, permissionless staking.

3 Likes

My inputs:

  1. Paraswap protocol should progress towards a decentralized & permissionless protocol. 100% agree with @enerow for the permissionless distribution

  2. If the protocol was permissionless I would be 100% with @enerow’s take: hard no to the refund. However the protocol is not there and there is this grey zone. In this zone, the current discussion is actually sound.

The return without anything back for the protocol is not acceptable.

I would suggest:

  1. to keep a 10% bonus white hat bounty for the PSP stakers - it’s the benchmark

  2. A percentage of the 90% left should be committed by Bybit to enhance the protocol for a period of time to be discussed. I’m thinking of a 12 months period staking. But with Miro’s upgrade, there might be some other opportunities

The consequence of this proposal could have broader implications for the crypto ecosystem hence we are glad to see this discussion unfold. The ethical debate remains unresolved, pitting DeFi principles against practical considerations, and the potential long-term consequences for ParaSwap’s reputation and operations are uncertain.

This is not the first hack and certainly won’t be the last one, hence having a formal policy on how to handle these matters for this and any future cases is an important decision to be made.

Finally, barring a formal legal analysis of the DAO’s obligations and the legal consequences of participating in this proposal, we feel obliged to vote Abstain on this proposal.

Hi everyone,
I really appreciate the discussion that is occurring so far on this thread for such an important matter. As a member of the Laita labs team, I will refrain from voicing my personal opinions to avoid moving the DAO’s discussion, but would like to remind everyone of a couple things to stay on topic:

  1. Revenue distribution is already underway, with 80% being used as staking incentives. This reward automation is already being developed by @WakeUpLabs ( PIP-55 Reward Mechanism Automation, WakeUp Labs Update Thread ). With this clarification out of the way, I’d suggest keeping future staking discussions on another separate proposal.
  2. The current epoch is ending in ~11 days, with a grace period afterwards where the final rewards could still be modified. Current discussions are proposing new amendments that would make this timeline fall short, which is why I would suggest the upcoming proposal to discuss something that can be proposed and debated in this time window, such as freezing the funds or returning.

As I am seeing many new faces, I remain open to answering any questions about the current DAO mechanisms, feel free to shoot a DM or ask on Discord and I’ll be happy to help!

4 Likes

This is just an insult to decentralization. How many people have been drained and had their funds swapped on paraswap and no one has done anything? Just because it’s a big player, should we ignore decentralization?

Bybit only puts pressure on small protocols; I don’t see any pressure on Thorchain, where most of the money from the hack has been laundered. If the fees generated by paraswap from the ‘hack’ are returned to Bybit then small, medium and large investors should also have to get the fees returned when they suffer a hack.

If this is not the case, then ‘decentralization’ makes no sense when only some matter and others do not.

3 Likes

What if we treated Bybit as just another individual? The debate around this decision would be settled, they are clearly abusing their position. The law should apply equally to everyone.

In the end, this isn’t just about profit; it’s about a loss that will have to be repaid, not just financially, but in trust and integrity across the entire ecosystem. Today, ParaSwap isn’t just about ParaSwap; it’s a symbol of what centralized entities can do to decentralized ones. Just because they’re the bigger fish, does that mean they get to bend the rules?

4 Likes

Good evening, it is not up to paraswap to support the failure of a platform, protocol or other.

1 Like

A governing body that has discretion over any funds cannot be placed in the same category as a “permissionless” entity. The only permissionless setup would be an immutable fee distribution mechanism that diverts fees to token holders or other dispersed entities.

Clawing back fees from a distributed network of token holders is practically impossible and therefore won’t be enforceable. Any staker who receives a portion of this revenue technically “profits” from the illicit swap, but enforcing paybacks for PSP stakers won’t fly, unless the staker is a large token holder who may be doxxed and can therefore be tracked.

But Paraswap’s fee distribution isn’t fully automated—a group manually distributes these fees 80/20 with the stakers and the DAO. Even once the Wakeup Labs setup is instituted, the DAO technically has the ability to pause or alter the fee mechanism. As long as fees are able to be adjusted or redirected in a discretionary manner, we cannot claim permissionlessness. Only if the distribution is immutably set in stone can we claim a permissionless process. Or if the fees are immediately routed to stakers could we argue that the distribution is permissionless. Hence, under the current state of things, we should return the 44.67 wETH.

The downside is upsetting token holders. Paying back fees would also make staking yield retroactively contestable—an issue that could destabilize incentive models. If stakers could at any time have their yield contested, people will likely unstake and sell the token.

So who can be held responsible?

If a DAO can return funds tied to an illicit actor, why stop at direct cases? What about:

  • MEV bots profiting from a hack? If an arbitrage bot extracted profit from a hacker’s swap, should it return the profits?
  • LPs who collected trading fees? If a hacker swapped through a Uniswap pool, should the LPs be forced to refund their fees?
  • Validators who earned gas fees? If a validator processed the hacker’s transactions, should they also return their rewards?

I guess the answer is more about clearly identifying who benefits from facilitating the illicit trade.

Therefore, the DAO and its liability is a different story than token holders’ liability. As soon as the DAO has control over funds that have been explicitly earned through facilitating illicit transactions, the responsibility is now on the DAO to determine what to do with those funds—in other words, the 20% DAO take rate is composed of funds that are directed entirely with permission by a clearly identifiable entity. Unlike automated dispersions to token holders, bots, or validators, the DAO is able to be isolated and targeted as an entity that should alleviate itself from tainted income. So under any scenario, the 20% DAO fee must be returned. But as mentioned above, if the 80% fee portion doesn’t automatically go to the stakers, then 100% of the fees are permissioned.

Another potential issue with a repayment would be the snowballing effect it would have on future and past fees earned. Every other transaction linked to illicit activity—directly or indirectly—could now be disputed. Therefore, a framework with clear boundaries should be determined prior to any repayments being made. This could be parsed by size and traceability, for example. If the illicit funds are clearly tracked onchain, so that you can point to a wallet being clearly related to an exploit, and if the size of the illicit trade is over $X, then there is the potential for recourse. In alternative cases, where a clear chain of exploited funds cannot be verified, and if the size of the trade is small, then the DAO is not obligated to pay back the victim.

While this framework is being decided, we are of the opinion that the DAO should set aside the 44.67 wETH and only send it to the ByBit team once a framework for these scenarios has been decided—and as soon as there is explicit verification that the proposal author is in fact the ByBit team through a proper KYC process.

As for fees:

  • Operational Burden: The DAO is not a free arbitrator; handling such claims requires governance overhead, legal review, and execution costs. We should ideally interact with legal counsel to conduct this process with ByBit. This will take time and capital. All the expenses from this process should come from the 44.67 wETH. Post-expense capital can then be returned to the ByBit team.
  • Economic Precedent: In traditional finance, recovering lost or misdirected funds is never free. Banks, payment processors, and centralized entities charge a fee for fund recovery.

Furthermore, we should consider discussing the merits of making the fee distribution immutable and automated. If this were the case, token holders would not have their yield seized.

6 Likes

I’m sharing this from my personal account because this reflects my personal perspective.

To be clear—I sympathize with the victims and would be open to supporting initiatives that genuinely help those affected. However, in this case, the DAO does not hold the hacked funds, and this request falls outside our responsibilities. As a decentralized open protocol, we are not in a position to cover losses resulting from CEX mistakes.

Moreover, there are several reasons why ParaSwap should not be expected to return these fees:

  • Paraswap was not responsible for the hack – The incident occurred at Bybit, and Paraswap merely functioned as intended, without involvement in or prior knowledge of the attack.

  • We are talking about fees, not the stolen funds – These were transaction fees for using the protocol.

  • This would set a problematic precedent – If Paraswap returns these fees, it could lead to similar demands in future incidents where a protocol is indirectly involved and, like others said, could damage DeFi’s autonomy.

  • There is no guarantee the funds would be used appropriately – Even if returned, there is no clear mechanism to ensure they reach the victims, nor when or how.

  • While 45 ETH is nothing in comparison to the total amount lost (just 0.0067%), it still represents a significant amount for our DAO.

7 Likes

First of all, I thank my friend @awstian for inviting me to participate in this community and in this conversation.

I have to be clear on this: I’m not a user of Paraswap or holder of the community token. Also, I’m a lawyer, but you should not consider this as legal advice, only as my personal opinion to help you make a better decision.

Having said that, I believe the following facts should be taken into account:

I. The funds corresponding to the fees are not the funds that were stolen from Bybit. From what I’ve read, these were generated by a token swap carried out by a user. These funds belong to and should be distributed to $PSP holders and whoever else is entitled to them.

II. Since Paraswap is a neutral and permissionless protocol, neither the DAO members, nor the $PSP token holders, nor the stakers had any way of knowing that the user behind the transaction was a criminal. Paraswap, as a DeFi protocol, is not bound by the obligations that CeFi platform providers must comply with, such as implementing KYC and AML processes. This does not mean that they cannot be sanctioned in the future, as happened with ThorChain.

III. If there are doubts about the legal implications and confusion among community members about whether it is ethical or moral to profit from illicit funds, I believe the DAO members should proceed as follows to make a quick decision that protects everyone:

  1. Hold a vote to freeze the funds until there is more clarity about the legality of the situation. Although I don’t think there are many legal implications, the vote would allow for the following decisions:

A. Not freeze the funds and distribute them.
B. Freeze the funds for an “X” period, until there is greater legal clarity on retaining and distributing the funds obtained from illicit money. This will also allow verification of whether Bybit makes similar requests to other involved parties and to observe the decisions they make regarding these requests. After the fixed period, the tokens can be distributed to the appropriate parties.

If the option is A, there is nothing more to discuss. The DAO has made its decision.
If the chosen option is B, it would lead to the next step.

  2. Having chosen option B, the following vote should be proposed:

A. Wait to see how other involved parties react and adopt a similar approach.
B. Hire legal counsel and gain more clarity on Paraswap’s responsibility for retaining the funds.

If the chosen option is A, then all that remains is to wait and then make a decision.
If the chosen option is B, you should evaluate the risks involved in retaining the funds. IMHO, the lawyers could say that you have to preserve the integrity of the ecosystem and carry with possible sanctions like Tornado.

  3. If, for any reason, the lawyers recommend returning the funds, the following decision should be made:

A. Do not return the funds and assume the risks. Code is Law.
B. Return the funds, not as a practice to be repeated in the future, but as a gesture of goodwill from the protocol and as a way to protect its users, safeguarding the integrity of the ecosystem.

If the chosen option is B, a new vote should be held to determine what percentage of the funds will be returned.

A quick and Solomonic solution to the issue would be to return 50% and keep the remaining 50%. However, based on what I’ve read in this discussion, something that should be put to a vote is whether this protocol is a neutral and permissionless tool ruled by code or a tool with morals and ethics ruled by humans behind the code.

For me, Paraswap is not guilty and has no obligation to return anything. It’s more a moral and ethics discussion.

5 Likes

As this discussion is likely going to span a long period of time, I believe we should move forward with a parallel proposal (as several members here suggested, and echoing part of @criptocounsel reply) to set aside those funds, effectively “freezing” them while the discussion evolves.

This would also serve as a “temp check” regarding the willingness of the DAO to discuss the matter further or proceed with the “semi-automated” distribution by the end of the current epoch. (i.e., if the proposal to “freeze” the funds fails, that signals the direction, without directly voting PIP-59).

1 Like

We support returning the 44.67 wETH to Bybit because we believe it’s the right thing to do, especially since these funds are tied to an illicit transaction. Returning the funds reflects our commitment to integrity and responsible governance.

That said, we also understand @AranaDigital ’s concerns about fairness for our stakers. Many stakers have trusted the system by actively participating and earning fee distributions, and it’s important that any actions we take don’t unfairly affect their rewards. We need to carefully address the risk that staking rewards, seen as a legitimate income, could be retroactively impacted.

Additionally, we feel it’s crucial to fully explore the legal implications of our decision. We need to clarify whether not returning these funds or keeping a portion of it might expose the DAO to future legal consequences or even litigation. A thorough legal review will help ensure that everyone understands the risks and liabilities of both returning and retaining the funds.

To move forward, we suggest giving additional consideration to the following areas:

1. Establish a Clear Framework:
Develop a Transparent Process for Handling Funds Tied to Illicit Activity. We propose establishing a clear and open process to identify and manage funds linked to illicit activity. This framework will clearly outline roles, responsibilities, and the steps required to ensure fairness for everyone, just as @AranaDigital mentioned. To cover the costs associated with setting up and maintaining this process, we could charge a fee. For example, a modest fee (say, 2-5% of the returned funds) could be allocated to cover the necessary administrative, legal, and operational expenses (if applicable).

2. Legal Review:
Hire a proper legal counsel to:

  • Understand potential legal liabilities for the DAO.
  • Determine if any entity could pursue legal action based on our decision.
  • Learn best practices from similar cases to protect all stakeholders.
    (Note that any legal review expenses should be covered from the 44.67 wETH.)

Hi @Bybit thanks for your response to our concerns and for your proof of the legitimacy of the Bybit forum user.

We have a few questions for you:

  1. Have you listed all the DEXs used by the hacker with the routes provided by ParaSwap in those tx? Did you make similar fee refund requests on those tx to those DEXs?
  2. Are there other aggregators, DEXs and other kind of protocols that hackers have used and generated fees where you have presented either to DAOs or teams to make similar fees refund requests?
  3. Can you provide more details, lists, links and responses to those protocols?

Thank you.

4 Likes

Let me start by saying that I think almost nobody feels indifference to the Bybit hack and don’t support or encourage such criminal activities. All support should be given to Bybit to recover as much of their funds as possible, where it is due.

ParaSwap is a permissionless service and did what it was supposed to do at the time. It delivered a service as expected. That is what users mostly expect from such services.
Code is law and law was obeyed as expected.

Imagine how disastrous it would have been if the Ethereum Foundation had given ear to the idea of a blockchain rollback. Similar pressure could still be on their shoulders. Just think for a moment about the implications and precedents for such actions. It is not much different.

The fact those funds came from criminal activity is more difficult for ParaSwap to know in a timely manner in order to prevent any operations to be done in advance.

What I believe should have been a legitimate proposal was for ParaSwap to blacklist and not trade with known wallets with those stolen funds. Not only ParaSwap but several other services. This avoids encouragement of such criminal activities.

In an analogy, we can use examples of previous bankrupted exchanges that disappeared with customers’ funds and, while they were healthy, used to sponsor major events to exhibit their brand. Should those marketing suppliers return those funds to creditors of these exchanges after the marketing services for the sponsorship were delivered?

As sorry as we can all feel for this case, I simply can’t see a reason these wETH should be returned in this case.

3 Likes

Since Bybit haven’t acknowledged those points, I would like to reiterate the importance of obtaining a formal legal release and indemnity from them, before proceeding with any return of funds.

Given that ParaSwap operates as a DAO with no formal legal structure, there is no clear precedent for handling such cases.

Without a release, the DAO, delegates and voters are exposed to significant legal uncertainties including:

  • The possibility of a DAO member raising a legal challenge against the return of funds.

  • Uncertainty regarding the hacker’s true identity, if this is indeed Lazarus or if another party could later emerge with a competing claim.

  • The risk that @Bybit itself could still pursue legal action against the DAO for inadvertently facilitating the swaps, even after the funds are returned.

  • A lack of clarity on whether the DAO is legally entitled to retain any portion of the fees generated from these transactions.

In the absence of a clear legal release from @Bybit I feel the DAO would be fully justified in choosing NOT to proceed with the return, as doing so without adequate legal protections could expose it to unnecessary risks.

I strongly encourage @Bybit to engage on this matter to ensure a responsible and secure resolution for all parties involved.

5 Likes

The central question would therefore be: do we want to remain a decentralized and trustless structure? I do.

1 Like

I understand the different points of view of the community and have to admit this isn’t an easy choice.

After thinking this through carefully, my vision is ParaSwap is a permissionless protocol; however, the ParaSwap DAO retains sovereignty over the Treasury funds.

  • The principle of ‘code is law’ still applies, but when a DAO includes a governance mechanism, its members become the rule-makers for its treasury. They bear the moral obligation to make decisions in the best interest of the DAO.
  • Personally, I think there’s a significant legal and reputational risk for the ParaSwap DAO if it retains funds tied to illicit activities, such as those involving the Lazarus group.

I really like the community’s idea of automating the system to redistribute fees to PSP stakers. This could address such cases by reducing the scope of governance. On a related note, if a specific framework—considering factors like fee size or other criteria—is desired, such events could be managed in the future with a Kleros Constitution for Paraswap DAO. Transactions violating the rules or framework could then be vetoed by Kleros, acting as a neutral third party. However, as mentioned by some community members, it is better to address this topic in a separate thread.

Regarding how the DAO should act in the short term, I support returning the funds to ByBit while retaining 10% as cost coverage for the governance process of the DAO and industry standard.

I also believe it’s important that Bybit include a formal legal release & indemnity to bring clarity and protect the interest of the DAO as explained by @citizen42.

I’d appreciate @Bybit’s input on these last two points to ensure the DAO process can proceed under the best possible conditions.

3 Likes

Let’s be clear: Crypto marketing is already challenging, and this situation severely impacts both ParaSwap’s reputation and PSP token’s credibility, eroding trust and creating significant uncertainty. Who will take responsibility for this? Have we fully considered the irreparable damage caused by Bybit’s self-serving proposal?

We must acknowledge that Bybit is receiving preferential treatment, not because it was hacked, but simply because it is Bybit. This is neither ethical nor fair. Would the same decision be made if this were an individual? No. This response is being driven by fear rather than principles.

In this case, the party responsible for the mistake should bear the greater responsibility, and that is Bybit. If they want their 44.67 ETH back, which was earned through a smart contract, then the truly Solomonic solution would be for them to recover it through another smart contract.

Proposed Solution

ParaSwap already offers an Earn program with an incredible APR. A fair approach would be:

  • Bybit can provide 80% of the stake → 178.68 ETH ($390,316.76) worth of PSP at the current price (double check here)
  • ParaSwap contributes 20% in ETH, equivalent to 44.67 ETH (the fees they are asking)

At the current APR, Bybit would recover their 44.67 ETH in approximately 8.4 months. (also can cover activity that we lose by this event)

This ensures fairness, protects decentralization principles, and holds the responsible party accountable.

However, due to the future financial impact caused by this dispute, loss of user trust, reduced capital inflows, and increased competition from alternative swaps, as well as the attempt to legally implicate an entity with no legal responsibility, it is crucial that compensation is considered.

This situation has already harmed ParaSwap’s reputation and business, and the ideal way to uphold decentralization principles while ensuring fairness would be a one-year commitment.

Proposed Commitment

  • With an annual yield of 35.64%, the PSP holdings would generate approximately 63.69 ETH ($139,191.42) over a full year. The excess should go to Paraswap.
  • This longer-term approach would demonstrate a true commitment, not just from ParaSwap but also from Bybit, toward fostering a “Crypto United” ecosystem.

Let’s hope this is the case, not just a self-serving maneuver wrapped in technicalities to protect their image in the crypto space without taking real, meaningful action.

And don’t ever act or think by fear, don’t act or speak out of fear, if this conversation took Bybit as an individual it would never have gone so far.


Let me remind you: this dispute is a poison, slowly seeping into the very foundations of this swap. Every moment it lingers, it corrodes trust, weakens the token, and drives away those who might have once believed in it. Tell me, who would stake their assets in a protocol drowning in uncertainty?

And should you choose to end this ordeal by bending the knee, by violating “code is law,” know this: it will not save ParaSwap. No, it will mark the beginning of something far worse.

This is bigger than personal ethics. Morality, in a decentralized world, must rise above the whims of the few. Is it just for a decentralized protocol to submit to the will of a centralized exchange that failed to uphold its own security?

No. This is how it begins. A single exception. A single compromise. And soon, the floodgates open. Centralized exchanges will see their path cleared, governments will craft “regulatory overseers” that dictate which transactions live and which die, which refunds are granted and which are denied. And when that day comes, decentralized governance will be nothing more than a hollow facade, a puppet show where the strings are pulled by those with the deepest pockets.

So, I ask you: will you stand by and let this precedent be set, or will you fight for what decentralization truly means?

2 Likes