PIP-75 - Fund request from a user claiming losses due to the March 2024 AugustusV6 vulnerability

Abstract

This proposal is submitted by the GTF with the purpose of establishing a clear precedent for any similar claims that may arise in the future.

In this post, a user alleges to have been affected by the Velora (formerly ParaSwap) AugustusV6 vulnerability from March 2024 and is requesting that the DAO refund 20,107.8 USDC allegedly drained from their wallet as a result of that incident.

The DAO is asked to decide whether to approve the request and transfer the requested funds, or to reject the request and transfer no funds.

The DAO’s decision will set a precedent for future requests like these:

  • If the proposal is approved, similar future requests may be submitted and will need to be evaluated individually.
  • If the proposal is rejected, similar future requests will not be considered, based on the precedent established here.

Goals & Review

Case Context

A user has made a fund request in the Velora forum, reporting being affected by the AugustusV6 contract vulnerability identified in March 2024. According to this user, after performing a legitimate swap using the platform, a residual approval linked to that exploit remained active.

On October 6th, 2025, this approval was leveraged by a third party to drain 20,107.8 USDC from his wallet (0x05808Cf9F8aAcFD6a2c2A879326593644F9a339e). The user asserts that the loss occurred without any negligence on his part and resulted directly from the protocol-level vulnerability.

Previous Steps Taken

After discovering the incident, the user contacted the Velora support team. He was informed that an on-chain message had been sent to the attacker without receiving a response, and that the PEP-07 - Grant Request From the ParaSwap Foundation Regarding March 20th Vulnerability, previously used to compensate similar cases arising from the same vulnerability, had already been depleted. See the post-mortem report here.

He was also told that requesting reimbursement now requires submitting a formal DAO proposal; however, the user does not hold the 100,000 VLR tokens required to initiate such a submission.

Request

Given the circumstances, the user is requesting that a community member with the required voting power submit a proposal on his behalf, enabling the DAO to evaluate reimbursing the funds lost, following the precedent established in earlier cases related to the same vulnerability. The GTF, in our role as DAO coordinators, will proceed to resubmit the proposal in order to comply with the requirements of PIP-57 - PIP Lifecycle Improvements.

Additional Context

The AugustusV6 vulnerability affecting Velora (formerly ParaSwap) was identified in March 2024 and promptly addressed: the system was paused, the issue was fixed, and the exposure window lasted roughly 48 hours. During that period, ParaSwap proactively notified affected users through multiple channels, including Twitter alerts (see here, here and here), NFT notifications to users, and coverage from ecosystem media outlets (see here and here as an example).

A white-hat hacker assisted in recovering a significant portion of the stolen funds. The remaining unrecovered amount, approximately $340,000, led to the PEP-07 proposal in April 2024, which the DAO approved with nearly 97% support to compensate impacted users through DAO funds. ParaSwap publicly communicated these actions (see here), and it was also covered by various media (see here and here). The process concluded with a claim procedure and a comprehensive post-mortem report.

Implications of the DAO’s Decision – Precedent for Potential Future Requests

The DAO’s decision will set a precedent for future requests of this nature:

  • If the proposal is approved, similar future fund requests may be submitted and will need to be evaluated on a case-by-case basis.
  • If the proposal is rejected, similar future requests will not be considered, based on the precedent established here.

Means

This proposal does not require any additional Velora, external product or development.

Implementation Overview

  • If the proposal is approved, the DAO will transfer 20,107.8 USDC to the claimant, who must first provide the wallet address where the funds should be sent.
  • If the proposal is rejected, no action will be taken by the DAO.

Time of Implementation

If the proposal is approved, the funds will be transferred immediately, within the time required to prepare the transaction (including, if necessary, performing a swap to secure the required USDC) and to obtain the necessary signatures from the DAO multisig signers.

Budget

The budget for this proposal is 20,107.8 USDC, which corresponds to the amount requested by the user. No additional costs will be incurred.

Risk Assessment

Arguments for voting in favor - Pros

  • The AugustusV6 vulnerability was real and publicly documented, and the user’s loss resulted directly from that protocol-level flaw.
  • There is a DAO precedent: in 2024 the DAO approved in PEP-07 a compensation program for users impacted by the same vulnerability.
  • The user acted in good faith and with no negligence; the loss occurred through normal use of the platform, strengthening the legitimacy of the claim.
  • Granting compensation in this case would represent an act of responsibility from Velora and the DAO, reinforcing the protocol’s core values of protecting its users and responding fairly when damage originates from a protocol vulnerability.

Arguments for voting against - Cons

  • ParaSwap/Velora acted quickly and transparently during the incident, issued multiple alerts on Twitter, sent NFT notifications to affected wallets, and the incident was widely covered by ecosystem media.
  • The PEP-07 compensation fund used in 2024 is now fully depleted.
  • The vulnerability exploit occurred over 18 months ago, and ParaSwap/Velora fully communicated both the incident and the claims process throughout that period.
  • The user, unfortunately, remained unaware of this widely shared information and only engaged with the affected approval much later, resulting in the loss.
  • Web3 provides decentralization, user empowerment, and true ownership, but it also requires users to be more informed, responsible, and proactive compared to TradFi. Staying reasonably informed is part of the responsibility of Web3 self-custody; it does not require constant monitoring, but basic awareness of major ecosystem events is expected.
  • The event cannot remain open indefinitely: approving compensation beyond the original window could establish a precedent and potentially generate open-ended liability for the DAO, affecting future governance decisions and introducing a significant financial risk for the DAO.
  • Refunding this case could create another dangerous precedent: malicious actors who approved the vulnerable contract in 2024 could intentionally “self-hack” today by performing a transaction now, move their own funds to another wallet by exploiting the vulnerability, and request refunds from the DAO.

No further discussion is necessary in this thread (although anyone is free to comment, of course), as the sole purpose of this post is to comply with the proposal requirements of PIP-57 in order to be able to put to a vote the discussion that took place in the original thread.

4 Likes

Firstly, I genuinely understand the frustration the affected user is going through. The amount lost is not small, and I truly hope he’s able to recover it through another opportunity down the line.

Back in 2023, I was working at Hashflow as a community manager. A white-hat hacker discovered a vulnerability in one of our smart contracts and began exploiting it, which resulted in nearly $600K in user losses. He eventually returned the funds to a multisig controlled by our core team, and we reimbursed affected users.

However, once the incident became public, malicious actors learned about the vulnerability and started targeting users who hadn’t revoked their token approvals. Despite repeated warnings and announcements across multiple channels urging users to revoke allowances, it unfortunately wasn’t enough, and some users still ended up losing funds. The worst part was that the core team couldn’t upgrade the contracts and patch the bug.

So what’s the point here?

  1. This type of incident wasn’t unique to ParaSwap; Hashflow experienced nearly the same scenario.

  2. Comparing the efforts of both teams in notifying users, ParaSwap went even further — from on-chain messages to NFT alerts and multiple public announcements.

  3. ParaSwap team also set a clear reimbursement window, and it wasn’t short. Hashflow, by contrast, published an announcement and rejected any claims made after the vulnerability was publicly disclosed. Anyone affected by black-hat exploits after that point wasn’t eligible. In my view, Velora’s core team has shown considerably more responsibility than others in similar situations.

Link to the original message on the Hashflow Discord

Conclusion: I’m sincerely sorry for the loss and hope the user can recover in the future. But interacting with DeFi always carries inherent risk. And as you mentioned, for the long-term safety of the DAO treasury and to avoid setting a precedent, I’m afraid I cannot vote in favor of this request.

I’ll be voting against this proposal, though I genuinely sympathize with the user’s situation.

The protocol acted responsibly at the time, with multiple alerts and notifications sent directly to affected wallets, media coverage, and a compensation window that received 97% support. That window existed for a reason, and 18 months is a long time to leave an approval unrevoked after such a well-publicized incident.

Beyond the individual case, I’m concerned about the precedent. Approving this creates open-ended liability for the DAO and, as the proposal itself notes, a potential attack vector where someone could self-exploit an old approval and request compensation.

I hope the user finds another path to recovery, but I don’t think reopening this is the right call for the DAO.

We will likewise vote against this proposal for the reasons that have already been mentioned. It is unfortunate that this happened, but the time window where this could’ve been addressed has passed and, arguably, provided more than ample time to submit such a request. As noted, it’s not like this wasn’t properly communicated from ParaSwap/Velora’s side. Again, it is unfortunate the user was not aware of this, but at the same time, one could also argue that there is personal responsibility to keep up with one’s investments.

@Sov @Avantgarde

Hello everyone, I am the user affected in this case, and I want to clarify an important part of my situation.

After the swap I made in March 2024, I was completely inactive: I didn’t trade, I didn’t interact with any contracts, and I wasn’t even following the crypto space.

When I returned in October 2025 and made the swap because I urgently needed the funds, my wallet was instantly drained through the old AugustusV6 approval.

Before this incident, I didn’t even know that on-chain messages could be sent to wallets. I had no idea that I should be checking for something like that during the time I was away. So I wasn’t ignoring anything, I simply had no knowledge that such warnings existed or that this kind of risk was possible. I didn’t know that a past interaction with a trusted platform could put my wallet at risk after I stopped using it.

I also want to add that I never saw any announcement about the vulnerability. I had no reason to follow social media announcements, because from a normal user’s perspective, once you use a trusted platform and complete your swap, you simply move on. Most users don’t keep monitoring a service’s announcements after using it, especially when they have no reason to suspect anything went wrong.

The funds I lost were my personal savings. I am facing financial difficulties in real life and returned to withdraw the money.

If necessary, I am fully willing to verify my identity or provide any additional information the DAO may require to confirm the legitimacy of my case.

I believe there should be a space for fairness when someone acts in good faith and loses everything because of a vulnerability that was not their fault and I hope the DAO can look at this case individually, based on its own circumstances and not as a generic precedent.

Thank you!

1 Like

Thanks for sharing your perspective again @justmagic and thanks @SEEDGov for making space for this proposal to reach snapshot.
I’m genuinely sorry for the loss you experienced, nobody wants to see a user hurt by something that ultimately traces back to a protocol-level vulnerability.

That said, I will also be voting against this proposal, for reasons already outlined by several delegates, some of which are:

  1. The protocol handled this incident transparently and in a timely manner with public alerts, direct NFT notifications, a claim window and DAO-approved reimbursements.
    That process was communicated, executed, and closed.

  2. We cannot reopen the window this long after the fact without creating an unlimited liability surface for the DAO. As painful as it is, governance must avoid a precedent where claims can be submitted 12+ months later based solely on a delayed interaction.

  3. Even though you were inactive and unaware of the broader ecosystem messaging, self-custody also requires periodically checking approvals, especially when returning to an old wallet after a long break.
    It’s not about blaming the user, it’s simply a core security practice in web3.

  4. If we extend refunds beyond the original claim cycle, we open the door to abuse (including intentional “self-draining”), something no DAO can sustainably absorb.

I do empathise deeply with your situation, and hope this experience becomes a reminder for many others as well:
revoking contract approvals should always be the first thing we do and check when returning to an inactive wallet or using DeFi, convenience < safety

But in the interest of Velora’s long-term health, governance integrity and the fairness of precedent across all users, I cannot support reopening compensation after the window has formally closed.

Wishing you strength, losing funds is always hard and I genuinely hope you recover from this setback.

1 Like

I respect the governance concerns you brought up, but I want to clarify something important regarding the precedent and “self-draining” risk you mentioned.

Evaluating this case individually does not mean opening an unlimited window for every future claim, nor does it imply that the DAO must automatically reimburse anyone. Every situation can be assessed on its own merits, especially when a user is willing to verify their identity and provide any documentation needed to prove the legitimacy of their case.

I didn’t know that an old interaction could be exploited later. If I had known, I would have absolutely checked and revoked it, but I simply did not have that understanding back then.

Ultimately, this loss was the result of a protocol-level vulnerability that existed on Velora’s side, not a mistake or malicious action on my part.

If the DAO cannot consider exceptional cases individually, then governance becomes rigid to the point of injustice, and good-faith users end up abandoned precisely in the scenarios where they needed the protocol’s protection the most.

This amount may not change anything for the DAO, but for me it changes everything.

I kindly ask you to reconsider your vote based on a fair assessment of my situation. I trusted the protocol, I acted in good faith, and I am fully willing to verify anything needed. I don’t believe someone like me should be placed in the same category as hypothetical self-draining attackers. I hope everyone can take a moment to imagine being in my position, with the same level of knowledge I had at that time, and consider what the genuinely fair decision would be, not a robotic one, but a human and reasonable judgment.

Thank you!

1 Like

A very tough decision.

A moral obligation vs my duty to protect the DAO as a delegate.

It is also a lose-lose situation and we need to choose the lesser evil.

So I am voting No on this proposal.

While I have sympathy for the user’s loss (truly), I believe approving this sets a dangerous precedent for the DAO.

  • Finality is necessary: The exploit happened over 18 months ago. The DAO already ran a compensation program and successfully closed it. We cannot leave the treasury open to liability indefinitely.

  • Security risks: As mentioned in the proposal, refunding this now creates a loophole where someone could intentionally trigger an old approval today just to claim a refund from the DAO. We can’t verify if a hack is genuine this long after the fact.

  • User responsibility: DeFi requires active monitoring. It is unfortunate the user missed the notifications, but it is not reasonable for the DAO to cover losses for users who haven’t checked their approvals in over a year.

We need to respect the deadlines established in the previous governance votes.

1 Like

The situation is very clear. My boyfriend lost all of his remaining money after using Velora. If he had not used your platform, he would not be in the position of having lost all the funds he had left.

I ask everyone involved to reflect honestly and put themselves in our situation. Please consider whether it would feel acceptable to lose all your savings under these circumstances. I respectfully ask you to vote in a way that reflects what is right, so that my boyfriend can recover his funds. For us, this amount means everything, even if for the DAO it may seem insignificant.

It is not fair to treat my boyfriend’s case as if approving his refund would automatically result in abuse or attract malicious actors. This is a real and verifiable case. Both my boyfriend and I are fully willing to verify our identities and provide any necessary information to demonstrate that this loss is genuine and that the funds are essential to us.

We have been patient and have waited for this situation to be resolved. We sincerely hope it can be addressed fairly and responsibly within the DAO process.

1 Like

Sorry for the ping @Citizen42 @Ignas @Sov, but I would like to briefly bring one additional point into consideration.

I want to clarify one important point that keeps being framed as “user responsibility”.

This loss was the result of a protocol-level vulnerability that existed on Velora’s side.

I am being told that I should have checked and revoked the old approval. I did not know about token approvals, how they work, or that I was supposed to actively look for them and revoke them later to protect my funds. I had no understanding that a past interaction could leave an open permission that someone could exploit in the future. I had no reason to believe that using a reputable platform could expose me in the future for past swaps.

If the protocol had been secure, this exploit would not have been possible in the first place. Instead, the responsibility is now shifted entirely onto the user, retroactively, by arguing that I should have understood how approvals work, how long they persist, how to revoke them and how they can be abused.

I did not use suspicious platforms. I used Velora’s official platform, which had a strong reputation for being safe and trustworthy.

If the “user responsibility” argument is applied this way, where does it stop?
Even if I had revoked the approval, and the funds had been stolen before I managed to do so, the argument could still be made that I should have read and understood the code, audited the smart contract myself and detected the bug in advance before interacting with it. That is not a realistic expectation for normal users.

Expecting every user to understand how smart contracts work, approval mechanics, and potential future exploits effectively shifts all responsibility away from the protocol and makes user protection meaningless.

This was not a case of carelessness. It was a case where a trusted platform had a vulnerability, and a regular user paid the full price for it.

1 Like

Thank you for continuing to engage with us and explaining your perspective in more detail.

I want to respond carefully, because this is clearly an emotional situation and I do not question the hardship and emotional rollercoaster you are going through.

That said, I think it’s important to clearly distinguish what the DAO is responsible for versus what cannot reasonably fall on the protocol or its governance, even in exceptional cases.

First, to clarify once again a few key points:

The AugustusV6 vulnerability was a protocol-level issue, true, and that is precisely why Velora paused the system, fixed the issue, communicated broadly, recovered funds (where possible) and, most importantly, ran a DAO-approved compensation program with a scope and time window.

What happened later, in your case, was not an active protocol exploit but the use of an old approval that remained valid long after the incident had been mitigated and communicated.
At that point, the risk no longer originated from the protocol’s ongoing behavior but from residual permissions that are a known and permanent property of ERC-20 approvals across DeFi.

This distinction matters for governance.

On the argument that “there is limited knowledge” should somehow warrant an exception, I’ll say that DeFi, by design, operates under self-custody and users themselves have responsibility over their actions and risk appetite.
This is not unique to us; it is the same reason why every major centralized exchange, where funds most often originate, explicitly warns users that funds can be lost and that protections are limited. A lack of awareness about approvals, while understandable, cannot become a retroactive basis for compensation; otherwise governance would have no objective boundary to operate within.

If the DAO were to adopt “the user didn’t know” as a criterion, it would effectively require the protocol to insure all past interactions indefinitely, something no decentralized system can sustain without collapsing its treasury or governance legitimacy.

This is not about expecting users to audit code or predict exploits. It is simply about recognising a few basic concepts like:

  • approvals persist unless revoked,
  • returning to an inactive wallet carries risk,
  • and that finality is essential once a remediation and compensation process has concluded.

I also want to be very clear:

This vote is not a moral judgment on your intent, your honesty or your personal situation. Multiple delegates, myself included, have expressed genuine sympathy. But governance decisions must protect fairness for all users, including those who followed the original claim process and deadlines.

Approving this request now would not be a “human exception”, it would redefine the DAO’s liability model retroactively with consequences far beyond this single case.

For those reasons, and with respect and sympathy, my position remains unchanged.

I truly hope this experience serves as a painful but valuable lesson that helps prevent future losses not just for you, but for others reading this thread.

DeFi can be unforgiving, and this reality is exactly why strong boundaries in governance are necessary, even when they are difficult.

2 Likes
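The two points the delegates keep returning to, that ERC-20 approvals persist until the owner revokes them and that checking approvals should be the first thing done when returning to an inactive wallet, are concrete enough to be scripted. The following is an added example written for this thread; it is not Velora/ParaSwap code and does not describe the AugustusV6 bug itself. It discovers every spender a wallet has ever approved from on-chain Approval events, reads each live allowance, and prepares the approve(spender, 0) transaction that revokes it. The selectors and event topic are the standard ERC-20 ones; the owner address is the wallet named in the proposal, while the token and spender addresses and the RPC transport are constructed stand-ins so the script runs offline.

```python
"""Find, check and prepare revocation of stale ERC-20 approvals on a wallet.

Added example for this thread; not Velora/ParaSwap code and no real contract
addresses. It builds raw JSON-RPC requests itself (pure Python, no web3.py) so
it runs offline against a stub transport; swap `rpc` for a real one (e.g.
requests.post to an Ethereum node) to run it against a live chain.
"""
from typing import Callable

# Standard ERC-20 identifiers: first 4 bytes (selectors) or all 32 bytes (event
# topic) of keccak256 over the canonical signature.
SEL_ALLOWANCE = "dd62ed3e"  # allowance(address,address)
SEL_APPROVE = "095ea7b3"    # approve(address,uint256)
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"  # Approval(address,address,uint256)
MAX_UINT256 = 2**256 - 1    # the "infinite approval" value many dApps request


def addr_word(addr: str) -> str:
    """Left-pad a 20-byte address to a 32-byte ABI word (hex, no 0x)."""
    a = addr.lower().removeprefix("0x")
    if len(a) != 40:
        raise ValueError(f"bad address: {addr}")
    int(a, 16)  # rejects non-hex input
    return a.rjust(64, "0")


def word_to_addr(word: str) -> str:
    """Inverse of addr_word, for indexed address topics and ABI words."""
    return "0x" + word.removeprefix("0x")[-40:]


def uint_word(n: int) -> str:
    if not 0 <= n <= MAX_UINT256:
        raise ValueError("uint256 out of range")
    return f"{n:064x}"


def decode_uint(hexdata: str) -> int:
    """Decode a one-word eth_call result; an empty return (no code at the address) counts as 0."""
    h = hexdata.removeprefix("0x")
    if h == "":
        return 0
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte word")
    return int(h, 16)


def approval_log_filter(owner: str, from_block: str = "0x0") -> dict:
    """eth_getLogs request for every Approval event `owner` ever emitted, on any token."""
    return {"jsonrpc": "2.0", "id": 0, "method": "eth_getLogs",
            "params": [{"fromBlock": from_block, "toBlock": "latest",
                        "topics": [APPROVAL_TOPIC, "0x" + addr_word(owner)]}]}


def spenders_from_logs(logs: list) -> list:
    """Unique (token, spender) pairs in first-seen order; the emitting contract is the token."""
    seen = {}
    for log in logs:
        seen[(log["address"].lower(), word_to_addr(log["topics"][2]))] = None
    return list(seen)


def allowance_calldata(owner: str, spender: str) -> str:
    return "0x" + SEL_ALLOWANCE + addr_word(owner) + addr_word(spender)


def revoke_calldata(spender: str) -> str:
    """approve(spender, 0): the transaction the owner signs to revoke."""
    return "0x" + SEL_APPROVE + addr_word(spender) + uint_word(0)


def eth_call(token: str, data: str, req_id: int) -> dict:
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": token, "data": data}, "latest"]}


def audit(owner: str, rpc: Callable[[dict], object]) -> list:
    """Every spender still holding a non-zero allowance, each with a ready-to-sign revoke tx."""
    findings = []
    pairs = spenders_from_logs(rpc(approval_log_filter(owner)))
    for i, (token, spender) in enumerate(pairs, 1):
        amount = decode_uint(rpc(eth_call(token, allowance_calldata(owner, spender), i)))
        if amount:  # zero means already revoked or fully spent; nothing to do
            findings.append({"token": token, "spender": spender, "allowance": amount,
                             "unlimited": amount == MAX_UINT256,
                             "revoke_tx": {"from": owner, "to": token, "data": revoke_calldata(spender)}})
    return findings


# --- Constructed sample standing in for a node. The owner is the wallet named in
# the proposal; token and spender addresses are placeholders, not real contracts.
OWNER = "0x05808Cf9F8aAcFD6a2c2A879326593644F9a339e"
TOKEN = "0x" + "11" * 20
STALE_SPENDER = "0x" + "22" * 20  # approved long ago, allowance never revoked
CLEAN_SPENDER = "0x" + "33" * 20  # approval later set back to zero

STUB_LOGS = [  # Approval(owner, spender, value): topics[1] = owner, topics[2] = spender
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, "0x" + addr_word(OWNER), "0x" + addr_word(STALE_SPENDER)]},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, "0x" + addr_word(OWNER), "0x" + addr_word(CLEAN_SPENDER)]},
    {"address": TOKEN, "topics": [APPROVAL_TOPIC, "0x" + addr_word(OWNER), "0x" + addr_word(STALE_SPENDER)]},
]
STUB_ALLOWANCES = {(TOKEN, STALE_SPENDER): MAX_UINT256, (TOKEN, CLEAN_SPENDER): 0}


def stub_rpc(req: dict):
    """Answers the two methods `audit` uses from the constructed state above."""
    if req["method"] == "eth_getLogs":
        return STUB_LOGS
    call = req["params"][0]
    data = call["data"]  # 0x | 4-byte selector | owner word | spender word
    assert data[2:10] == SEL_ALLOWANCE
    spender = word_to_addr(data[74:138])
    return "0x" + uint_word(STUB_ALLOWANCES.get((call["to"].lower(), spender), 0))


if __name__ == "__main__":
    for f in audit(OWNER, stub_rpc):
        kind = "UNLIMITED" if f["unlimited"] else str(f["allowance"])
        print(f"{f['token']} -> {f['spender']}: allowance {kind}; revoke calldata {f['revoke_tx']['data']}")
```

Against a live node, `rpc` is a function that POSTs the request dict and returns the `result` field; public endpoints usually cap `eth_getLogs` ranges, so the filter may need to be issued in block-range chunks. The returned `revoke_tx` still has to be signed and broadcast by the owner, and a revoked allowance can be re-granted by any later swap, so the audit is worth repeating after each new interaction rather than once.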

We want to start by acknowledging the human side of this case. If a similar loss had happened to us, we would likely feel the same frustration, confusion, and sense of unfairness. Losing personal funds long after believing a transaction was safely completed is deeply unsettling, and we genuinely empathize with the user’s situation.

At the same time, it is important to recognize that the DAO and the protocol did not remain passive in response to the AugustusV6 vulnerability. The issue was publicly disclosed, mitigated, and communicated through multiple channels, including direct onchain notifications, social announcements, and ecosystem media coverage. A white-hat recovery effort significantly reduced the total losses, and the remaining amount led to a DAO-approved compensation program under PEP-07. That process was clearly defined, widely communicated, and formally concluded following a post-mortem.

Our hesitation comes from the long-term implications of reopening compensation after that process has closed. While this case appears genuine, governance decisions must be robust to situations where intent can no longer be verified and where exceptions, once granted, are difficult to contain. Creating a special case at this stage risks weakening the finality of prior DAO decisions and exposing the treasury to ongoing and unpredictable liability.

We do not take this decision lightly, and our vote should not be interpreted as a lack of empathy or concern for the user. Rather, it reflects the responsibility of governance to balance individual hardship with the need to protect the DAO, its precedent, and its ability to make durable decisions over time. For these reasons, we will be voting against this proposal.

It is good to see this topic brought to a formal vote, as it helps ensure process clarity and transparency. Thanks to Seed for pushing this forward.

As mentioned previously in the original discussion thread, my vote will also be No.

Crypto gives users a high degree of agency and autonomy, but that autonomy comes with an inherent increase in responsibility. Self-sovereignty means that users retain full control over their assets and permissions, and, as a result, the consequences of our actions carry greater weight. This includes understanding what approvals we grant, how long they remain active, and how to protect ourselves over time.

In this specific case, while the AugustusV6 vulnerability was real and clearly documented, the incident was handled in a timely and transparent manner by ParaSwap/Velora. The protocol was paused, the issue was fixed, affected users were proactively notified through multiple channels, and a formal compensation process (PEP-07) was established, approved by the DAO, and executed. That process had a defined scope, timeline, and budget, which has since been fully exhausted.

Reopening compensation well beyond the original window introduces meaningful governance and financial risks. It would effectively create an open-ended liability for the DAO and establish a precedent that similar claims could be brought indefinitely, even long after incidents have been disclosed, remediated, and communicated. This would weaken the finality of prior governance decisions and complicate future incident response.

While the user’s loss is unfortunate, and there is no suggestion of bad faith, the broader Web3 model requires users to maintain a baseline level of awareness of major protocol incidents and to actively manage residual approvals. This does not imply constant monitoring, but it does reflect a fundamental aspect of self-custody that differs materially from traditional financial systems.

For these reasons, and with the long-term governance implications in mind, I believe rejecting this request is the correct decision, even acknowledging the legitimacy of the underlying vulnerability and the user’s experience.

I will be voting against.

First, I want to acknowledge the situation and express genuine empathy for the losses experienced. Events like the AugustusV6 incident were difficult for the entire ecosystem, and it’s understandable that affected users continue to seek closure and support.

That said, it’s also important to recognize that multiple reimbursement initiatives and remediation efforts were already implemented at the time to address these losses. Revisiting individual compensation requests now introduces significant governance risk.

Approving this reimbursement would set a precedent that effectively leaves the DAO open to unlimited and retroactive claims, without clear boundaries in time or scope. This creates long-term uncertainty and exposes the protocol to potential abuse, which ultimately harms the sustainability and credibility of Velora’s governance.

For these reasons, while I deeply respect the individual situation, I believe the DAO should uphold the previously defined frameworks and timelines, and I will be voting against the proposal.

I do not believe this situation represents a “reopening” of the original compensation program. At the time of PEP-07, compensation was provided to users who had already been affected up to that moment. Naturally, it could not account for future exploits of residual approvals, because those had not yet occurred and the future impact was unknown at that time.

What is being discussed now is not reopening an old window, but assessing one specific case that materialized later, involving the same vulnerability, the same root cause, and a single affected user who came forward in good faith.

It is important to look at this in practical terms. The number of wallets that were ever exposed to this vulnerability is limited and has been steadily decreasing over time. Many users have since revoked approvals, moved funds, changed wallets, become inactive, lost access to their private keys, or simply no longer hold meaningful balances. Others may never come forward because the amounts involved are too small, or because they don’t know. As time passes, this pool only continues to shrink.

The fact that, after such a long period, only my case has been brought forward strongly suggests that this is not an open-ended or unmanageable situation for the DAO. It is entirely possible that I am among the last, if not the very last, user to come forward with such a claim. In this context, rejecting my case out of concern that many others will come forward seems disconnected from the actual reality on the ground.

From the DAO’s perspective, the amount requested is relatively small in the context of the broader crypto ecosystem. From my perspective, it represents everything I had. The asymmetry here is significant and worth acknowledging.

I fully understand the need for governance boundaries and finality. But I believe it is reasonable to distinguish between reopening a compensation program indefinitely and addressing a single, verifiable case tied to a known protocol-level vulnerability.

1 Like

Good evening, please watch this video about the situation with the boy who lost the 20,000 dollars on VELORA - https://youtube.com/shorts/aCyet1xtdRw

Given the minimum 7-day debate period for this proposal has been met, we communicate that, in accordance with the PIP Lifecycle approved by PIP-57, we are ending the debate stage and initiating the 2-day frozen period. After this period we will submit the proposal to snapshot.

Thank you all!

2 Likes

The Snapshot voting is live!

Cast your vote! → Snapshot voting

1 Like

Thanks for bringing this forward, we’ve taken a while to digest and contemplate our opinion here; we genuinely empathize with the frustration and hardship involved when users experience losses. That said, we are not in support of PIP-75 at this time.

The AugustusV6 issue was, we believe, adequately publicly disclosed, actively mitigated, and communicated through multiple channels. A significant white-hat recovery effort was undertaken, and the DAO previously approved a compensation process under PEP-07 that was formally concluded following a post-mortem of the incident. Reopening compensation now risks undermining the finality of that prior governance decision and sets a difficult precedent where exceptions could create ongoing and unpredictable liability for the treasury.

Our focus should remain on protecting the long-term health and stability of the protocol and respecting the outcomes of clearly defined DAO processes. We recognize the genuine nature of the situation, but for these reasons will be voting against the proposal.