Firstly, I genuinely understand the frustration the affected user is going through. The amount lost is not small, and I truly hope he’s able to recover it through another opportunity down the line.
Back in 2023, I was working at Hashflow as a community manager. A white-hat hacker discovered a vulnerability in one of our smart contracts and began exploiting it, which resulted in nearly $600K in user losses. He eventually returned the funds to a multisig controlled by our core team, and we reimbursed affected users.
However, once the incident became public, malicious actors learned about the vulnerability and started targeting users who hadn’t revoked their token approvals. Despite repeated warnings and announcements across multiple channels urging users to revoke allowances, it unfortunately wasn’t enough, and some users still ended up losing funds. The worst part was that the core team couldn’t upgrade the contracts and patch the bug.
So what’s the point here?
- This type of incident wasn’t unique to ParaSwap; Hashflow experienced nearly the same scenario.
- Comparing the efforts of both teams in notifying users, ParaSwap went even further — from on-chain messages to NFT alerts and multiple public announcements.
- The ParaSwap team also set a clear reimbursement window, and it wasn’t short. Hashflow, by contrast, published an announcement and rejected any claims made after the vulnerability was publicly disclosed. Anyone affected by black-hat exploits after that point wasn’t eligible. In my view, Velora’s core team has shown considerably more responsibility than others in similar situations.
Link to the original message on the Hashflow Discord
Conclusion: I’m sincerely sorry for the loss and hope the user can recover in the future. But interacting with DeFi always carries inherent risk. And as you mentioned, for the long-term safety of the DAO treasury and to avoid setting a precedent, I’m afraid I cannot vote in favor of this request.
