Refund Request: Funds stolen due to AugustusV6 vulnerability (October 2025)

Hello everyone,

I want to share my story so that the community understands what really happened and why I’m requesting support.

Back on 19 March 2024, I made a swap directly through the official Velora (formerly ParaSwap) platform. Everything was legitimate and done correctly.
However, the AugustusV6 vulnerability that existed on Velora’s side at that time left my wallet approval exposed.

Fast forward to October 6, 2025, a hacker exploited that old approval and drained my wallet, stealing 20,107.8 USDC from this address:
0x05808Cf9F8aAcFD6a2c2A879326593644F9a339e

I did nothing wrong. I simply used the platform as any normal user would. The vulnerability was on ParaSwap’s side.

After discovering the theft, I contacted Velora support on Discord.

Velora sent an on-chain message to the hacker’s address, asking them to return the stolen funds, but there was no reaction or response from the attacker.
You can see that transaction here: https://etherscan.io/idm?addresses=0xe85ad0622a3c5991d1e9b141870a5c23a3d097f9,0xcc3a5dc003b3a58621745a39f706ef9646d5c481&type=1

I’ve understood from Velora support that there were public announcements made across social media back in 2024, and that an NFT message had also been sent to my wallet at that time, warning me to revoke the vulnerable contract approval.

However, I had no idea that on-chain messages could even be sent, and I didn’t notice any NFT because I hadn’t purchased any myself.
I was also taught to never interact with anything unfamiliar in order to avoid scams or hacks, so even if I had seen it, I wouldn’t have known it’s legitimate.

I didn’t check social media either. After making my swap, I simply went on with my life; I had no reason to suspect anything.

It’s unrealistic to expect regular users to constantly monitor social media channels or blockchain messages. It’s not a user’s responsibility to follow social media posts for every single service they’ve ever used. That’s simply not how normal users behave.

Velora support told me that the PEP-07 DAO fund, which had been used in 2024 to refund victims of the same exploit, has already been exhausted, and that they cannot help me anymore.

They also said that if I want compensation, I should create a DAO proposal myself.
But to make a formal proposal, you need 100,000 $VLR tokens, which I don’t have, and I lost everything in this hack that came from this vulnerability.

This is deeply unfair.

Other victims of the exact same exploit were refunded through DAO funds.
It’s still the same vulnerability, and I’m still a victim.

I trusted Velora’s platform and used it correctly.
Now I’ve been left with nothing, facing serious financial problems in real life.

I was directed here by the Velora admins, who told me to post my case on the DAO forum.
I truly hope that the DAO and the community will review this situation fairly and allow me to receive the same treatment as the other victims who were fully refunded.

I’m kindly asking the DAO and the foundation to please submit a refund proposal on my behalf and handle the technical part, since I don’t know how to do it and I don’t own any $VLR tokens, nor do I have the means to buy them after losing everything.
Please make this happen so I can also receive a full refund, just like the other affected users did.

I’ve learned my lesson from this, now I understand that on-chain messages can be used for important notifications, and I’ve already revoked the compromised approval from my wallet.

I would be deeply grateful for your help, it would truly save me from this situation that has caused me enormous stress and real-life financial difficulties.

For Velora, as a foundation in the crypto world, $20,107.8 is not a large amount, but for me, it was everything I had, and this loss has deeply affected my life.

Given that this vulnerability originated on Velora’s side, I believe the fair and honorable thing to do would be to show good faith and offer a full refund for my stolen funds, just like it was done for the other affected users.

For anyone who wants to better understand the technical background of this incident, you can read the official Velora post-mortem here:
https://veloradex.medium.com/post-mortem-augustus-v6-vulnerability-of-march-20th-2024-5df663a4bf01

Thank you for taking the time to read my story and for any support you can provide in making this refund proposal happen.

3 Likes

After on-chain verification, we can confirm that the user did indeed execute a transaction on March 19, 2024, which was one day before the AugustusV6 contract vulnerability was publicly reported on Discord.
Since that event, no other transactions have been made from this wallet, with the next one occurring only on October 5, 2025, more than a year later. This suggests it is likely a relatively inactive address, which did not closely follow community communications or on-chain revocations requested by the team at the time.

In my view, this case warrants a refund.
The user acted in good faith, in the wrong place at the wrong time, without being able to reasonably anticipate the vulnerability or the technical measures taken afterwards. This is not negligent behavior, but rather a consequence of the structural weakness of the current Web3 model: warnings related to vulnerabilities or on-chain revocation requests are not sufficiently visible or accessible to the majority of users, especially those who do not constantly monitor community channels or block explorers. Between official on-chain messages and the constant flood of notifications and spam an address receives, it is practically impossible for an average user to reliably distinguish and verify legitimate alerts.

Granting a refund in this case would not only be a corrective measure but also a strong signal to the community: Velora assumes responsibility for past vulnerabilities and demonstrates that user protection is a core value of the protocol. It would reinforce the DAO’s moral legitimacy, showing that the protocol treats its users fairly, even in complex situations arising from legacy contract issues.

4 Likes

First, thank you for sharing your story, it’s truly a tough spot and I appreciate you trusting the DAO process by posting here. Losing 20k can be devastating, especially as it stemmed from a legitimate swap on Velora. I also echo that no one should face real-life financial hardship from using DeFi as intended. Your case tugs at the heart of why we are here and why we continue contributing to this DAO.

That said, let’s honor the full picture. The AugustusV6 vulnerability was a painful oversight (detailed in the post-mortem), but the team acted decisively:

  • Immediate Mitigation: Paused V6 within hours and coordinated white-hat recoveries of ~$3.4M plus ~$800k from hackers via on-chain negotiations (as in your case’s unanswered message).

  • Broad Notifications: Public announcements across Medium, X, Discord, and the help center; plus targeted on-chain NFTs and messages to ~thousands of affected wallets. These weren’t perfect (e.g., on-chain alerts can feel obscure), but they reached proactive users who revoked in time.

  • Generous Refunds: PEP-07 allocated ~103 ETH for full reimbursements to those who acted by a set deadline; in my humble opinion, that set a gold standard, refunding dozens without quibbling.

PEP-07’s success (passed April 2024 with huge support) shows the DAO’s commitment, but it also closed the fund to preserve treasury sustainability.
Extending it indefinitely risks straining resources if more late claims like yours surface; hundreds were exposed per the post-mortem.

DeFi’s promise is indeed empowerment, which means we all share the load: all protocols strive to innovate securely, but users too bear responsibility and must stay vigilant (revoking approvals post-swap).
You mentioned learning this lesson and revoking now, which is commendable, and it protects you going forward. I am somewhat tempted to say it’s not entirely “user error” here but more of a systemic reminder that infinite approvals are a double-edged sword we all navigate.
My proposal for a potential resolution, because judging your on-chain moves does make me wonder a little why you didn’t move the ETH to another wallet and swap from there, as you did on other occasions, but nonetheless:

  1. Verify & Extend Debate - Let’s confirm your txs via Etherscan and ask everyone to use their expertise to examine everything that might indicate a potential spoof claim and extend the 7-day window if needed for thoroughness.

  2. Goodwill Gesture - If verified, I am inclined to support a one-time 50% refund (10k USDC) and kindly ask @SEEDGov to assist in pushing the proposal to Snapshot. This honors PEP-07’s spirit, and alongside it we must reiterate and put a stop to any precedent for unlimited late claims (to be included in the header/footer everywhere it makes sense that no such future claims can be taken into consideration).

  3. Community Input - Looking forward to seeing how the broad Velorian community reacts. Rest of the delegates, what say you? No refund? Partial? Process tweaks? Let’s debate collaboratively.

@justmagic, I am rooting for you and hope that on a one-off level we come to some resolution, but please allow us to scrutinise this claim and dedicate the required time to come to a conclusion. I feel we all, and Velora DAO itself, thrive on fairness and transparency, and I dare say: let’s make it right, but, of course, within reason.

(Supporting refs: PEP-07 Thread, Post-Mortem)

1 Like
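The two posts above argue about infinite approvals and post-swap revocation without showing the mechanism. The following is an added example, not code from Velora, ParaSwap or anyone in this thread: a toy ERC-20 allowance model plus the raw calldata a wallet sends to check and revoke an approval. It models the flaw class generically (a router that forwards `transferFrom` on behalf of whoever calls it), not the specific AugustusV6 bug, which the page does not detail. Only the poster's address is from the page; the router and attacker addresses, the token balances and the 1,000 USDC swap are constructed placeholders.

```python
"""Stale ERC-20 approval: why an old 'infinite' approve lets a later caller drain a
wallet, and what the allowance check and the revocation look like on the wire.
Added example with a toy token model; not Velora/ParaSwap code."""
from dataclasses import dataclass, field

# Standard ERC-20 four-byte selectors (first 4 bytes of keccak256(signature)),
# hard-coded so the script runs without a keccak library.
SEL_APPROVE = bytes.fromhex("095ea7b3")        # approve(address,uint256)
SEL_ALLOWANCE = bytes.fromhex("dd62ed3e")      # allowance(address,address)
SEL_TRANSFER_FROM = bytes.fromhex("23b872dd")  # transferFrom(address,address,uint256)
MAX_UINT256 = 2**256 - 1

VICTIM = "0x05808Cf9F8aAcFD6a2c2A879326593644F9a339e"   # the poster's address (from the thread)
ROUTER = "0x1111111111111111111111111111111111111111"   # hypothetical vulnerable router (placeholder)
ATTACKER = "0x2222222222222222222222222222222222222222"  # hypothetical attacker EOA (placeholder)

SWAP_AMOUNT = 1_000_000_000   # constructed: 1,000 USDC in 6-decimal base units
STOLEN = 20_107_800_000       # 20,107.8 USDC in 6-decimal base units (figure from the thread)


def _addr_word(addr: str) -> bytes:
    """Left-pad a 20-byte address to a 32-byte ABI word."""
    raw = bytes.fromhex(addr[2:] if addr.startswith(("0x", "0X")) else addr)
    if len(raw) != 20:
        raise ValueError("address must be 20 bytes")
    return raw.rjust(32, b"\x00")


def _uint_word(n: int) -> bytes:
    if not 0 <= n <= MAX_UINT256:
        raise ValueError("uint256 out of range")
    return n.to_bytes(32, "big")


def encode_approve(spender: str, amount: int) -> bytes:
    """Calldata for token.approve(spender, amount); amount == 0 is the revocation."""
    return SEL_APPROVE + _addr_word(spender) + _uint_word(amount)


def encode_allowance(owner: str, spender: str) -> bytes:
    """Calldata for an eth_call of token.allowance(owner, spender): what the spender may still pull."""
    return SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)


def decode_transfer_from(calldata: bytes) -> tuple[str, str, int]:
    """Parse transferFrom(from, to, amount) calldata, the shape of the draining call."""
    if len(calldata) != 4 + 3 * 32 or calldata[:4] != SEL_TRANSFER_FROM:
        raise ValueError("not a transferFrom call")
    src = "0x" + calldata[16:36].hex()
    dst = "0x" + calldata[48:68].hex()
    return src, dst, int.from_bytes(calldata[68:100], "big")


@dataclass
class Token:
    """Minimal ERC-20 semantics: balances plus (owner, spender) -> allowance."""
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, caller: str, src: str, dst: str, amount: int) -> bool:
        """The caller may move src's tokens only up to the allowance src granted it."""
        if amount > self.allowance(src, caller) or amount > self.balances.get(src, 0):
            return False
        # Decrement on every pull; some tokens skip this at MAX_UINT256, and in either
        # case an 'infinite' approval leaves an effectively unlimited residual.
        self.allowances[(src, caller)] -= amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True


def vulnerable_router_pull(token: Token, caller: str, src: str, dst: str, amount: int) -> bool:
    """Generic model of the flaw class: the router issues transferFrom using the
    allowances users granted it, on behalf of ANY caller (the caller is never checked)."""
    return token.transfer_from(ROUTER, src, dst, amount)


def simulate(initial_approval: int, revoke_before_attack: bool) -> int:
    """Return what the attacker holds after: approve -> legitimate swap -> (revoke?) -> attack."""
    token = Token(balances={VICTIM: SWAP_AMOUNT})
    token.approve(VICTIM, ROUTER, initial_approval)
    if not vulnerable_router_pull(token, VICTIM, VICTIM, ROUTER, SWAP_AMOUNT):  # the 2024 swap
        raise RuntimeError("legitimate swap should succeed")
    token.balances[VICTIM] += STOLEN  # much later the wallet holds fresh USDC
    if revoke_before_attack:
        token.approve(VICTIM, ROUTER, 0)  # on-chain this is encode_approve(ROUTER, 0) sent to the token
    vulnerable_router_pull(token, ATTACKER, VICTIM, ATTACKER, token.balances[VICTIM])
    return token.balances.get(ATTACKER, 0)


if __name__ == "__main__":
    print("infinite approval, never revoked :", simulate(MAX_UINT256, False))
    print("exact approval, consumed by swap :", simulate(SWAP_AMOUNT, False))
    print("infinite approval, revoked later :", simulate(MAX_UINT256, True))
    print("revoke calldata:", encode_approve(ROUTER, 0).hex())
```

Three runs of `simulate` show the point: an exact-amount approval is consumed by the swap and leaves nothing to steal, an unlimited approval stays usable for as long as the spender exists, and `approve(spender, 0)` closes it at any time. To check a real wallet, send `encode_allowance(owner, spender)` as the `data` of an `eth_call` to the token contract and read the returned uint256; a non-zero value for a contract you no longer use is the thing to revoke, and the revocation is an ordinary transaction to the token contract carrying `encode_approve(spender, 0)`.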

On one hand, we have a user with a painful and legitimate-looking loss. On the other, we have the core DeFi / crypto principle of user responsibility. This is exactly why these decisions are so challenging: it feels like there’s no perfectly correct answer. I would be able to weigh in better once the transactions have been fully verified.

Regarding your question about why I didn’t move the ETH to another wallet before the swap: in the past I used centralized exchanges, and in more recent years I started preferring DEX platforms for the extra sense of control and security.
So, I simply used the same wallet I trusted and had used for my previous swaps. I honestly didn’t think this detail could be risky at all and I don’t believe it’s relevant in this particular case.

If the DAO community needs any additional information that you consider relevant, I’m more than willing to provide it.

That said, I still truly believe that the fair and reasonable outcome here would be to receive a full refund, just like the other affected users did, since this was caused by the same vulnerability on Velora’s side. I acted in good faith and, with the knowledge I had at the time, there was simply no way for me to protect myself from this.
I don’t want to sound disrespectful in any way, I’m just trying to find justice and closure in a situation that is very painful for me.

Thank you for taking the time to analyze my case.

2 Likes

We deeply regret the situation raised and wish to proceed with great prudence, as this is one of those cases open to interpretation where we believe no entirely objective decision exists.

Web3, unlike TradFi, offers the significant advantages of decentralization, empowerment, and true ownership of funds, without centralized intermediaries acting as obstacles or gatekeepers. However, the trade-off is that it requires more active, informed, and responsible users managing their own assets.

In this particular case, a vulnerability was discovered in the AugustusV6 smart contracts of Velora (formerly ParaSwap) in March 2024, which was quickly resolved, first by temporarily pausing the system, and then by fixing the vulnerability. The exposure window lasted roughly 48 hours.

During this time, ParaSwap acted promptly and transparently, making every effort to notify affected users: it published alerts on Twitter (see here, here and here), sent NFT notifications to affected wallets, and several ecosystem media reported the incident (see here and here as an example).

In parallel, a white-hat hacker helped recover a substantial amount of the lost funds. The total unrecovered amount, around $340,000, led to the PEP-07 proposal in April 2024, which the DAO approved with nearly 97% support, to compensate affected users from DAO funds. This was also communicated by ParaSwap (see here) and covered by various media (see here and here). A claim process was created and widely communicated, concluding with a post-mortem report.

While we empathize with the affected user, it’s important to note that the event occurred over a year and a half ago, and ParaSwap/Velora did everything within its power to communicate both the incident and the claim process. Unfortunately, the user remained unaware of this widely disseminated information during that entire period and made a transaction, apparently losing funds.

We do not agree with the notion that it is unrealistic for users to stay informed. In Web3, self-custody and decentralization inherently require a higher degree of awareness and responsibility. It doesn’t mean monitoring social media constantly, but maintaining at least a minimal level of attention to major ecosystem updates.

Moreover, there is a non-negligible risk if the DAO decides to refund this case: it could set a dangerous precedent that allows malicious actors who had approved the vulnerable contracts in 2024 but never executed transactions, to later “self-hack” by performing one transaction now, divert their own funds to another wallet by exploiting the vulnerability, and claim refunds from the DAO.

This would create a risky precedent with potentially severe consequences.

For all the above reasons, and with genuine regret for the situation, but with the understanding that the issue cannot remain open indefinitely, and that Velora acted appropriately at the time of the events, we believe the DAO should not proceed with the requested reimbursement.

4 Likes

I must respectfully disagree with the conclusion.

The funds were stolen because of a vulnerability that existed on Velora’s side, not because of any mistake or negligence on my part.
I lost everything simply because, in the past, I made a legitimate swap through what was, and still is considered a trusted and reputable platform.

At that time, I had no idea that such an exploit could even happen, that someone could drain my wallet later just because of an old approval. I didn’t share my private keys, I didn’t sign anything suspicious, and I didn’t fall for any scam.

My only “mistake” was trusting a reputable platform that, at that time, had an undiscovered vulnerability, and not following its social media announcements afterwards, since I had no reason to suspect anything was wrong.

Denying a refund in a situation like this is deeply unfair, especially considering that other affected users were fully refunded for the exact same vulnerability.
This loss has severely affected my life and caused me real financial and emotional distress.

I want to make it absolutely clear that I am acting in good faith, not a malicious actor or a “self-hacker.”
If needed, I am more than willing to verify my identity through official documents and even a video call, and to provide any other information you may require to ensure that this is a genuine case.

All I ask for is fairness and the same treatment as the other victims of this exploit.

2 Likes

The reality is that Velora has failed to protect its users and now refuses to take responsibility by issuing a full refund, even for an amount that is very small in the crypto world, yet extremely significant for a normal user.

This situation shows that the platform cannot be considered trustworthy: you can use it in good faith, make a legitimate swap, and still lose everything you have because of a vulnerability that was on their side.

Some have implied that this could have been a self-hack. My question is: how can we be sure that this exploit wasn’t created by individuals connected to the platform itself? The way Velora has reacted now, ignoring victims and avoiding accountability, raises serious doubts.

At this point, given their attitude and refusal to take responsibility, it seems clear that Velora has become complicit, directly and indirectly, in the damage caused to users who simply trusted their service.

When a platform fails to protect its users and refuses to take responsibility for the losses caused by its own vulnerabilities, it stops being a legit crypto project and becomes just another scam hiding behind the blockchain narrative. It’s disgraceful and shows complete disrespect for the very people who trusted it.

1 Like

Unfortunately, I do not agree with this proposal. It’s a pity that this situation occurred, but the DAO already took steps to return the stolen funds related to the AugustusV6 vulnerability some time ago.

Revisiting the same reimbursement request doesn’t align with the previous consensus or actions already executed by the DAO regarding this issue.

1 Like

While I sympathize with the OP’s situation, it is not a case where the protocol didn’t do anything. As several others mentioned, an extensive comms campaign was run to bring awareness and closure to all impacted users, and a specific budget was also available for it.