We deeply regret the situation raised and wish to proceed with great prudence, as this is one of those cases open to interpretation where we believe no entirely objective decision exists.
Web3, unlike TradFi, offers the significant advantages of decentralization, empowerment, and true ownership of funds, without centralized intermediaries acting as obstacles or gatekeepers. However, the trade-off is that it requires more active, informed, and responsible users managing their own assets.
In this particular case, a vulnerability was discovered in the AugustusV6 smart contracts of Velora (formerly ParaSwap) in March 2024, which was quickly resolved, first by temporarily pausing the system, and then by fixing the vulnerability. The exposure window lasted roughly 48 hours.
During this time, ParaSwap acted promptly and transparently, making every effort to notify affected users: it published alerts on Twitter (see here, here and here), sent NFT notifications to affected wallets, and several ecosystem media outlets reported the incident (see here and here as examples).
In parallel, a white-hat hacker helped recover a substantial amount of the lost funds. The total unrecovered amount, around $340,000, led to the PEP-07 proposal in April 2024, which the DAO approved with nearly 97% support, to compensate affected users from DAO funds. This was also communicated by ParaSwap (see here) and covered by various media (see here and here). A claim process was created and widely communicated, concluding with a post-mortem report.
While we empathize with the affected user, it’s important to note that the event occurred over a year and a half ago, and ParaSwap/Velora did everything within its power to communicate both the incident and the claim process. Unfortunately, the user remained unaware of this widely disseminated information during that entire period and made a transaction, apparently losing funds.
We do not agree with the notion that it is unrealistic for users to stay informed. In Web3, self-custody and decentralization inherently require a higher degree of awareness and responsibility. It doesn’t mean monitoring social media constantly, but maintaining at least a minimal level of attention to major ecosystem updates.
Moreover, there is a non-negligible risk if the DAO decides to refund this case: it could set a dangerous precedent that allows malicious actors who had approved the vulnerable contracts in 2024 but never executed transactions to later “self-hack” by performing one transaction now, diverting their own funds to another wallet by exploiting the vulnerability, and then claiming refunds from the DAO.
This would create a risky precedent with potentially severe consequences.
For all the above reasons, and with genuine regret for the situation, but with the understanding that the issue cannot remain open indefinitely, and that Velora acted appropriately at the time of the events, we believe the DAO should not proceed with the requested reimbursement.