daoApe #4 Agave Edition

Decentralized Crisis Management, Problem Solving, Coordination: Agave, the DAO of Gnosis Chain

Intro

Alright, in this issue, I will be writing the story from a personal experience: How moloch struck. How Agave got rekt. How Agave, Gnosis and the community worked to find a resolution. How a reasonable compromise from all affected parties contributed to this resolution. How we organized to slay moloch. Critique of some practices. The way forward.

We, humans, are inherently irrational beings. And we are all used to reading stories since ancient times about how this irrationality results in destruction, in a very wide range of tragedies from a king’s life to the extinction of communities. Yes, all rekt stories we have seen in DeFi are tragedies, the actors of which share the same hamartia as those kings in the plays of Sophocles. And for that matter, I feel obliged to thank rekt.news for turning these stories into laughing matters and for rejuvenating yellow journalism. Otherwise, without humor, how can we keep trying new things if we are not going to have some fun in this space?

DeFi is still taking its baby steps. It has been only 2 years since Compound Finance started allowing decentralized lending and borrowing on-chain; then, a huge influx of other people tried their hand at experimenting with different stuff to make things better. Of course, there have been plain scammers and sociopaths trying to benefit off of people’s greed; but on the other hand, it brought about the rise of open-source, which used to be limited to a few nerds before crypto became widespread, allowing local networks (local in a sense that DAOs consisting of people sharing same values) to build stuff that would fulfill their own needs unlike the SaaS mindset of web2.

No, there’s no TL;DR.

A Little Bit of History

1Hive Deploying on xDai

When gas fees on Mainnet rendered it non-feasible for DAOs experimenting with on-chain governance after the famous DeFi summer of 2020, DAOs such as 1Hive decided to migrate to a chain where people would not hesitate to participate in on-chain voting. As the first DAO to experiment with a novel, whale-resistant, participation-encouraging governance system, namely Conviction Voting, 1Hive deployed its tools, which constituted the framework of what is today called Gardens, on xDai Chain.

Along with its governance tools, it was obviously necessary to deploy an automated market maker, which is Honeyswap, still in use by most DAOs on Gnosis Chain. And all these things happened before everyone and their grandma started popping up with alternative L1 EVM-compatible chains, the security and stakeholders of which are still questioned today.

And it was not only 1Hive, but other DAOs such as DXDao and DAOhaus doing experiments with on-chain governance practices also deployed their tools on xDai back in the day, which made the well-known argument that Gnosis Chain is the DAO-chain. These were all true DAOs, not your Daniele Sesta-and-0xSifu cash-grab projects leeching off of the retail with fraudulent practices.

Money Market on xDai

Well, when you deploy your own governance mechanism on a chain, you need other tools. That is exactly when discussions about having a decentralized money market on xDai began within the community, and specifically within 1Hive. And this was before Aave deployed on Matic (which is today’s Polygon after their rebranding). The basic idea was to have the tools to go on with our own business while allowing people with smaller portfolios to have the opportunity to experience decentralized finance. As punk as possible, after asking Aave to deploy on xDai, we had to make the decision ourselves and it turned out to be a Do-It-Yourself thing. That is how Agave was born with almost no funding at all! (The only funding that Agave received was 50 $HNY from 1Hive to create the first liquidity pool on Honeyswap.)

An xDai native project, providing decentralized borrowing and lending to the tight-knit community of the DAO-chain, Agave was embraced and used by the very people who have been working for the very chain they have embraced as their home. Around 700 people from 1Hive, DXDao, Symmetric Finance, DAOhaus, BrightID, Giveth, Token Engineering Commons were using the native money market when the exploit happened. Even 1Hive native project NFBeez deposited their own revenue from the minting of the NFTs to Agave. Not to mention people with relatively small portfolios enjoying low gas fees (when I say low, I literally mean low, like fractions of a cent).

Gnosis/xDai STAKE Merger

Back in November 2021, the xDai STAKE community was surprised to see a proposal offering a merger between Gnosis DAO and xDai while they were expecting a rebranding of xDai, which had been supposed to be carried out by RaidGuild. To be frank, there was a little bit of a backlash from the STAKE holders upon this proposal. The reason was, mainly, that most holders of STAKE believed that xDai could also find its place in the race among the L1 EVM chains, considering the market cap of the STAKE token was rather low compared to its competitors such as MATIC. In fact, there were even some people calling this move by Gnosis DAO a hostile takeover of the chain, as Gnosis DAO was given a grant of a considerable amount of STAKE tokens that they could use in governance. As a result of these discussions and arguments about whether this was a takeover or not, and the huge drama within the community, an AMA session was conducted in the xDai/STAKE Discord with the participation of people from both parties.

No one was against the merger, actually; the main concern was the short time period for the TWAP prices that would take place for swapping STAKE tokens into GNO. There were also a few other concerns and all were addressed during a rather heated session. In the end, the proposal was amended, and passed with overwhelming support on the Snapshot votes of both DAOs.

Thence began our journey with Gnosis DAO under the name Gnosis Chain!

Agave Hack and How It Got Resolved

Day of the Hack

This is exactly where the story gets personal. 15th of March 2022, I woke up to this message:

Yes, I sleep in the morning, wake up in the evening. That’s really 6.15 PM lol.

What could I do? Sit down and cry as I lost my life savings? Well, as a non-dev person, after figuring out what was actually happening, the only thing I could do was to provide community support while the developers were trying to understand what exactly was the core of the issue that allowed the exploit to happen netting the hacker around $4.5M of non-utilized liquidity in the platform. Hence, I wrote this premature message on Agave Telegram:

At the same time, another lending protocol, Hundred Finance, fork of Compound Finance, was also being exploited on Gnosis Chain. Although the attacker used a separate addy, we believe the attacker is the same person or entity.

Technicalities

Meanwhile, while checking Twitter to see the takes of other individuals who may be relevant to resolve the issue in addition to experts of Solidity, we have seen these tweets:

Mudit Gupta’s take on technicalities:

Shegen’s analysis and reflections (btw, she also lost a considerable amount in the hack):

Yeah, Shegen’s Tweet is the one that correctly explained the issue. Anyways, these are the technicalities, and I will also include the post-mortems by both Gnosis Chain and Agave if you are curious for sure. But I’m also sure that you’re not here for the technicalities but the social aspect as the reader. You can go, check out what the technical background was that allowed the exploit to happen in these post-mortems:

Post-Mortem from Gnosis Chain’s Side:

Post-Mortem from Agave’s Side:

Okay, there’s a TL;DR for these post-mortems, as I have already explained this to many people in simple terms before. The tokens from the OmniBridge were following a non-standard implementation that was designed to prevent people from accidentally sending tokens directly to the bridge contract. While it was a good-faith design, a 2020 audit report indicated that this non-compliance with the ERC-677 standard may pose problems, and this was not proactively shared with the developers of the ecosystem. Agave, as a direct fork of Aave V2 contracts, assumed that the tokens listed on the platform were compliant. Therefore, in almost 2 years, no one other than the attacker saw that this would cause any problem.
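The re-entrancy problem that this TL;DR and the later hard-fork section refer to, as an added Python model that is not code from Agave, Aave, the OmniBridge or either post-mortem. It assumes a token whose `transfer()` calls a hook on the recipient and a hypothetical `Pool` written as if tokens were plain ERC-20; every class name and amount is constructed, and the model does not reconstruct the actual exploit.

```python
class CallbackToken:  # constructed model: transfer() also notifies the recipient
    def __init__(self):
        self.balances = {}
    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise RuntimeError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "on_token_transfer", None)
        if hook:  # a plain ERC-20 transfer would have returned already
            hook(sender, amount)

class Pool:  # hypothetical lending pool holding user deposits
    def __init__(self, token, hardened):
        self.token, self.hardened, self.deposits = token, hardened, {}
    def deposit(self, user, amount):
        self.token.transfer(user, self, amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount
    def withdraw(self, user, amount):
        before = self.deposits.get(user, 0)
        if before < amount:
            raise RuntimeError("withdrawal exceeds deposit")
        if self.hardened:
            self.deposits[user] = before - amount    # effect first
            self.token.transfer(self, user, amount)  # external call last
        else:
            self.token.transfer(self, user, amount)  # external call first
            self.deposits[user] = before - amount    # stale value written back

class ReenteringReceiver:  # test fixture: calls withdraw() again from the hook
    def __init__(self, pool):
        self.pool, self.reentered, self.rejected = pool, False, False
    def on_token_transfer(self, sender, amount):
        if sender is self.pool and not self.reentered:
            self.reentered = True
            try:
                self.pool.withdraw(self, amount)
            except RuntimeError:
                self.rejected = True  # the pool refused the nested call

def run(hardened):
    pool = Pool(CallbackToken(), hardened)
    fixture = ReenteringReceiver(pool)
    pool.token.balances = {"honest-user": 100, fixture: 10}
    for user, amount in (("honest-user", 100), (fixture, 10)):
        pool.deposit(user, amount)
    pool.withdraw(fixture, 10)
    held, owed = pool.token.balances[pool], sum(pool.deposits.values())
    return {"held": held, "owed": owed, "solvent": held >= owed, "rejected": fixture.rejected}
```

`run(False)` leaves the pool holding 90 tokens against 100 owed to depositors, while `run(True)` keeps it solvent because the nested call sees the already-updated deposit and is refused.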

Agave DAO 🤝Gnosis DAO

Let us get back to the social aspect, right? Typically, in these kinds of rekt scenarios, you either expect responsible teams to just immediately reimburse users of their lost funds or just remove their on-chain credentials if they don’t care about the users at all. Well, this story was a bit different. Obviously, Agave at around $3M Market Cap, which was already ridiculously lower than its TVL at the time of the hack, did not have the funds to reimburse its users, who happened to be also long-time contributors to Gnosis Chain rather than mercenary capital chasing ridiculously high-yields on their deposits. What could be done? It’s turning into a Prisoner’s dilemma situation with three parties: Gnosis DAO, Agave DAO, and the Users. Defect + Defect + Defect? Or Collaborate + Collaborate + Collaborate?

Remember the “hostile takeover” accusations against Gnosis DAO above during the Gnosis/xDai Merger proposal. As unfortunate as it seemed, this incident was a huge opportunity to prove wrong the accusers from the arguments in November 2021. On the day of the hack, what we saw from the founders of Gnosis DAO, both Martin and Stefan, were nothing more than reassuring public statements on Twitter indicating a willingness to collaborate.

Mainstream Media Being Mainstream

you fucker!

On the same day of the hack, mainstream media sources like Fortune appeared like scavengers to gnaw on the already assumingly dead platform. They knew what they were doing as they bent the words from Shegen’s mouth, which she also explained in her tweet. To be frank, we were not expecting a good take from a magazine like Fortune, but the keywords they used in the article’s link were outright a malicious attempt to downgrade the experiment we like to call DeFi.

Why the hell would you put that word “scam” there if you had good intentions, right? Was the incident similar to your ponzi scams or your everyday MLM schemes attacking the vulnerable people who had no idea about finance? Or was it some kind of an asshole just taking advantage of a code vulnerability?

Reimburse But How?

Anyways, we can talk about the mainstream media constantly criticizing crypto and DeFi experiments on false grounds in an attempt to demonize change to protect the status quo until forever. Let us get back to what happened later.

In such incidents, where an attacker is able to steal money and the protocol is competent and has the liquid funds to make users whole, or in less decentralized environments, either the protocol itself covers the losses or the infrastructure provider, such as the chain, bails out the protocol. Upon checking the rekt leaderboard and the socials of the projects listed there, you can see that most of the time, these protocols all tried their hand at resolving the issue one way or another. Hence, in order to demonstrate that it has a strong community, Agave DAO also promised to do the best they can to reimburse users’ losses. Coincidentally, the users of Agave were also the contributors to the DAO as well as the entire Gnosis Chain ecosystem since the early days of the DAO-Chain.

The problem was that Agave did not have the funds to reimburse everyone right away. And a typical bail-out by some party that you would normally see again in less decentralized environments would not be the ideal solution. It had to be done in a truly DAO-way.

Consequently, some high level discussions between Agave DAO and Gnosis DAO were initiated and users were also invited to share their opinions on Discord. And there were some lively, friendly discussions and ideas were offered. If you want to get the feel, you can still join Agave Discord, scroll up in the #general channel.

So, after the high-level discussions between the affected parties, a pre-proposal was submitted to Gnosis DAO, initially asking around 55% of the lost funds during the hack in return for auctioning 25k AGVE tokens to Gnosis DAO, while 20% of the funds to be reimbursed would be open for discussion as to how it would be collected.

After some community feedback, and an almost three-hour long AMA held in the Agave Discord server, time for high-level communication between DAO representatives again! Then, the proposal to Gnosis DAO by Agave DAO was to be amended again. Which in the end led to the emergence of GIP-34. TL;DR:

And the proposal passed with overwhelming support on Snapshot except for a few nay-sayers.

Gnosis Chain Hard Fork

On the other hand, while all these discussions about the reimbursement of user funds and the future of Agave were going on, Gnosis Chain was also supposed to carry out a hard fork on the Chain. Hard forks are not embraced in the Ethereum ecosystem; the biggest one was the one performed after the infamous The DAO hack, leading to the emergence of Ethereum Classic (ticker $ETC), which has basically seen almost no development on it after the fork. Even so, all stakeholders (fortunately) followed suit after GIP-31, which proposed the hard fork on Gnosis Chain to upgrade the token contracts (legacy ones) to prevent the re-entrancy attacks that caused both the Agave and Hundred Finance exploits on the same day around the same time frame. The hard fork support by OpenEthereum (sadly deprecated last month) was named after Agave, and the rest was history. Agave became the DAO of the Gnosis Chain.

Good News!

Well, fast forward to today, after the loan from Karpatkey, everyone affected by the exploit on the 15th of March is able to claim 80% of their net losses at

Final Remarks

Crypto is neutral no matter what your everyday policymakers or no-coiners or non-believers in this technology love to assert to protect their hidden agendas. And yeah, all human beings have their hidden agendas to protect. That’s what defines society and the power struggle between whatever fucking ideology you may want to support or not. There are assholes everywhere as much as there are people with good intentions trying to better the world even for the assholes.

Hi Z!

But, a huge BUT, an alternative is possible and that’s why we are all spending our valuable time to make things as accessible, inclusive, trustless, permissionless, transparent, full-of-kindness as possible, oftentimes without expecting anything of value in return. We do not have to sacrifice freedom for the sake of some artificial security provided by governments or whatever regulatory body. As Elinor Ostrom has already pointed out in her groundbreaking Nobel Prize-winning work Governing the Commons, when you give the very people who are affected by the exact source (call it common pool resources or public goods or DeFi in our space) the autonomy to have control over the use, they will find the best outcome without any outside intervention. And this outside intervention is more costly anyways (but this will constitute the main subject of a future issue of daoApe). These eight design principles are more powerful than your typical outside regulatory body or your private institutions will ever be.

Let us embrace this innovative technology despite the assholes, scammers, cash-grabbers, exploiters, selfish bastards. Cause you know, they are everywhere. Let us all coordinate to slay the Moloch.

Also, huge thanks to the Monstrosity, Stonky, Luigy, Anisoptera, ZedKai, Mojmir, Martin, Stefan, Karpatkey Members, Claud,  Makerman, Wunderbernd, Svantetobias, Gigadig and all the Agave users and whose names I forgot to include here for helping us achieve this! You are all great people, and may everything in your life come true as good as you wish! Love you all.

We also have a grant on @gitcoin Grants Round 14. And we will be recoursing 20% of our donations to @Givethio Matching Pool at the end of this round.
