Dear Acala community,
Most of you know about the exploit that took place on Starlay, the first lending/borrowing protocol deployed on Acala EVM this year. The total amount of stolen funds was around 2.2M$, all in DOT and LDOT at the time of the hack.
There is a strong request from the affected users to get partially compensated for the loss. If you look at the numbers, those users are not degenerate DeFi traders having paid the price of an unreasonable exposure to leverage: almost none of the available 2.2M$ in DOT had been borrowed by these users before the exploit took place, which unfortunately allowed the attacker to steal almost all of them.
The exploit was made possible by wrong configurations implemented by Starlay (on Acala EVM) on the condition to get liquidated related to an empty USDC pool.
This exploit was initially announced by Starlay Finance on their X account: https://x.com/starlay_fi/status/1755605617421795560
The list of transactions involved in the exploit can be found here, as published by Starlay:
https://docs.google.com/spreadsheets/d/1RK_5z_iAhmoeE9cnTGjlPvaMyETb8V7OodWBNsTQ4tM/edit?usp=drivesdk
Of course, the first request of the affected users was directed towards Starlay, which was responsible for this exploit since they were the ones who programmed the pools and hosted the product. Unfortunately, though, Starlay had very limited treasury. However, Starlay did propose a significant compensation compared to its limited financial means and submitted it to a vote in its community. In the end, ASTR tokens were sent to the affected users which cover between 20 and 30% of the loss, depending on how one counts it.
The list of affected accounts, with the corresponding amounts of stolen DOT and LDOT, can be found here, as published by Starlay, along with the corresponding compensation in ASTR tokens already received:
https://docs.google.com/spreadsheets/u/0/d/1qCUiQKl2sm7Vuqi8M01ITHQKaEzdhwxAzerW5stJmCA/htmlview
Acala did help Starlay in the search for solutions and in following the transactions made by the attacker, and I believe we can all thank them for that. In addition, Acala decided unilaterally to send some DOTs to affected users, which cover an additional 5% of the loss. This is a commercial gesture which was directly taken from Acala funds and not from Acala treasury. Of course, it is a first positive signal from Acala and I am sure every affected user was happy to receive some money back even if this amount was small. However, many among the affected users would still like to submit a vote to Acala governance. This has been proven by a recent off-chain governance vote on Acala Opensquare that you can find here: https://voting.opensquare.io/space/acala/proposal/QmXtu2pcSJtStoxxbw3RcspMZggoHVnGujtRpFYbvWmzWb
Initially, the demand in this off-chain vote was meant to try to cover 50% of the loss overall, with some of it with vesting. However, following discussions with Acala and in particular Travis (via Acala Discord), it appeared that:
- This amount was too large to be compatible with Acala development.
- The possibility to vest the tokens on multiple accounts was quite complex to incorporate in a treasury proposal.
After thorough discussions, we decided, among affected users, to request 150k$ in ACA from Acala treasury in one single transfer, as a final compensation to close this case and move on. This would be a gesture to support the affected users, who are mostly strong supporters of Acala. To guarantee the compensation reaches its destination, the account to which the funds are requested to be sent is a multisig between Adam Clay Steeber, who is a well-known figure of the dotsama community, and myself, as a representative of the affected users. A contract has been signed with Adam with the following references:
- Contract ID: 64zvxkxqn88w64kckq
- Service Provider signature hash: 0x584d2baf8a369ecd3eedd8b9202eaa99759984018087dcb8c467b71b06769c4c847100478813a4eede9e96e395da21cecc0f0042f01d540e69ef915e8dab318e
- Client signature hash: 0x5e4076cb3945ce17fc6801faf98e838a9551b7bc0d5b0e191910a2739ee34548030bca839594606fb9e5654ebe477a8b02cef2304f2e7e3fce7dc28f7db31789
This contract stipulates that, should the treasury proposal be AYEd, Adam will be responsible for the correct transfer of the funds to all affected users, in proportion to their loss.
Adam Steeber here (posting from my business wallet - verified Kusama identity here). I am the second signatory on the beneficiary multisig.
I can confirm that I've been working with the submitter here and we have come to a contractual agreement regarding the distribution of these funds.
Steeber Solutions LLC shall be legally responsible for the distribution of the Treasury funds. This distribution is as follows:
256ixYC9YMyLTza1bT52Jy4K8yjBjD46qrbxbB2XkTq8h7rg
Here's a breakdown of the distribution of this Treasury spend. Shares are based on the USD values found in the spreadsheet provided by Starlay. The Acala-to-EVM account mapping comes from this chain query: `api.query.evmAccounts.accounts.entries();`. Notice there are 4 EVM accounts entitled to a share of this spend who have not bound their Acala accounts to their EVMs, though their shares are relatively insignificant. The following is the encoded call hash that you can derive by batching `balances.transferKeepAlive` of the shares (down to the planck) to their respective recipients, in order from largest to smallest, using `utility.batchAll()` (omitting the 10% share to Steeber Solutions and the 4 accounts without a binding): 0x1f25eb1cf4c6a14c048c603dfdbabc9677316b74ae03fd17425c6425d226515e