Strategic reevaluation of legal actions post-security breach and proposal for forward path

===

Date: 20th Feb 2024

Proposed by: Starlay Chan Initiative (SCI)

===

Summary

In light of the recent security breach, SCI has undertaken a thorough review of potential legal actions with our legal advisors. This evaluation has highlighted significant challenges and costs associated with legal enforcement, notably the process of obtaining court-issued orders directed at CEXs. This proposal outlines these findings in detail and presents alternative strategies for community deliberation.

Legal Enforcement Challenges

Obtaining Court-Issued Orders:

  • The process to secure official orders from the courts mandating CEXs to release pertinent information is not only protracted but also financially burdensome. Preliminary assessments indicate that the initial phase of obtaining such orders could extend over several months, with costs potentially escalating to several hundred thousand dollars. This figure accounts for the complex legal procedures involved, including but not limited to drafting, filing, and litigating the necessary legal documents.

Identification and Apprehension Challenges:

  • The probability of successfully identifying the hacker(s) through CEX account information is relatively low. Hackers often operate using numerous accounts, and there’s a high likelihood that the accounts used in the breach are not directly linked to the actual perpetrators. The endeavor to pinpoint and verify the correct accounts would incur additional time and financial resources.
  • In the event that the perpetrator(s) are identified, the process of apprehension could be exceedingly lengthy and would likely require extensive international legal cooperation and potentially even extradition, further compounding the complexity and cost.

Given these considerations, the potential outcomes of pursuing legal enforcement may not justify the significant financial investment required, leading us to reassess the viability of this approach.

Proposed Focus Shift

Considering the above challenges, SCI proposes to pivot our strategy away from pursuing uncertain and costly legal enforcement towards more practical and collaborative measures. This includes enhanced coordination with CEXs for account monitoring and blacklist implementation, areas where we’ve already seen willingness to cooperate from platforms like Whitebit and Huobi. Also

Community Engagement and Decision-Making

This juncture presents multiple paths forward, which we wish to discuss with the Starlay Finance community. It’s important to reiterate that Starlay operates under a DAO governance model, with no single entity making unilateral decisions. As such, SCI’s role is to contribute to the dialogue and support the community in arriving at a consensus through voting. Here is how our decisions are made: Starlay Governance Process

Option 1: Rebranding and Evolution with Continued Support and Enhanced Compensation Strategy

Under Option 1, SCI proposes to discontinue legal enforcement efforts due to the high costs and uncertain outcomes associated with such actions. Instead, SCI will continue to operate and contribute to the Starlay Protocol as it has done to date. The option suggests rebranding and reallocating Starlay’s future tokens.

Key Considerations:

  • Treasury Assets: The majority of the current assets in the Treasury have been accrued through dApp staking revenues on the Astar network. Given that these assets are intended for use within the Astar ecosystem, their allocation towards compensation will require community consultation and approval through a voting process.
  • Financial Reserves: In continuing operations, SCI aims to maintain a 50% reserve within the Treasury to ensure operational sustainability.
  • Introduction of New Tokens and Evolution Strategy: The emphasis shifts towards a broader strategy of protocol evolution and community support. The potential for future token issuance, aligned with the rebranding initiative, will be explored in close collaboration with the community. It is crucial that any decision regarding token issuance and the specific mechanics of compensation be ratified through community voting, ensuring alignment with the collective vision and interests of the Starlay stakeholders, however there is high possibility that the users suffered from this time incident would be allocated the new token.
  • Continuous Efforts to Recover Funds without Legal Enforcement: We will pursue measures without legal enforcement. We remain committed to tracking wallet addresses, collaborating with CEXs, coordinating efforts with the Acala and Certik teams, engaging with the BNB security team, holding discussions with the Parity team

This option emphasizes a balanced approach that prioritizes community support and protocol sustainability over the uncertain returns of legal enforcement. Should Option 1 be selected, SCI commits to dedicating its full efforts towards contributing to Starlay’s future, with a clear outline of contributions and future scope as detailed in the provided forum link: Starlay Chan Initiative (SCI) 6-month budget request

Note

Regarding the token distribution, we added two options, which will be put to a vote.

Option 1-1: USD-Based ASTR Distribution

Under Option 1-1, compensation for the hack will be calculated based on the USD value of DOT/LDOT at the time of the hack, and ASTR will be distributed accordingly. This approach ensures a swift distribution process.

Option 1-2: DOT-Based ASTR Conversion and Distribution

Option 1-2 proposes converting ASTR to DOT based on the current valuation and then distributing DOT to the users. This method aligns compensation with the original asset lost but may require additional steps for conversion and distribution.

In both cases, if any stolen funds are recovered, compensation could potentially increase from 40% to up to 100% of the initial user loss. Should the recovery exceed the losses, the surplus will remain with Starlay treasury, considering the initial 40% compensation was provided from the treasury.

Option 2: Dissolution of Starlay and Cessation of Hacker Tracking

Option 2 involves the dissolution of Starlay Finance and the cessation of efforts to track the hacker, including the use of Treasury funds for such purposes. This option would entail liquidating the Treasury and using the remaining assets for community compensation.

Key Considerations:

  • Community Consultation: Similar to Option 1, the use of dApp staking revenues from the Treasury for compensation requires community input and approval, given their intended use within the Astar ecosystem.
  • Vote-Driven Decision: The decision to dissolve Starlay and allocate the remaining assets for compensation will be determined through a community vote, ensuring that the chosen path aligns with the collective preference of the stakeholders.

This option represents a definitive closure to the protocol’s operations, focusing on equitably distributing remaining assets to the affected parties.

Option 3: Pursuing Legal Enforcement

Despite the outlined challenges and costs associated with legal enforcement, Option 3 remains on the table. This option would involve proceeding with legal actions to attempt asset recovery and hold the perpetrators accountable.

Key Considerations:

  • Cost vs. Reward: As previously discussed, the potential costs of legal enforcement may outweigh the possible benefits, making this option less favorable compared to the alternatives.

Option 4: Continuing Development Without Compensation

Under Option 4, the Starlay Chan Initiative proposes to continue the development of Starlay Protocol without providing compensation for the security breach. This option focuses on moving forward with the current development plans and strategies to enhance the protocol’s features and security, without allocating funds from the treasury for compensation purposes.

This approach prioritizes the long-term growth and sustainability of the protocol, leveraging the current assets and resources to improve and expand the platform’s capabilities. The decision to not provide compensation is based on the assessment of the protocol’s financial health and the strategic direction aimed at maximizing the protocol’s potential and value to its users and stakeholders.

Next Steps

  • Launch a comprehensive forum discussion to solicit community feedback on the outlined options and any additional suggestions.
  • Organize a formal community vote to democratically select the preferred course of action, ensuring transparency and inclusivity in the decision-making process.

3 Likes

Hi Seiya,

First of all, thank you for your constructive proposal.

I am a $LAY holder and a user of Starlay on Astar, and I have not been directly affected by the hack that occurred on Acala.

Given this, what would be the benefits for me if I choose option 1?

I believe the issuance of new tokens could dilute the existing $LAY tokens.

While I am not opposed to compensating users who suffered losses on Acala, I wonder what benefits there would be for users like me?

If the dilution of tokens means that the value of tokens I receive in the future will be less, choosing option 2 to dissolve Starlay and receiving a distribution of the remaining funds in Starlay’s Treasury could potentially be more beneficial for me.

I would like to hear your opinion.

1 Like

With the situation now, knowing that getting everything back from the hack is unlikely, and we are unsure what, if anything, can be done on CEXes.

Ideal would be if either Acala (which cooperated through Euphrates) or even Polkadot would provide support from the community fund, but depending on relations even that is difficult or can only be a small path.

I also think it could be a good way to have partial compensation from the treasury:

  1. convert some part of the treasury (50%?) now to DOT to avoid further market price changes
  2. await full community decisions and calculation of compensation levels, and then convert the rest of the treasury that is used for compensation to DOT
  3. pay out compensation to affected users as a % of DOT based on the funds lost
  4. keep the option of future extra compensation in DOT if anything comes back (100% of funds lost minus the part that is compensated in step 3)

This also gives everyone the chance to get a part of the upcoming airdrops on DOT, through Starlay first receiving them.
With that, the Starlay team can still rebuild and try to make something happen in a now again booming market and a more positive environment for Polkadot in general.

And re the Astar Starlay community:
overall, Starlay started on Astar.
But having the first leveraged staking protocol for DOT, which has a much higher market cap, has the potential to be a killer app.
Just have a side look at what is happening with LSTs, LRTs and so forth on Ethereum right now.
While the DOT narrative is heating up, there will be people slowly discovering that liquid staking has been a thing on Polkadot for a while, and now Starlay already has it working; despite having an initial hack and learning from it, this can be turned into a great success story.

3 Likes

I like your answer!
I am in the case that I was only a user of Starlay on Acala. And my DOTs have been stolen.

To discuss your points:

  1. I completely agree. I think Starlay should change 50% of the treasury into DOT to avoid market fluctuation ASAP.
  2. Identify all the users affected by the hack and evaluate the real compensation possible.
  3. Pay out the initial compensation and work on reimbursement planning.
  4. If anything comes back, Starlay keeps the difference.

I think this sounds like a good plan. I hope Acala could help support a part of the refund. Acala or any other project; at this point, if we could receive support from DED and PINK it would be amazing. I just want to see my DOTs back.

I don’t have an interest in seeing Starlay disappear. I actually like that you develop the DOT ecosystem building on Acala; it is exactly what we need, and the hack is really tragic.
I completely agree on the fact that a leveraged staking protocol is a real business, as we can see on Ethereum. And it will be at another level on the DOT ecosystem.
At the same time, this solution offers the possibility to work with other protocols on the blocking and the return of stolen funds.

1 Like

Hi @Beck

Given this, what would be the benefits for me if I choose option 1?

For users exclusively on the Astar Network, there may not be direct benefits. Yet, it’s worth considering whether a protocol that fails to address the needs of its hacked users can truly flourish in the future. Should this approach be rejected, I am prepared to resign as a contributor, as a protocol that lacks backing from its community, which fully comprehends the situation, is not viable in the long term.

I believe the issuance of new tokens could dilute the existing $LAY tokens.

This strategy does not dilute the existing LAY tokens since the new tokens are planned to be exchangeable with LAY (or distributed via an airdrop). The intention is to transition the role of LAY to the new tokens, not to distribute new LAY tokens. The allocation of these new tokens is intended for Acala users affected by the incident.

The issuance of new tokens is not only for rebranding purposes but also to facilitate CEX listings. Currently, LAY’s liquidity and price are quite low, and nearly 100% of the tokens are already in the market, which could lead to increased selling pressure upon listing.

To mitigate this, the main goal is to exchange LAY for new tokens with lockup and vesting periods (or distribute them via an airdrop), thus reducing selling pressure. Previous LAY listings suffered from price drops due to low liquidity and the absence of market makers. This time, we aim to learn from those lessons by ensuring greater liquidity distribution and hiring market makers.

1 Like

I appreciate your perspective, but it’s important to clarify that the amount compromised in LDOT was indeed significant rather than DOT. Calculating compensation based on USD value at the time of the hacking simplifies the process. Moreover, considering the potential for a future Starlay token airdrop, compensating in USD seems more appropriate.

Also, I suggest compensating in ASTR valued in USD, as it’s readily available in our treasury, allowing for swift action. Without DOT in our treasury, our only option is to refund in the USD equivalent of what’s available, not in DOT value. If we were to compensate in DOT or other assets, it would entail further delays. Allocating 50% of the treasury’s USD value in ASTR seems like a practical approach.

Hi,

Like many others, I had exposure to the Starlay protocol through ACALA Euphrates.
I lost a huge chunk of DOT tokens, therefore I can totally agree with what you suggest.

ACALA could and definitely should help in this matter, as they are just as accountable for providing the service. In their case, withdrawing responsibility will certainly not benefit them, nor the community or anyone else affected by this unfortunate incident.

Now that Polkadot has approved the proposal to burn revenue from “coretime” sales (RFC-10, I believe), perhaps DOT treasury can use that revenue to exceptionally compensate % of the stolen funds, back to those affected by the exploit. There could even be some kind of vesting system in case there’s not enough revenue to return funds at once, idk just sharing my thoughts here.

Let us hope we get to a solid proposal through which the entire community can recover their assets and Starlay doesn’t have to cease operations.

1 Like

Gm! As an affected victim, I agree that the best way forward is Option 1 or similar. We need to keep the project alive or we all lose.

This is real crypto and is not only sunshine. This issue will open the eyes to many of us about the importance of diversification and not putting all the eggs in one basket.

I was a sideline investor that went only for the profits. Now I have to take care of my bags and help push the best decisions for best possible outcome.

I see Seiya committed and that is very valuable. Without that I’d be pushing towards protocol liquidation instead.

About voting proposals, our hands are tied to the LAY holders and gatekeepers. Most of us do not own a single token, and it would be irrational to buy LAY to be able to vote to save our compensation plan.

About the meme airdrops DED and PINK: we could reach out to them. They could really help us achieve awareness of what happened here. Even maybe allocate a symbolic portion of the airdrops to hack victims (this is me thinking out loud).

I’d also like to see some partial compensation commitment from Acala (vested maybe). Most of us affected are originally Acala users.

Last, I wish Starlay can grow out of this mishap and help the Polkadot ecosystem thrive.

Thank you for your reply.
Your strong sense of responsibility came through clearly.

By the way, is it possible for Starlay’s operations to continue if 50% of the treasury funds are allocated for compensation?
Considering the future expenses for program audits, payroll, and other operational costs, it seems a considerable amount of funding would be necessary to maintain the business.

2 Likes

Hello, some considerations regarding this proposal.

  1. Acala should mention its action plan; so far I have not seen any proposal from them.
  2. Dissolving the protocol, I think, would be a bad decision. Starlay can be hacked, but if the protocol does not take charge or changes its brand, it loses all credibility, and so do Acala and Astar, since they participate in a protocol that is diluted in the first hack.
  3. It is a good opportunity to allocate treasury funds for this type of vulnerabilities. If you have not considered it, it is time to inform the community. They would lose the opportunity to do something good for the future.
  4. 60% or more of current treasury funds should be allocated to compensate users in USD before the value of DOT rises.
  5. Continue efforts to freeze the hacker’s wallet assets, informing the community who he is is also important.
  6. Astar, Acala and Starlay were affected, regardless of the decision that is made, the impact will be for everyone.

Of all the proposals, I think that the option of continuing with the protocol would be the most important but we should better understand the token scheme. I do not want to be paid what I lost with the issuance of new tokens without previously understanding the use of the new token.

Greetings

1 Like

Got your point.

In my mind it still sounds easier to do in DOT.

E.g. LDOT to DOT has a fixed redemption value at the day of the attack and less volatility vs. a $ denomination.
With that, all DOT and LDOT lost can be marked in DOT equivalents per user (one multiplication).
Then we can decide what part of the treasury is used to compensate, convert that once into DOT (on Acala) and send the same % to each user based on the funds each one lost.

E.g. (numbers for a simple showcase, not real):
Assume a User A lost 1 000 worth of DOT (5000 LDOT = 713 DOT and 287 Acala DOT).
The total equivalent lost in the hack is 100 000 DOT.
The treasury used to compensate is worth 40 000 DOT (swapped from ASTR).
This means 40% of the total would be covered.

For User A this means one transfer of 40% x 1 000 DOT = 400 DOT.

If any of the stolen funds are recovered, these can in future increase the compensation from 40% to up to 100% of the initial user loss. If more than that is received by Starlay, Starlay is to keep the rest, as Starlay already initially gave 40% from the treasury.

I see it as unlikely that compensation will be received from externals/CEXs in anything other than DOT itself, since that was the main form of transaction.

2 Likes

We’ve been reducing the payroll for core members for a while but plan to recruit new talent. Our audits have been conducted in collaboration with chains through grants, so we’re managing that aspect. For example, AlephZero offered an incentive controller audit for us. However, keeping 50% for growth is just about feasible, so we’re also considering raising funds through a new token issuance as well.

1 Like

Your suggestion will be included as an option. However, I support calculations in USD and distribution based on the USDC value in ASTR, as it allows for quicker completion of tasks and easier calculations when issuing new tokens in the future. Honestly, if the value of DOT had dropped below its USD value at the time of the hack, I believe everyone would have preferred to be compensated in USD.

Option 1-1: USD-Based ASTR Distribution

Under Option 1-1, compensation for the hack will be calculated based on the USD value of DOT/LDOT at the time of the hack, and ASTR will be distributed accordingly. This approach ensures a swift distribution process

Option 1-2: DOT-Based ASTR Conversion and Distribution

Option 1-2 proposes converting ASTR to DOT based on the current valuation and then distributing DOT to the users. This method aligns compensation with the original asset lost but may require additional steps for conversion and distribution.

In both cases, if any stolen funds are recovered, compensation could potentially increase from 40% to up to 100% of the initial user loss. Should the recovery exceed the losses, the surplus will remain with Starlay treasury, considering the initial 40% compensation was provided from the treasury.

I believe one more option would be needed like: Continuing Development without Compensation
This option involves continuing the development and improvement of the protocol without providing compensation for the hack. This approach would allow the project to focus resources on development, potentially introducing new features or improving existing ones to enhance the protocol’s value and security.

First of all big thanks to the team and moderator for your time and effort.

As a Dapp user with limited technical knowledge, I cannot go deeply into technical talk so maybe my way of writing isn’t all too constructive or effective.
But since it’s an open discussion I think it’s important to express thoughts to have an overall sense of the collective sentiment within the community and have the people with technical skills interpret this as they wish in order to find the best possible solution.

I definitely agree with the fact that ACALA should also come up with some kind of plan/proposal regarding compensations.
Dissolving the protocol is indeed not the best thing, nor my preferred solution. But in case the funds won’t be returned or compensated, it does promise users to see at least some of their money back without waiting an eternity.

And to say something about the option to continue without compensation…

With all due respect, I understand and respect the idea from the team’s perspective. And honestly, as early supporters, I think there should be some kind of gesture towards us, as a protocol needs risk takers.
Ok, we are rewarded with high yield, but we also take high risk for it, abide by the rules and pay our fees. I also know that in crypto everything is a risk, especially participating during the early days of any protocol, be it as a user or a service provider.

I think I speak for everyone when I say that when you supply assets to a protocol, we don’t put it into charity; we put some of our hard-earned money into this to make a profit and obviously in return gave the opportunity for the protocol to grow too. The protocol failed to protect customer funds.
If a protocol is subject to a hack, questions may arise about how solidly and responsibly it was built in the first place and how thoroughly it was tested before starting operations…
If, in case of a hack, service providers have zero sense of responsibility towards their users or community members, can they just be neglectful and in a sense use their users as test bunnies? We’re talking about finances here. It should come with at least some sense of responsibility.
I’m not implying it is the case for Starlay, but a future exploit definitely remains a possibility, so I’m not sure whether we are being wishful thinkers if we continue and hope to believe in the best interest of the protocol.
Asking to continue without any compensation is in a sense asking the people who lost their money to pay for the neglectfulness of the builders, or to stand as some kind of insurance for the provider’s professional shortcomings.
I don’t see how anyone affected by the hack would vote for that, unless they benefit directly from the protocol’s wellbeing…

2 Likes

I feel sorry for the victims who lost their funds without any compensation.

Therefore, how about initially setting a lower amount of compensation, while also issuing something like debt tokens to the affected individuals, and gradually repaying them from the funds earned by Starlay’s business in the future?

1 Like

If I remember correctly Bitfinex dealt with it that way with the hack that occurred in 2016.

1 Like

Thank you all for your commitment and propositions.
Speaking as a user who suffered the hack through Acala & Euphrates to Starlay.

Starlay needs to keep going; shutting down the protocol to reimburse users is not worth it.

A two-step compensation could be:

  • a 50% reimbursement from the treasury ASAP; this way users can still stay exposed to the market right now

  • a debt token; Metis is doing it with rMetis after they suffered the BSC bridge hack in September.

1 Like

  • Keep a reserve of 500K for Starlay to grow the protocol and use the rest of its treasury for initial compensation.
  • Given that the USD price of DOT can be lower or higher during compensation when compared to the hack, it is only fair for the initial compensation to be made in DOT.
  • If the initial compensation is paid in another token, for example ASTAR, the user needs to face:
    • Market liquidity problem: if there is no market maker it would be hard to convert the compensation token into DOT
    • Slippage or trading fee: the user needs to bear this when converting the compensation token to DOT
  • For the remaining compensation, Starlay can issue a debt token 1:1 to the remaining DOT to be compensated.
  • Given that Starlay is majority LAY holders, they can accumulate the Starlay trading fee rewards plus the ASTAR dApp rewards and use a % of the rewards to purchase back DOT and pay back the debt token holders. The remaining % of rewards can be used to grow the Starlay protocol.
  • Give the option of staking the debt token for LAY rewards.
  • Given that the users who suffered from the hack have also suffered an opportunity cost, Starlay should consider giving them native tokens with vesting to avoid selling pressure.
  • Example: numbers used are only for illustration
    • User A lost 1000 DOT
    • Initial compensation from Starlay: 400 DOT
    • Remaining 600 DOT issued as 600 DbDOT (Debt DOT)
    • Starlay over time purchases DOT, buys back DbDOT from the users and burns it
    • Give the option to stake DbDOT for LAY token rewards
    • Airdrop LAY rewards, possibly with vesting, to cover the opportunity cost the users have suffered
  • Get fast actions
    For everything to work smoothly, a proposal must be made as soon as possible, even if the results are negative for the users.
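Added illustration (not code from any poster in this thread): the DOT-denominated pro-rata scheme from the earlier reply (User A loses 1 000 DOT out of 100 000, the treasury covers 40%, recovered funds top users up to at most 100% and any surplus stays with the treasury), combined with the debt-token remainder from the list above, where each user's uncovered balance is the DbDOT amount. The user names and the losses of the other two users are constructed; exact fractions are used so that shares add up without rounding drift.

```python
from fractions import Fraction
from typing import Dict, Tuple

Amounts = Dict[str, Fraction]

# Constructed losses, already marked in DOT equivalents per user (LDOT
# converted at its redemption value on the day of the attack). user_a
# matches the 1 000 DOT example in the thread; the other two are made up.
LOSSES_DOT: Amounts = {
    "user_a": Fraction(1000),
    "user_b": Fraction(24000),
    "user_c": Fraction(75000),
}  # total: 100 000 DOT


def initial_payout(losses: Amounts, treasury_dot: int) -> Amounts:
    """Pro-rata share of the treasury allocation, never above 100% of a loss."""
    total = sum(losses.values(), Fraction(0))
    ratio = min(Fraction(1), Fraction(treasury_dot) / total)
    return {user: loss * ratio for user, loss in losses.items()}


def outstanding(losses: Amounts, paid: Amounts) -> Amounts:
    """Uncompensated remainder per user: the DbDOT (debt token) balance."""
    return {user: loss - paid.get(user, Fraction(0)) for user, loss in losses.items()}


def apply_recovery(losses: Amounts, paid: Amounts, recovered_dot: int) -> Tuple[Amounts, Fraction]:
    """Spread recovered (or bought-back) DOT pro rata over outstanding balances.

    No user is paid beyond 100% of their loss; whatever exceeds the total
    outstanding debt is returned as surplus for the treasury, which already
    funded the initial share.
    """
    debt = outstanding(losses, paid)
    total_debt = sum(debt.values(), Fraction(0))
    recovered = Fraction(recovered_dot)
    if total_debt == 0:  # everyone already made whole: all of it is surplus
        return {user: Fraction(0) for user in losses}, recovered
    usable = min(recovered, total_debt)
    topups = {user: amount * usable / total_debt for user, amount in debt.items()}
    return topups, recovered - usable


def add_payments(a: Amounts, b: Amounts) -> Amounts:
    """Sum two payment rounds per user."""
    return {user: a.get(user, Fraction(0)) + b.get(user, Fraction(0)) for user in set(a) | set(b)}


def coverage(losses: Amounts, paid: Amounts) -> Amounts:
    """Share of each user's loss covered so far (1 means made whole)."""
    return {user: paid[user] / loss for user, loss in losses.items()}


def run_scenario(losses: Amounts, treasury_dot: int, recovered_dot: int):
    """Initial treasury round followed by one recovery round."""
    first = initial_payout(losses, treasury_dot)
    topups, surplus = apply_recovery(losses, first, recovered_dot)
    return first, topups, surplus, coverage(losses, add_payments(first, topups))


if __name__ == "__main__":
    first, topups, surplus, cov = run_scenario(LOSSES_DOT, 40000, 70000)
    for user, loss in LOSSES_DOT.items():
        print(f"{user}: initial {first[user]} DOT, debt {loss - first[user]} DbDOT, "
              f"top-up {topups[user]} DOT, covered {float(cov[user]):.0%}")
    print(f"surplus retained by treasury: {surplus} DOT")
```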