PUNK Compensation Plan and the Path Forward

Punk Protocol
Aug 12, 2021

Dear Punkers,

On August 10, 2021, Punk Protocol was attacked and $9 million worth of crypto assets were drained from the contract. As disclosed in our incident report, we were able to recover $5 million of the funds after $1 million was given as a finder’s fee to the white-hat hacker for their efforts. We have moved all of the recovered funds to a safe account before they get redistributed to the fair launch victims.

You can check the transactions below.

https://etherscan.io/tx/0xa85ce7d9d0882b858bf3dbc8f64b72ff05f5399ec3d78d32cea82e6795ccc7ce

https://etherscan.io/tx/0xc977ea434d083ac52f9cad00417bcffb866b894a5cbabf1cc7af9c00e78b8198

While it is still unclear whether the split of the drained funds was caused by the code vulnerability or by the white-hat hacker's bot, mitigating the damage and taking countermeasures comes before speculating about the attacker, since the attacker's identity and the likelihood of the remaining funds being returned are both unknown. All contributors have been working through the night to understand the incident and recover the stolen funds.

We want to take some time to first thank the community members for their patience and continued support as we scrambled to first analyze the issue and come up with a proper compensation plan, both fair and realistic. It was a very difficult decision on how to properly proceed from here, given that we do not have a treasury stacked with proper funds to go about reimbursement. However, we do want to keep our promise to our users and take this time to list out the compensation plan. We sincerely apologize for this unfortunate event and ask for understanding as we go about making everyone whole.

Here are the measures we have prepared to recover as much of the loss as possible and to restore trust in our protocol and the DeFi ecosystem.

TL;DR

  • Punk Protocol's primary concern is to compensate in full. 100%.
  • The recovered funds will be distributed immediately to all Fair Launch participants pro rata.
  • The remaining 45% of the loss will be compensated via the issuance of peUSD.
  • Reward and disclaimer

Instant Recovery: $4,954,252 (55%)

The biggest concern and most frequent question from the community is when and how the funds received from the white-hat hacker will be returned (1954192.544042759382372963 DAI + 3000059.381173 USDT).

During the Fair Launch, our servers recorded the transaction data, so we know exactly who participated. In preparing the recovery plan, our priority was that users understand it, that the damage is mitigated, and that user satisfaction is maximized.

Affected transactions: 93

Distinct wallet addresses (after combining duplicates): 73

The funds recovered from the white-hat hacker will be instantly distributed pro rata to the Fair Launch participants within 24 hours after this post.

(We are aware that the three pools hold different tokens and have different wallet addresses. Since all drained funds went to the same white-hat hacker, it is fairest to distribute the recovered funds at the same rate across all three pools. DAI, USDC, and USDT are all stablecoins worth 1 USD. Rather than swapping the recovered tokens to exactly match the type each user deposited, which would cost a 0.3% swap fee and add complexity and risk to the refund process, we will refund in the recovered tokens as they are.)

Extended Recovery Plan: $4,041,504 (45%) + 210,000 PUNK

Recovery of the remaining value, $4M, is the next priority after the 55% refund. Since this is no small amount, the following priority is to normalize the protocol and re-launch, so that it survives long term and regains its reliability.

Ideally, we would want to fully refund all of our users. But as a small market cap project with low fees and no treasury, this is quite tough for us now.

Nonetheless, even with our limited resources, we want to compensate in full while still pursuing our goals. After long hours of debate among contributors, we have settled on the following plan.

The compensation plan has two components:

1. peUSD — $4,041,504

Punk Protocol prioritizes reimbursement of the unreturned funds, $4,041,504. It may take some time to cover the full $4M, so in the meantime we will issue peUSD, a claim token that stands for the lost funds and entitles its holder to full reimbursement. peUSD represents exactly the amount of damage caused by the exploit: the sum of the tokens distributed under Instant Recovery and the DAI that peUSD can later be redeemed for equals the amount of stablecoins deposited in the Fair Launch. We will mint a fixed total of 4,041,504 peUSD as an ERC-20 token with no further issuance possible, allocated to each damaged wallet address according to its loss. In short, peUSD holders will be able to swap 1:1 for DAI from the <Recovery Fund>.

You can check the contract source code of peUSD and the address list with amounts here.

There are two ways we will fund the peUSD <Recovery Fund>.

1–1) Compensation via NFT Drop

Some of the contributors have been putting all their effort and Punky spirit into preparing an NFT project. A drop was originally planned for August 31st as a token of appreciation to Punk users. We have since pivoted the NFT project: it will now be run for profit, with all proceeds going to compensation.

A total of 10,000 collectibles based on 18 characters inspired by Cyberpunk 2077 will be issued and can be minted for 0.04 ETH each. If all are sold, that is approximately 400 ETH, roughly $1,200,000. All proceeds will be transferred to the <Recovery Fund> through the Fee Treasury, swapped to DAI, and paid out as reimbursement.

Reimbursing through NFT proceeds may not be the perfect plan, and the full proceeds cover only about 30% of the remaining loss. Nonetheless, it is the decision we reached after extensive discussion on what could help most, and most immediately, the users who have shown us faith and support. We hope to complete the compensation as swiftly as possible and will post the updated schedule on the community channels.

1–2) Punk Protocol Operation proceeds

The Service Fee and the Buyback Rate were the only cash flows in the existing version of the protocol. We believe that recovering the loss takes priority over increasing the deflationary effect of the token through buybacks. So we will fix our security vulnerabilities and fee mechanisms, get an audit, and then, once Saver V2 is released, accumulate both the Service Fee and the Buyback Rate into a single Fee Treasury and periodically move them into the <Recovery Fund>. All fees sent to the <Recovery Fund> are first swapped to DAI (18 decimals) so that deposits and withdrawals are calculated exactly and the likelihood of errors is reduced. DAI accumulated in the <Recovery Fund> can be claimed at any time by burning peUSD at a 1:1 ratio.

(Since many contributors are involved, we want to make clear in advance that fees will be accumulated into the fund except for some operating expenses. Please understand that without long-term growth and sufficient contribution from the contributors, a long-term compensation plan cannot work; all contributors are committed to solving this. Once the <Recovery Fund> contract reaches its target amount, the Fee Treasury will be operated in a fully decentralized manner through the DAO and governance.)
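The peUSD mechanism described above and in section 1 (a fixed-supply ERC-20 minted once to the damaged addresses, redeemable 1:1 for DAI held by the <Recovery Fund>) is easier to reason about in code. The following is an added illustration written for this page; it is not Punk Protocol's peUSD or <Recovery Fund> contract, and the contract, function and event names (`PeUSD`, `RecoveryFund`, `redeem`, `Redeemed`, `available`) are assumptions. It assumes DAI has 18 decimals, as the post states, so that 1 peUSD unit maps to 1 DAI unit without scaling.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example, not Punk Protocol's code. Shows the mechanics the
// post describes: a fixed-supply claim token minted once to the damaged
// addresses, and a fund that burns it 1:1 for DAI. Names are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Minimal fixed-supply ERC-20: the whole supply is minted in the
/// constructor and there is deliberately no mint function afterwards.
contract PeUSD {
    string public constant name = "peUSD";
    string public constant symbol = "peUSD";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    // holders/amounts: the damaged wallet addresses and their loss in DAI units.
    constructor(address[] memory holders, uint256[] memory amounts) {
        require(holders.length == amounts.length, "length mismatch");
        for (uint256 i = 0; i < holders.length; i++) {
            balanceOf[holders[i]] += amounts[i];
            totalSupply += amounts[i];
            emit Transfer(address(0), holders[i], amounts[i]);
        }
    }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        emit Approval(msg.sender, spender, amount);
        return true;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        _spendAllowance(from, msg.sender, amount);
        _move(from, to, amount);
        return true;
    }

    /// Burn `amount` from `from` using the caller's allowance (used by the fund).
    function burnFrom(address from, uint256 amount) external {
        _spendAllowance(from, msg.sender, amount);
        balanceOf[from] -= amount;   // reverts on underflow in Solidity 0.8
        totalSupply -= amount;
        emit Transfer(from, address(0), amount);
    }

    function _spendAllowance(address owner, address spender, uint256 amount) internal {
        uint256 allowed = allowance[owner][spender];
        require(allowed >= amount, "insufficient allowance");
        allowance[owner][spender] = allowed - amount;
    }

    function _move(address from, address to, uint256 amount) internal {
        require(to != address(0), "zero address");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }
}

/// Holds the DAI forwarded by the fee treasury and redeems peUSD 1:1 for it.
contract RecoveryFund {
    PeUSD public immutable peUSD;
    IERC20 public immutable dai;   // assumed 18 decimals, same as peUSD

    event Redeemed(address indexed holder, uint256 amount);

    constructor(PeUSD peUSD_, IERC20 dai_) {
        peUSD = peUSD_;
        dai = dai_;
    }

    /// Burns `amount` peUSD from the caller (who must have approved this
    /// contract) and pays out the same amount of DAI. Reverts if the fund
    /// has not yet accumulated enough DAI, so claims can be made at any time
    /// but only up to what has been funded so far.
    function redeem(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(dai.balanceOf(address(this)) >= amount, "fund not yet sufficient");
        peUSD.burnFrom(msg.sender, amount);                                // effect first
        require(dai.transfer(msg.sender, amount), "dai transfer failed");  // then interaction
        emit Redeemed(msg.sender, amount);
    }

    /// DAI currently available for redemption.
    function available() external view returns (uint256) {
        return dai.balanceOf(address(this));
    }
}
```

Two design points worth checking in any real implementation: the peUSD is burned before the DAI leaves the fund (checks-effects-interactions), so a reverting or re-entering transfer cannot leave a holder with both; and because the claim token has no mint function and its `totalSupply` only decreases, the fund's remaining obligation is always exactly `peUSD.totalSupply()`, which makes the "target amount" condition in the post a simple on-chain check.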

2. Punk Token Reward — 210,000 PUNK

As all participants already know, the value of the Punk Token was set at $20.

Since the token is not yet listed and we have been attacked, continuing with this price could be contentious. However, there must be clear criteria for compensating with tokens.

We announced an initial token value of $20 as a DeFi token that starts with a very small initial supply. Although the Fair Launch went ahead and the issue arose there, we still consider it reasonable for the token value to remain $20.

Dividing the remaining loss of $4,041,504 by $20 gives 202,075.2 PUNK to be rewarded. The reward originally planned for the Fair Launch, which was halted by the attack, amounts to 210,000 PUNK. Reusing that allocation, we will distribute PUNK in proportion to each address's share of the remaining loss.

The price of PUNK will be set by the market, so it may fluctuate and could even fall to zero. However, we have carefully designed the deflationary structure to give both long- and short-term users sufficient incentive to provide liquidity and, over time, to have a positive effect on the price.

  • 21M limited supply, mint disabled
  • 4yr halving cycle with Saver Reward
  • 20% Buyback of protocol revenue (It will work after the Recovery Plan is complete.)

Disclaimer: contributors' tokens frozen until full recovery.

The 3,150,000 PUNK (15% of total supply) previously allocated to the contributors will be frozen, with transfers disabled, until the <Recovery Fund> contract has accumulated the $4,041,504 targeted for recovery. We believe this is the best way to restore lost trust while we do our utmost to solve this problem and normalize the protocol.

The Path Forward

Security vulnerability fixes & Audit to move forward.

The code that caused the hack has already been fixed. The diagram shows the original code on the left and the fixed code on the right. We added two modifiers (onlyCreator, initializer) so that only the contract creator can invoke the Initialize function, and so that it can be called only once.

This applies not only to the CompoundModel contract: every contract containing Initialize code has been re-checked and modified. We have also added event emission for continuous monitoring. Please see the update and the full breakdown in the GitHub commit.

https://github.com/PunkFinance/punk.protocol/commit/142e4a78eff99e088d7d4b8f230eb89a9242e2a1
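To make the class of bug concrete, here is an added illustration of an unguarded initializer beside the guarded form described above. This is not Punk Protocol's CompoundModel code and is not taken from the linked commit; the contract names, state variables (`forge`, `token`) and the `Initialized` event are assumptions, and the two modifiers are written out inline rather than taken from a library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example, not Punk Protocol's code. Names are assumptions.

/// Vulnerable pattern: initialize() is externally callable by anyone and
/// has no once-only guard, so any caller can run it (again) and overwrite
/// the privileged address that withdraw() later trusts.
contract ModelUnguarded {
    address public forge;   // the one address allowed to move funds
    address public token;

    function initialize(address forge_, address token_) external {
        forge = forge_;
        token = token_;
    }

    function withdraw(address to, uint256 amount) external {
        require(msg.sender == forge, "not forge");
        // ... transfer `amount` of `token` to `to`
    }
}

/// Guarded pattern: record the creator at deployment, restrict initialize()
/// to the creator, and make it callable exactly once. An event records who
/// initialized the contract and with what, for monitoring.
contract ModelGuarded {
    address public immutable creator;
    bool private initialized;
    address public forge;
    address public token;

    event Initialized(address indexed by, address forge, address token);

    constructor() {
        creator = msg.sender;
    }

    modifier onlyCreator() {
        require(msg.sender == creator, "caller is not the creator");
        _;
    }

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;   // set before the body runs
        _;
    }

    function initialize(address forge_, address token_) external onlyCreator initializer {
        require(forge_ != address(0) && token_ != address(0), "zero address");
        forge = forge_;
        token = token_;
        emit Initialized(msg.sender, forge_, token_);
    }

    function withdraw(address to, uint256 amount) external {
        require(msg.sender == forge, "not forge");
        // ... transfer `amount` of `token` to `to`
    }
}
```

Two caveats a reviewer would raise. First, `initializer` on its own is not enough when deployment and initialization are separate transactions: anyone can front-run the first `initialize` call and become `forge`, which is exactly why the creator check is needed as well. Second, if the contract runs behind a delegatecall proxy, the `initialized` flag lives in the proxy's storage (as a state variable does) and must be checked there, while an `immutable` like `creator` is embedded in the implementation's bytecode and therefore identifies whoever deployed the implementation, which may or may not be the intended admin.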

We are continuing to extend the unit tests to cover every function and every reachable scenario in more detail, so that the same kind of event cannot recur.

In addition to the unit tests, we are implementing attack scenarios: tests that exercise the contracts the way an attacker would, to prepare for attacks carried out through other contracts.

Redistribution and normalization of code will take place after successfully completing current SmartContract security audits and vulnerability remediation.

ImmuneFi Bug Bounty

https://immunefi.com/

We came a long way to learn a painful truth: security is always the utmost priority in a DeFi protocol. To prevent incidents like the one Punk experienced, many DeFi protocols are audited by prominent firms. Yet it cannot be said that an audit lets a protocol rule out being hacked. The recent PolyNetwork incident, the largest loss to date at roughly $600M, proves this point.

Before the incident we were already hardening the protocol for audits while preparing to open the service, and we will continue with that work. Beyond the audit, to strengthen the protocol's security and operate it safely, we have decided that it needs careful, ongoing monitoring and examination by outside experts.

Through research, we came across ImmuneFi and are looking into using it as an additional layer of protection. We have contacted the team and are currently waiting for a response. ImmuneFi is a bug bounty platform focused on blockchain and smart contract security for DeFi protocols. It is open "to security researchers to discover and disclose potential vulnerabilities in projects' smart contracts and applications, thereby protecting projects and their users. For their good work, security researchers receive a reward as determined by the project affected." Once the proposal is accepted, a bug bounty for Punk Protocol will be available on ImmuneFi at all times, and any updates will be posted on the community channels.

Closing Remarks

Once again, we are genuinely sorry for this incident and sincerely apologize to all Punk users and supporters who have shown us such interest. We appreciate your continued support through these difficult times. The contributors will do everything in their power to ensure proper reimbursement and get the protocol back on its feet. We hope you will join us on the path to a swift and full recovery of Punk Protocol.

From,

All Contributors of Punk Protocol
