Feedback 104 (Survey): Remediation of Unlimited Allowance Exploit Losses

Abstract

RFP-XX (TBD) proposes the remediation of users who suffered asset drains due to leaving open unlimited approvals for the Radiant lending contracts on Arbitrum and BNB chains. These users were affected when hackers exploited and hijacked the lending contracts and drained users’ wallets with unlimited spending allowances. This proposal aims to structure a process similar to RFP-47 while excluding liquidation-related elements and adjusting the scope to reflect this specific class.

Motivation and Rationale

On October 16, 2024, Radiant suffered a sophisticated security breach, resulting in the loss of over $50 million in user deposits and the associated unclaimed locked dLP rewards (real yield from protocol fees). In addition to these losses, the hijacked lending contracts were able to drain funds directly from the wallets of users who had interacted with them in the past and had left open-ended unlimited allowances, which the hijacked contracts misused. While the team collaborates with security experts and law enforcement authorities to retrieve funds, a plan, if ratified, is necessary to start addressing this class of unlimited-allowance victims and restore confidence.

However, the DAO must acknowledge that managing approvals is ultimately the user’s responsibility. Approvals can be granted, revoked, and modified at any time. While Radiant’s use of unlimited approvals may be subject to criticism, it was industry standard at the time, only recently seeing a shift away from this practice. Therefore, this proposal must recognize this context and distinguish between depositors and users who left unlimited approvals open-ended. Reflecting these differences is essential to ensuring fairness across the entire protocol.
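The exploit class this proposal addresses comes down to ERC-20 allowance semantics: an unlimited approval granted to a lending contract stays valid until the user changes it, so a later compromise of that contract can move whatever balance the wallet still holds. The toy model below is an added illustration, not Radiant's code; it reproduces the standard approve/transferFrom rules (including the convention that a max-uint allowance is never decremented), reports the exposure a wallet audit should flag, and shows how a revoked or exactly-sized approval bounds the loss. Wallet names and amounts are constructed.

```python
"""Toy ERC-20 allowance model, added here as an illustration; it is not Radiant
code. It shows why an open unlimited allowance lets a spender contract move a
wallet's tokens at any later time, and how revoking or bounding the approval
limits that exposure. Names and amounts are constructed."""
from dataclasses import dataclass, field

MAX_UINT256 = 2**256 - 1  # the usual "unlimited" allowance value


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        """spender moves `amount` of owner's tokens, subject to ERC-20 rules."""
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("insufficient allowance")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Common ERC-20 implementations leave a max-uint allowance untouched, so
        # an unlimited approval survives any number of transfers.
        if allowed != MAX_UINT256:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token: Token, owner: str, spender: str) -> int:
    """Amount the spender could move right now: min(balance, allowance).
    This is the figure a wallet allowance audit should report per open approval."""
    return min(token.balances.get(owner, 0), token.allowance(owner, spender))


def remaining_after_compromise(approval: int, revoke_first: bool) -> int:
    """Wallet holds 1000, deposits 100 through a lending contract, then the
    contract is hijacked and pulls whatever it is still allowed to."""
    t = Token(balances={"wallet": 1_000})
    t.approve("wallet", "lending", approval)
    t.transfer_from("lending", "wallet", "lending", 100)  # legitimate deposit
    if revoke_first:
        t.approve("wallet", "lending", 0)  # revoke: allowance back to zero
    pull = exposure(t, "wallet", "lending")
    if pull:
        t.transfer_from("lending", "wallet", "drain", pull)
    return t.balances["wallet"]


if __name__ == "__main__":
    print("unlimited, not revoked:", remaining_after_compromise(MAX_UINT256, False))
    print("unlimited, revoked    :", remaining_after_compromise(MAX_UINT256, True))
    print("exact-amount approval :", remaining_after_compromise(100, False))
```

The three runs give 0, 900 and 900 remaining: the only case that loses the whole balance is the unlimited approval left open after the deposit. The `exposure` check is the number worth surfacing to users, since an allowance by itself says nothing until it is compared with what the wallet currently holds.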

Remediation Goals

  • Keep a record of losses for 2024 and 2025.

  • Design claim contracts if voted for.

  • Deploy Unlimited Allowances Claim Contracts in the Remediation Portal if voted for.

  • Scope of remediation:
    The Radiant DAO, its partners, contracted security experts, law enforcement agencies, and many media outlets have done their persistent and level best since the hack date to keep the community and the public informed of the root causes, the progress made, and the immediate and necessary steps to address the risk of loss related to the use of the unlimited allowance function of crypto wallets. Since the DAO cannot ask the community to ratify an open-ended scope of remediation, RFP-XX proposes limiting that scope to a rather reasonable 76 days, from October 16, 2024 (hack date) to December 31, 2024. The process would then be repeated for the full year of 2025. The current data analysis scoped the 2024 exposure at $7.7M and the Q1 2025 exposure at $1.2M as of 3/31/25. The prevailing community sentiment regarding the potential remediation for this exploit is that it has lower priority than the exploit of depositors. Perhaps offering a 30% discount for 2024 losses and a 60% discount for 2025 losses could attract enough votes for passage. If approved, remediation for this exploit group will commence after depositors are fully remediated as per RFP-47 and RFP-49.

Key Terms

Claim Contract: A claim contract is a smart contract that allows users to securely claim assets or funds under predefined conditions.

Remediation Share: A remediation share in a claim contract represents a user’s proportional entitlement to the total amount of assets drained from users’ wallets based on their claim in %.


Specifications

Radiant would deploy dedicated claim contracts on Arbitrum, enabling users to withdraw coins as the contracts are progressively recapitalized. If approved, remediation for this exploit group will commence after depositors are fully remediated as per RFP-47 and RFP-49.

Token Distribution

  • Impacted users would receive a %-based share on a 1:1 basis following a Token merge process described below.
  • Each claim contract has its own set of %-based shares.

Token Merges

To simplify the remediation effort and keep the number of claim contracts to a minimum, different assets will be merged into a single stablecoin.

Conversion Prices

The conversion price will be the Volume Weighted Average Price (VWAP) for the given remediation period. The conversion will take place on the conversion effective date.

Withdrawal Mechanism

  • The Remediation Claim Contract would issue a %-based allocation based on the final tally of token merges.
  • Capital injections would occur in multiple phases, and after each phase, the claim contract will allow users to withdraw assets proportionally to their share.

Dust

  1. Prior to merges, all balances below $1 will be classified as dust and set to zero. In these cases, balances under $1 are always treated as dust to simplify remediation efforts, reduce complexity, and streamline the process.
  2. After merges, all balances below $10 will be classified as dust and set to zero. Retaining balances under $10 in the claim contracts would be gas-inefficient, as claims are repaid incrementally in small chunks. Balances below $10 would incur gas costs higher than the payouts received at each stage.
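The Token Distribution, Token Merges, Conversion Prices, Withdrawal Mechanism and Dust sections together describe one accounting procedure. The model below is added here as an illustration and is not Radiant's contract code: it applies the pre-merge $1 dust rule per token, converts each wallet's drained tokens into a single stablecoin at a VWAP price, applies the proposed discount, applies the post-merge $10 dust rule, and then pays out phased capital injections in proportion to each wallet's share with a pull-payment ledger. Wallets, token amounts and VWAP prices are constructed; applying the discount before the post-merge dust rule is an assumption, since the proposal does not state the order.

```python
"""Accounting model of the remediation claim contract, added as an illustration
(not Radiant's contract code). Applies the two dust rules, merges drained tokens
into one stablecoin at a VWAP price, applies the discount, and pays out phased
injections pro rata. Wallets, prices and amounts are constructed; applying the
discount before the post-merge dust rule is an assumption."""
from decimal import Decimal

PRE_MERGE_DUST = Decimal("1")    # per-token value under $1 is zeroed before merging
POST_MERGE_DUST = Decimal("10")  # merged claim under $10 is zeroed

# Constructed sample: drained token amounts per wallet, and VWAP prices in the
# stablecoin for the remediation period.
LOSSES = {
    "alice": {"WETH": Decimal("2"), "USDC": Decimal("500"), "ARB": Decimal("0.5")},
    "bob":   {"USDC": Decimal("20")},
    "carol": {"WBTC": Decimal("0.0001")},
}
VWAP = {"WETH": Decimal("2500"), "USDC": Decimal("1"),
        "ARB": Decimal("1.6"), "WBTC": Decimal("60000")}


def merge_claims(losses, vwap, discount):
    """Return {wallet: stablecoin claim} after dust rules, merge and discount."""
    claims = {}
    for wallet, holdings in losses.items():
        merged = Decimal(0)
        for token, amount in holdings.items():
            value = amount * vwap[token]
            if value < PRE_MERGE_DUST:       # rule 1: per-token dust is dropped
                continue
            merged += value
        merged *= Decimal(1) - discount      # assumed ordering: discount first
        if merged < POST_MERGE_DUST:         # rule 2: post-merge dust is dropped
            continue
        claims[wallet] = merged
    return claims


class ClaimContract:
    """Pull-payment ledger: each wallet may withdraw its share of everything
    injected so far, minus what it has already withdrawn."""

    def __init__(self, claims):
        self.claims = dict(claims)
        self.total = sum(claims.values())
        self.funded = Decimal(0)
        self.withdrawn = {w: Decimal(0) for w in claims}

    def share(self, wallet):
        """%-based share as a fraction of the merged total."""
        return self.claims.get(wallet, Decimal(0)) / self.total

    def inject(self, amount):
        """One recapitalization phase."""
        self.funded += amount

    def claimable(self, wallet):
        if wallet not in self.claims:
            return Decimal(0)
        entitled = self.funded * self.claims[wallet] / self.total
        return entitled - self.withdrawn[wallet]

    def withdraw(self, wallet):
        amount = self.claimable(wallet)
        if amount > 0:
            self.withdrawn[wallet] += amount
        return amount


def run_phases(discount=Decimal("0.30"), phases=(Decimal("386.4"), Decimal("1932"))):
    """Simulate phased recapitalization; returns per-phase withdrawals."""
    contract = ClaimContract(merge_claims(LOSSES, VWAP, discount))
    history = []
    for amount in phases:
        contract.inject(amount)
        history.append({w: contract.withdraw(w) for w in ("alice", "bob", "carol")})
    return history


if __name__ == "__main__":
    print(merge_claims(LOSSES, VWAP, Decimal("0.30")))
    for i, phase in enumerate(run_phases(), 1):
        print(f"phase {i}: {phase}")
```

With the sample data, alice's 0.5 ARB ($0.80) is dropped by the first dust rule, carol's $6 of WBTC survives it but falls under $10 after the 30% discount and is dropped by the second, and the two remaining claims ($3,850 and $14) receive every injection in a 3850:14 ratio. Decimal is used deliberately; a production contract works in integer token units, and the same pro rata arithmetic should be done in integers with explicit rounding so that phased withdrawals never sum to more than what was injected.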

Remediation Claim Contracts

This proposal involves merging assets into a single stablecoin.

Repayment Schedule

Repayment could take many years. The Radiant DAO will make its best effort while balancing financial stability and ensuring ongoing operations. The repayment timeline would depend on various factors, including available resources, future revenue streams, and the outcome of this proposal. The Radiant DAO is committed to maintaining transparency throughout this process and will provide regular updates to all stakeholders regarding progress and any changes to the repayment schedule.

Remediation Portal

An easy-to-use interface will be provided to hack victims to review and verify on-chain information, and follow the remediation process and status.

Remediation Portal Deployment Phases

Phase 1: A view-only UI, where users can check their balances by copy-pasting their wallet address into a field. After copy-pasting the user’s wallet address, the following is available:

  • See their post-merge balances.

Phase 2: Claim contracts will become available.

  • Wallet connection will be enabled
  • Claim contracts will be deployed and will be available in the Remediation Portal.

Hacked Fund Recovery

If hacked funds are partially recovered, the coins will be returned proportionally, based on contract TVL, into the RFP-47 claim contracts.

If sufficient hacked funds are recovered, the claim contracts outlined in this RFP will be repaid next. Any remaining funds will be held in reserve to address additional losses as specified in this Unlimited Approvals Exploit RFP. Regardless of whether you are part of the RFP-47 Claim Contract group or the Unlimited Approvals Exploit Victims group, the recovered coins from the hack will be returned to all users in sequence, to the maximum of their pre-hack balances minus any amounts already distributed or voted upon.

Steps to Implement

User Asset Database

  • Generate a snapshot of users’ wallet assets drained by the hijacked lending contracts on Arbitrum and BNB Chain for the years 2024 and 2025, based on the timestamp/block after the last legitimate (non-hack) transaction.
  • Develop a methodology to ensure 100% data accuracy.
  • Build a Web2 database from the snapshot.

Then, depending on the vote:

  • Merge all tokens into a stablecoin based on the merge logic.
  • Develop an off-chain user interface (UI) that allows individuals to verify their claims, show pre- and post-merge assets, and show pricing data.

Contract Deployment

  • Deploy claim contracts on Arbitrum.
  • Add the ‘Unlimited Allowance Remediation Contracts’ to the Radiant Remediation Portal.

Cost Analysis

  • Build, test, audit, and deploy new Remediation Portal.
  • Build, test, audit, and deploy new claim contracts.
  • Cover ongoing costs for management, support, and infrastructure.

Survey

This survey is a temp-check during the proposal’s ideation phase for further community feedback. It is intended to further inform the proposal working group, but it is not a binding decision in and of itself. The eventual on-chain/snapshot vote on the proposal by the community will officially settle this question.

Also, what if partners do not contribute to the remediation effort? If partners are unable or unwilling to contribute their share, that portion will remain unremediated.

Please select one (1) option

Poll lasts 4 weeks and ends June 9, 2025 12:00:00 UTC.

  • (A) Create Remediation Claim Contracts for the Unlimited Approvals User Group for 2024 (30% discount) and 2025 (60% discount). Partners and the DAO should contribute up to 100% funding combined.
  • (B) Create Remediation Claim Contracts for the Unlimited Approvals User Group for 2024 (30% discount) and 2025 (60% discount). The DAO should contribute up to 50% funding while partners contribute the remaining 50%.
  • (C) Create Remediation Claim Contracts for the Unlimited Approvals User Group for 2024 (30% discount) and 2025 (60% discount). Solicit partners for 100% support, but the DAO itself should NOT contribute funds.
  • (D) Create Remediation Claim Contracts for the Unlimited Approvals User Group for 2024 (30% discount) and 2025 (60% discount). But partners and the DAO itself should NOT contribute funds.
  • (E) DO NOT create Remediation Claim Contracts for the Unlimited Approvals User Group.

I think it’s a good idea with a discount,
since this way there is a greater chance of at least some compensation for the victims. I believe that everyone, as one team, should work 50/50, DAO and partners.

1 Like

I lost $2000 on October 24, 2024, I believe in your honesty and responsiveness!

2 Likes

I lost $1300 during the hack. Hopefully it will take less than “several years” to get them back.

I was affected by the exploit in 2024 and lost $13,000 due to unlimited approvals.

I appreciate the DAO’s efforts to support impacted users through remediation contracts.

Given the scale of the initial exploit and its ongoing impact, I hope that the DAO and partners will reconsider the level of compensation for 2024 and explore the possibility of increasing support for affected users.

I think that, in the unlikely case we get this money, there are at least 3 different categories

A) users losing money at time of exploit, or 12h later tops where it was just everywhere
B) users losing money in the upcoming MONTH, and I’ve been kind, cause well, you were AFK on X, on website, on everywhere
C) Later than B

And there is a clear difference. A has 0 fault. B was a bit distant from reality. C is straightforwardly asking for money.

Fun fact: B and C might be counterexploited by the hacker losing his money to himself and asking for some back

Therefore, the only plan that makes sense is:

A) 90-100%. Even a 10% discount is a lot in an unavoidable situation
B) 30% Protocol can’t be responsible if you didn’t read anywhere
C) 0%

Oh, and I would settle dust at <$10 for single tokens and <$100 in total, because the microtransactors losing $3-4 don’t make any sense in the big scheme of things

3 Likes

Voting does not take into account decisions that have already been made. A single token will be created. Without voting. Discount 30%? Without voting.