Reimburse Kashi Depositors

Summary
I recently lost around $4000 because of Kashi. I'm not a developer, but from what I've been told by the Sushi devs in Discord, someone exploited the oracle to borrow so that the collateral is worth less than the amount lent. To quote Maka:

Ok. Looks like this one was hit by someone exploiting the lack of anyone updating the price. I think here: Ethereum Transaction Hash (Txhash) Details | Etherscan
By my math it's $50.7566718156 collateral, $5657.970711 lent out.

I assume there are others that lost in Kashi too. Total losses are probably over 20k but less than 30k. Kashi advertised high APRs, and the specific pool I lent to was exploited 90 days ago, but I deposited 30 days ago. So basically an MLM where my deposit was used to make the person who lost money whole. There was a green dot and the Sushi website said healthy, so there was no indication to depositors that there was any issue. Sushi was aware that there were issues with Kashi and later moved to close Kashi down, but unfortunately this was done too late to save me.

Abstract

My proposal is to reimburse losses from the Sushi treasury. I can understand why people would be against this if it was millions, but given that it's a minimal amount this can be done relatively cheaply. Set up a fund of say $50,000 and reimburse users who submit requests until it runs out, on a first-come, first-served basis, up to $10k each.

Motivation

Motivation for Sushi doing this would be to reimburse losses that occurred to users of Sushiswap. I've seen some say it's the lender's responsibility to keep the oracle updated, but given that Sushi gets a % cut of Kashi profits and knowingly kept hacked Kashi pools online for months, I would say Sushi bears some responsibility. It is cheap advertising compared to what is currently spent on advertising, avoids bad publicity and avoids diminishing Sushi's reputation. Quite a bit less than Quickswap reimbursed when it got its frontend hacked. It also helps avoid a lawsuit.

Specification

I've been told this can be taken from the treasury, but I will leave it to someone else to specify how, as I don't know.

For

Do this and pretty much everyone’s happy.

Against

Don’t do this and there will be a lot of people unhappy. Also when Sushi comes out with new projects people won’t trust them.

Poll

  • option one Reimburse Kashi Losses ($50k Total)
  • option two Don’t Reimburse Kashi Losses
  • option three Reimburse Kashi Losses (No Limit on Amount)

0 voters

3 Likes

That is horrible, and I hope it is made back quickly.

As a rule (and as I think necessary to protect protocols from dual exploitation) I have always supported responsibility for use of a decentralised contract as falling on the user of it.
The exploitation was of a feature that exists by design, and for which responsibility for keeping the price updated is labelled in the docs as falling on the lender.

So I don't think it can be expected or that it should set any precedent. But from a humane perspective, I know people don't read every page of a doc, and in practice it was a bad UX for many. So if feasible (I think the number is quite a bit higher) it would be an amazing gesture that would reflect well.

Would need total numbers, as any pool could potentially be affected, and there was a period when people could create a wide variety of markets.
Which leads back to the point of dual exploitation, and how much Sushi should be expected to pay out if a random market is created, the creator lends to it and then never updates the price. Or worse still an attacker lends to a market, exploits it and is able to claim as victim also.
Should things like that fall on a protocol, could they without crushing it?

So I think there is a fair debate to be had on viability of such a gesture.

Will look into getting the numbers. Much love

3 Likes

I have different feelings about this. When an exploit happens on a product Sushi profits from/promotes, that generally means Sushi bears some responsibility. Especially when Lend was a key product of Sushi, not someone else. In addition, after the exploit happened Sushi kept the product open, luring in unsuspecting victims so those who actually lost money could be made whole from their funds. Sushi then closed the product later, so those lured in couldn't be made whole from more unsuspecting victims. I wasn't the one exploited by this hack; I was exploited 60 days later by the people who lost to this. And Sushi lured me in with an attractive APR and a green dot saying it's healthy. I would guess that Sushi knew there were pools on Kashi that had been hacked but kept them up on the v1 website; it just didn't add them to v2.

If as you say Sushi bears no responsibility, why did it not keep Kashi on v2 (and instead keep it up on v1) and why did it close Kashi 90 days after this hack? Even if you argue that Sushi bears no responsibility for the original hack, it definitely is responsible for not taking action after the hack such that the people hacked were recompensed by new victims that Sushi brought in with advertising.

A great example is Hodlnaut, who after the Terra crash, instead of taking slow action like Celsius, deliberately lured in victims for months so that the owners/big investors/employees could be reimbursed by new victims and withdraw.

Obviously that raises the question of whether any Sushi members had funds in Kashi and if that's why the pools were left open so long, so that unsuspecting victims could come in and reimburse them. It would make sense that the members responsible for monitoring Kashi had money in it. I'd prefer we didn't have to ask that question though, as it leads to a lot of negatives.

2 Likes

Every market is subject to that risk by design; the risk is only increased by deprecation through lack of interactions, potential price updates and a reduction of available liquidity as people look to exit.
Sushi didn't make money from Kashi, and it wouldn't be a risk to devs or anyone understanding how the system worked, as they would just keep the market updated.
It’s the difference in the exploit of a bug vs a feature.
There’s no good reason to “lure people in”, but even after locking down deposits through UI many still use direct contract interaction.
Sushi would benefit from people not using it, as it was operated at a loss independent of any oracle exploit and so was left out of v2.

Should also clarify that I am community support, and not a developer.

The UI was only recently locked; the exploit happened 90 days ago and I deposited 60 days later using the UI.

Sushi may have operated it at a loss, but it was built to make a profit and Sushi took a fee from it. Just because a product is a failure doesn’t make the company not responsible for it.

And I suspect that members of Sushi knew that the Kashi pools had been exploited and kept them up. I enjoy Sushiswap and have been using it for years (and I am semi-active on the Discord), so I'm disappointed at that. To be clear, I wasn't the one who suffered from the hack; I'm the one that suffered because Sushi was negligent in leaving a hacked pool up that they advertised as safe. The person who was hacked was reimbursed by me.

I would argue that Sushi has an absolute duty to respond as soon as possible when a hack occurs to prevent further losses. I think every person who uses Sushi would agree with this. Is anyone going to support the opinion that Sushi should be allowed to ignore when hacks happen and allow further victims?

2 Likes

Hey, appreciate the patience. Hoped one of the professional data analysts might have jumped in, but I and another support member have attempted to approximate.
Looked across ETH, Polygon, Arb and BSC, as others seem unaffected. Tested for where collateral value is less than borrowed value, and also where collateral value is less than asset value (in some cases total asset is less than borrowed due to accumulated interest).
Took the lowest in cases where negative, and summed those.
There was a lot of data, so we wanted to do it independently and compare results. But we both got approx. around $300k, about $340k at current prices, mainly on Ethereum.

I don’t know what opinion would be on trying to cover that total.
Am happy to have my numbers or working out checked by anyone with bandwidth for that, but hopefully this can help inform a decision.
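The opening post describes the mechanism (nobody pushing a fresh price, so the contract keeps judging collateral at a stale value while the UI shows a green dot), and the post above describes how support approximated the losses (collateral value below what is borrowed, worst case per market, summed). The script below is an added example written for this thread; it is not code from Sushi, Kashi or any poster. It assumes a simplified Kashi-style market where `borrowed` already includes accrued interest, a 75% loan-to-value ratio, and a one-day oracle freshness threshold; the market figures are constructed. It runs the stale-oracle check and the shortfall tally over those constructed markets and shows how a market can look solvent at the last pushed price while being deeply underwater at the current price.

```python
"""Stale-oracle audit over constructed Kashi-style lending markets.

The contract only knows the price that was last pushed on-chain. If nobody
pushes an update, its solvency view (and any UI that mirrors it) goes stale.
A defender's check therefore needs an independent current price plus the age
of the last push. All data below is constructed for illustration.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400
MAX_ORACLE_AGE = 1 * SECONDS_PER_DAY   # assumed freshness threshold
LTV = 0.75                             # assumed maximum loan-to-value ratio


@dataclass(frozen=True)
class Market:
    name: str
    collateral: float      # collateral tokens locked by borrowers
    borrowed: float        # asset tokens owed, accrued interest included
    oracle_price: float    # last price pushed on-chain (asset per collateral)
    current_price: float   # price from an independent source, right now
    last_update: int       # unix time of the last on-chain price push


def is_stale(m: Market, now: int, max_age: int = MAX_ORACLE_AGE) -> bool:
    """True when the pushed price is older than the freshness threshold."""
    return now - m.last_update > max_age


def appears_solvent(m: Market) -> bool:
    """The contract's view: collateral valued at the stale pushed price."""
    return m.collateral * m.oracle_price * LTV >= m.borrowed


def shortfall(m: Market) -> float:
    """Asset tokens lenders cannot recover at the current price (0 if none)."""
    if m.borrowed == 0:
        return 0.0
    return max(0.0, m.borrowed - m.collateral * m.current_price)


def audit(markets, now: int):
    """Per-market findings plus the summed shortfall across all markets."""
    findings = []
    total = 0.0
    for m in markets:
        s = shortfall(m)
        total += s
        findings.append({
            "market": m.name,
            "stale_oracle": is_stale(m, now),
            "appears_solvent": appears_solvent(m),
            "shortfall": round(s, 2),
        })
    return findings, round(total, 2)


# Constructed sample: NOW and every market below are made up.
NOW = 1_700_000_000
SAMPLE_MARKETS = [
    # Price pushed 90 days ago; looks solvent on-chain, underwater in reality.
    Market("TOKA/STABLE", 1000.0, 4500.0, 8.0, 0.05, NOW - 90 * SECONDS_PER_DAY),
    # Fresh price, properly collateralised.
    Market("TOKB/STABLE", 100.0, 500.0, 10.0, 10.2, NOW - 3600),
    # Stale but nothing borrowed, so no shortfall.
    Market("TOKC/STABLE", 0.0, 0.0, 1.0, 1.0, NOW - 200 * SECONDS_PER_DAY),
    # Three days stale, partially underwater after a price drop.
    Market("TOKD/STABLE", 2000.0, 1200.0, 1.0, 0.5, NOW - 3 * SECONDS_PER_DAY),
]

if __name__ == "__main__":
    rows, total = audit(SAMPLE_MARKETS, NOW)
    for r in rows:
        print(r)
    print("total shortfall:", total)
```

The first market is the pattern the thread describes: `appears_solvent` is true because the contract still values the collateral at the old price, while `shortfall` shows lenders are owed far more than the collateral is now worth. Flagging `stale_oracle` independently of solvency is the useful monitoring signal, since a stale price precedes the loss.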

Jesus and I’m the only one who bothered to ask for it back…

2 Likes

There’s 2 or 3 tickets open currently, asking for resolution. But I think you are the only one to make a proposal.

I have opened tickets to contact a mod several times from October 2022 to the end of November 2022. My tickets have always been closed with an uncertain answer.

1 Like

You are not alone… :cry:
I have been waiting about three months or more. But I can't do anything about it…

1 Like

Will there be a vote soon? I’m holding off on a lawsuit and a police report because I was hoping the suggested process would work. I don’t feel comfortable holding off much longer.

Was hoping it would be touched on during the forum call this week, but it was cancelled.
I don't understand the legal recourse of losing funds to a decentralized contract that is use-at-own-risk, though I am not a lawyer. I think a DAO vote is possibly the most likely chance and the most respectful way of handling it. But it would have to be put up for that.

I understand the team's position. I hope you can convey the urgency of the matter to the operations team and speed up the progress of this proposal.

Thanks a lot. I really need this help

2 Likes

I’m also impacted by this. Another vote here for Sushi bearing responsibility to reimburse.

(At the very least, need a way to zero out the deposit so that we can report a loss on taxes. Obviously full reimbursement is highly preferred.)

1 Like

I mean it's shit that I have to sue over this, but I'm being forced to. I've been more than patient. As Canada doesn't recognize a DAO (good luck telling a judge you can profit off a business without being responsible) I will be suing the developers and employees of Sushi who are public. I'm basically going to look up every developer on your GitHub/organization and name them. Since there is no corporate entity I can find, I'm not restricted from suing in Canada unless I am missing something? Canada will likely view this as an informal partnership as you haven't incorporated.

You may feel that Sushi isn't responsible, but given that you released and maintained code you knew was faulty and then encouraged people to use it while profiting off it, I suspect a judge will have a different opinion. I assume once I sue, your employees' insurance will pay out rather than go to court, but I guess we will see. Good luck telling a judge that you were knowingly exploited but you waited over a month to do anything because "we're not responsible!".

I'm going to wait until next week to file. Let me know if you guys start taking this seriously. I'll post the list of people I name here, along with their mail/email addresses, so that others may do so too in their own nations.

I'm not invested in this situation, but I'd suggest you refrain from doxxing people if you want to lead a civil discussion; otherwise I'll be forced to block you.

I agree that rational discussion is necessary.

My comments are as follows.
I reported it in November 2022 and the related discussion was closed.
Sadly, cryptocurrency-related disputes are not accepted in my country, so I can only passively wait; until now I feel disheartened.
I used to believe that the team would have a discussion and make a proposal soon.
Maybe taking this as a lesson would be a better option for me.

Kashi closed passively in December 2022.
Bigger attacks happened in February 2022.

2022-11-11 7:09:59 UTC+0 Fei/xSUSHI

2023-02-09 21:55:59 UTC+0 USDC/xSUSHI

2023-02-09 22:33:11 UTC+0 USDT/xSUSHI

medium
blocksecteam 2022.12.15

twitter
AnciliaInc 2022.02.10

BoringCrypto 2022.12.16

phalcon 2022-11-08 23:28:11 (UTC+0)

Lol suing over $4000? Your lawyer’s billable fees alone might exceed that xD

I am not "Sushi"; I am a community support member and DAO contributor. My position is one of protecting DAOs more broadly from abuse. Would love to see people repaid as a gesture, if feasible. But in no way can it be expected.

Using software provided as is, I am sure the MIT and GPL licenses used have protections for that specifically:
[two images attached]

1 Like

The following evidence shows that the illegal funds withdrawn by the user were remitted to the exchange, and there is suspicion of money laundering.

I hope the exchange will take further action. I also don't think we can put all the blame on Sushi; we should brainstorm and come up with an appropriate solution instead of being emotional.

1 Like