PIP-75 - Fund request from a user claiming losses due to the March 2024 AugustusV6 vulnerability

Voting ended about 1 month agoDefeated

PIP-75 - Fund request from a user claiming losses due to the March 2024 AugustusV6 vulnerability

Abstract

This proposal is submitted by the GTF with the purpose of establishing a clear precedent for any similar claims that may arise in the future.

In this post, a user alleges to have been affected by the Velora (formerly ParaSwap) AugustusV6 vulnerability from March 2024 and is requesting that the DAO refund 20,107.8 USDC allegedly drained from their wallet as a result of that incident.

The DAO is asked to decide whether to approve the request and transfer the requested funds, or to reject the request and transfer no funds.

The DAO’s decision will set a precedent for future requests like these:

If the proposal is approved, similar future requests may be submitted and will need to be evaluated individually.
If the proposal is rejected, similar future requests will not be considered, based on the precedent established here.

Goals & Review

Case Context

A user has made a fund request in the Velora forum, reporting being affected by the AugustusV6 contract vulnerability identified in March 2024. According to this user, after performing a legitimate swap using the platform, a residual approval linked to that exploit remained active.

On October 6th, 2025, this approval was leveraged by a third party to drain 20,107.8 USDC from his wallet (0x05808Cf9F8aAcFD6a2c2A879326593644F9a339e). The user asserts that the loss occurred without any negligence on his part and resulted directly from the protocol-level vulnerability.

Previous Steps Taken

After discovering the incident, the user contacted the Velora support team. He was informed that an on-chain message had been sent to the attacker without receiving a response, and that the PEP-07 - Grant Request From the ParaSwap Foundation Regarding March 20th Vulnerability, previously used to compensate similar cases arising from the same vulnerability, has already been depleted. See here de post-mortem report.

He was also told that requesting reimbursement now requires submitting a formal DAO proposal; however, the user does not hold the 100,000 VLR tokens required to initiate such a submission.

Request

Given the circumstances, the user is requesting that a community member with the required voting power submit a proposal on his behalf, enabling the DAO to evaluate reimbursing the funds lost, following the precedent established in earlier cases related to the same vulnerability. The GTF, in our role as DAO coordinators, will proceed to resubmit the proposal in order to comply with the requirements of PIP-57 - PIP Lifecycle Improvements

Ampliation

The AugustusV6 vulnerability affecting Velora (formerly ParaSwap) was identified in March 2024 and promptly addressed: the system was paused, the issue was fixed, and the exposure window lasted roughly 48 hours. During that period, ParaSwap proactively notified affected users through multiple channels, including Twitter alerts (see here, here and here), NFT notifications to users, and coverage from ecosystem media outlets (see here and here as an example).

A white-hat hacker assisted in recovering a significant portion of the stolen funds. The remaining unrecovered amount, approximately $340,000, led to the PEP-07 proposal in April 2024, which the DAO approved with nearly 97% support to compensate impacted users through DAO funds. ParaSwap publicly communicated these actions (see here), and it was alsocovered by various media (see here and here). The process concluded with a claim procedure and a comprehensive post-mortem report.

Implications of the DAO’s Decision – Precedent for Potential Future Requests

The DAO’s decision will set a precedent for future requests of this nature:

If the proposal is approved, similar future funds requests may be submitted and will need to be evaluated on a case-by-case basis.
If the proposal is rejected, similar future requests will not be considered, based on the precedent established here.

Means:

This proposal does not require any additional Velora, external product or development.

Implementation Overview:

If the proposal is approved, the DAO will transfer 20,107.8 USDC to the claimant, who must first provide the wallet address where the funds should be sent.
If the proposal is rejected, no action will be taken by the DAO.

Time of Implementation

If the proposal is approved, the funds will be transferred immediately, within the time required to prepare the transaction (including, if necessary, performing a swap to secure the required USDC) and to obtain the necessary signatures from the DAO multisig signers.

Budget

The budget for this proposal is 20,107.8 USDC, which corresponds to the amount requested by the user. No additional costs will be incurred.

Risk Assessment:

Arguments for voting in favor - Pros:

The AugustusV6 vulnerability was real and publicly documented, and the user’s loss resulted directly from that protocol-level flaw.
There is a DAO precedent: in 2024 the DAO approved in PEP-07 a compensation program for users impacted by the same vulnerability.
The user acted in good faith and with no negligence; the loss occurred through normal use of the platform, strengthening the legitimacy of the claim.
Granting compensation in this case would represent an act of responsibility from Velora and the DAO, reinforcing the protocol’s core values of protecting its users and responding fairly when damage originates from a protocol vulnerability.

Arguments for voting against - Cons

ParaSwap/Velora acted quickly and transparently during the incident, issued multiple alerts on Twitter, sent NFT notifications to affected wallets, and the incident was widely covered by ecosystem media.
The PEP-07 compensation fund used in 2024 is now fully depleted.
The vulnerability exploit occurred over 18 months ago, and ParaSwap/Velora fully communicated both the incident and the claims process throughout that period.
The user, unfortunately, remained unaware of this widely shared information and only engaged with the affected approval much later, resulting in the loss.
Web3 provides decentralization, user empowerment, and true ownership, but it also requires users to be more informed, responsible, and proactive compared to TradFi. Staying reasonably informed is part of the responsibility of Web3 self-custody; it does not require constant monitoring, but basic awareness of major ecosystem events is expected.
The event cannot remain open indefinitely: Approving compensation beyond the original window could establish precedent and potentially generate open-ended liability for the DAO, affecting future governance decisions, and introducing a significant financial risk for the DAO.
Refunding this case could create another dangerous precedent: Malicious actors who approved the vulnerable contract in 2024 could intentionally “self-hack” today by performing a transaction now, move their own funds to another wallet by exploiting the vulnerability, and request refunds from the DAO.

Off-Chain Vote

For

15.46M VLR3.5%

Against

426.76M VLR96.5%

Abstain

103.42K VLR0%

Quorum:491%

Download mobile app to vote

Discussion

PIP-75 - Fund request from a user claiming losses due to the March 2024 AugustusV6 vulnerability

Timeline

Dec 18, 2025Proposal created

Dec 18, 2025Proposal vote started

Dec 23, 2025Proposal vote ended

Jan 27, 2026Proposal updated

PIP-75 - Fund request from a user claiming losses due to the March 2024 AugustusV6 vulnerability

Abstract

This proposal is submitted by the GTF with the purpose of establishing a clear precedent for any similar claims that may arise in the future.

The DAO is asked to decide whether to approve the request and transfer the requested funds, or to reject the request and transfer no funds.

The DAO’s decision will set a precedent for future requests like these:

If the proposal is approved, similar future requests may be submitted and will need to be evaluated individually.
If the proposal is rejected, similar future requests will not be considered, based on the precedent established here.

Goals & Review

Case Context

Previous Steps Taken

He was also told that requesting reimbursement now requires submitting a formal DAO proposal; however, the user does not hold the 100,000 VLR tokens required to initiate such a submission.

Request

Ampliation

Implications of the DAO’s Decision – Precedent for Potential Future Requests

The DAO’s decision will set a precedent for future requests of this nature:

If the proposal is approved, similar future funds requests may be submitted and will need to be evaluated on a case-by-case basis.
If the proposal is rejected, similar future requests will not be considered, based on the precedent established here.

Means:

This proposal does not require any additional Velora, external product or development.

Implementation Overview:

If the proposal is approved, the DAO will transfer 20,107.8 USDC to the claimant, who must first provide the wallet address where the funds should be sent.
If the proposal is rejected, no action will be taken by the DAO.

Time of Implementation

Budget

The budget for this proposal is 20,107.8 USDC, which corresponds to the amount requested by the user. No additional costs will be incurred.

Risk Assessment:

Arguments for voting in favor - Pros:

The AugustusV6 vulnerability was real and publicly documented, and the user’s loss resulted directly from that protocol-level flaw.
There is a DAO precedent: in 2024 the DAO approved in PEP-07 a compensation program for users impacted by the same vulnerability.
The user acted in good faith and with no negligence; the loss occurred through normal use of the platform, strengthening the legitimacy of the claim.
Granting compensation in this case would represent an act of responsibility from Velora and the DAO, reinforcing the protocol’s core values of protecting its users and responding fairly when damage originates from a protocol vulnerability.

Arguments for voting against - Cons

ParaSwap/Velora acted quickly and transparently during the incident, issued multiple alerts on Twitter, sent NFT notifications to affected wallets, and the incident was widely covered by ecosystem media.
The PEP-07 compensation fund used in 2024 is now fully depleted.
The vulnerability exploit occurred over 18 months ago, and ParaSwap/Velora fully communicated both the incident and the claims process throughout that period.
The user, unfortunately, remained unaware of this widely shared information and only engaged with the affected approval much later, resulting in the loss.
Web3 provides decentralization, user empowerment, and true ownership, but it also requires users to be more informed, responsible, and proactive compared to TradFi. Staying reasonably informed is part of the responsibility of Web3 self-custody; it does not require constant monitoring, but basic awareness of major ecosystem events is expected.
The event cannot remain open indefinitely: Approving compensation beyond the original window could establish precedent and potentially generate open-ended liability for the DAO, affecting future governance decisions, and introducing a significant financial risk for the DAO.
Refunding this case could create another dangerous precedent: Malicious actors who approved the vulnerable contract in 2024 could intentionally “self-hack” today by performing a transaction now, move their own funds to another wallet by exploiting the vulnerability, and request refunds from the DAO.