MALICIOUS GOVERNANCE ATTACK: A Call to Action to Stop the Attack *OPINE IN THE NEXT 42 HOURS*

TLDR – A CALL TO ACTION IN THE NEXT 48 HOURS

We have irrefutable evidence supporting a malicious governance attack with respect to the recent vote on “Proposal for Tech Infusion, Support, and Expansion of Truefi Products.”

This post is a call to action to gain social consensus that this scenario justifies the use of the canceller multisig. For the unacquainted, the power of cancellation has already been granted to the multisig via TFIP-6, but since this is the first time the DAO has experienced such a scenario, it makes sense to request feedback before canceling the proposal.

As we will show in the evidence below, it is clear that an entity, individual, or coordinated parties purchased TRU Tokens on Binance with a hedge in order to gain super-majority voting share to ram through this proposal. There is significant economic gain to be had for the Teragon team (and whoever else helped them potentially) given the ~1.5-million-dollar payout (at today’s prices) and minimal cost of trade execution.

Abnormal TRU Token Voting Amounts

As of close of the voting period, over 41 million TRU tokens voted in favor of the aforementioned proposal. This is abnormal by DAO standards, with the average 5 proposals receiving 15.4 million TRU voting in favor. The last time this many tokens voted in the affirmative was on October 17th 2023 with 83.28 million voting in favor. However, TRU tokens were priced at just $.033 at the time. Consequently, if you adjust for today’s prices, the October 17th 2023 proposal would only equate to ~22.5 million TRU, half of what was used for the malicious proposal.

Coordinated Wallet Creations

Another key piece of evidence is the large wallets that voted in favor of the proposal. They are listed below for reference:

Upon review, all wallets were created within a few hours of each other on July 4th (EST). Additionally, all wallets came from the same exchange, Binance. The odds that this quantum of tokens and wallets were made in quick succession and time interval makes it apparent that one individual party controls all of these wallets. Thankfully, the manipulator was too lazy, impatient, or worried about market exposure from negative funding rates, to space the creation of these wallets out to at least give a semblance of normalcy.

Negative Funding Rate Anomalies on Binance

We also looked at historical funding rates for the TRU token over the past few weeks and saw an abnormal pattern emerging in the same time period that the previously aforementioned wallets were created. As you can see in the chart below from data taken from (https://app.laevitas.ch/assets/perpswaps/TRU), Binance is the only exchange to have had significantly negative funding rates in the past week. Given all of the tokens above originated from Binance (as proven above), it is quite obvious that the manipulator shorted the TRU token on Binance in order to create a D1 trade after purchasing the TRU tokens with the intent to manipulate voting without taking price exposure to the TRU token. It is quite obvious at a ~-33% funding rate in the past week that the hedger entered the positions on or around July 4th, the same day that the wallets were created.

Elevated TRU Futures Volume During Past Week

There has also been a significant spike in TRU Perps volume over the past week, which also correlates with the period that the manipulator began to hedge their position. Data provided from the same source, Laevitas, shows a massive spike on July 11th, the vast majority of which was on Binance.

Call To Action

As one can see from the verifiable evidence provided above, we believe that the right course of action would be to block this proposal from executing to prevent bad actors from stealing money from the DAO treasury.

Given the creation of the Canceller Multisig that was introduced following the Tornado Cash DAO takeover (https://www.coindesk.com/tech/2023/05/21/attacker-takes-over-tornado-cash-dao-with-vote-fraud-token-slumps-40/), we can do this if we act within the first 48 hours of the vote passing.

At a high level, the Canceller Multisig was put in place to prevent faulty or adversarial proposals. The multisig has the ability to execute a transaction that would render the proposal ineffective. You can check out the TFIP that implemented this feature here: [TFIP-6] Assign CANCELLER role for TrueFi Governance - **modified**.

While the cancellation of this proposal does not mean that Teragon can’t make another proposal again in the future, it is the responsibility of the community to wait for other proposals to come in before we rush into one that has had uniformly negative opinions against it on public forums and votes in favor of this proposal are clearly the result of a governance manipulation.

We now ask the community to voice their opinions on the matter, so we can achieve social consensus to execute the Canceller contract. The Multisig has never been used and this would set a precedent for its use in the DAO.

Looking Forward

At Cicada Partners, we hope that we can spearhead a proposal in the near future to eliminate the possibility of this happening again by requiring a time-lock feature on voting, that is long enough to disincentivize bad actors from purchasing tokens immediately before a proposal to manipulate results. Feel free to message the Cicada Team, if you would like to speak further on the matter or if you have additional information or thoughts to share in regards to the voting attack.

Thanks and Best,

Cicada Partners

7 Likes
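The wallet-clustering check described in the post above (large yes-voters first funded from the same exchange within a few hours), written out as an added example; it is not part of the original post or of TrueFi's tooling. All addresses, timestamps and vote weights are constructed sample data, and the funding-source labels are assumed to come from an address-labelling source the analyst already trusts.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Voter:
    address: str            # voting wallet
    funded_by: str          # label of the first funding source (assumed pre-resolved)
    first_funded: datetime  # time of the wallet's first inbound transfer
    support: bool           # True = voted in favor
    weight: float           # voting power cast, in millions of tokens


def find_clusters(voters, window=timedelta(hours=6), min_size=3):
    """Group yes-voters first funded from the same source within `window`
    of the group's earliest wallet. Returns a list of (source, [voters])."""
    by_source = defaultdict(list)
    for v in voters:
        if v.support:
            by_source[v.funded_by].append(v)

    clusters = []
    for source, group in by_source.items():
        group.sort(key=lambda v: v.first_funded)
        current = [group[0]]
        for v in group[1:]:
            if v.first_funded - current[0].first_funded <= window:
                current.append(v)
                continue
            if len(current) >= min_size:
                clusters.append((source, current))
            current = [v]
        if len(current) >= min_size:
            clusters.append((source, current))
    return clusters


def cluster_impact(voters, cluster):
    """Share of the yes-vote held by the cluster, and whether the vote
    passes only because of it (a lead for review, not proof of common control)."""
    members = {v.address for v in cluster}
    yes = sum(v.weight for v in voters if v.support)
    no = sum(v.weight for v in voters if not v.support)
    clustered = sum(v.weight for v in voters if v.address in members)
    return {
        "share_of_yes": clustered / yes,
        "decisive": yes > no and (yes - clustered) <= no,
    }


# Constructed sample data: placeholder addresses, dates and weights.
DAY = datetime(2030, 1, 10)
SAMPLE_VOTERS = [
    Voter("0xA1", "exchange-A", DAY + timedelta(hours=10), True, 9.0),
    Voter("0xA2", "exchange-A", DAY + timedelta(hours=11, minutes=30), True, 8.5),
    Voter("0xA3", "exchange-A", DAY + timedelta(hours=12, minutes=15), True, 8.0),
    Voter("0xA4", "exchange-A", DAY + timedelta(hours=14, minutes=40), True, 7.5),
    # Same exchange, but funded weeks earlier: not part of the burst.
    Voter("0xB1", "exchange-A", DAY - timedelta(days=40), True, 3.0),
    # Same day, different source: not grouped with exchange-A wallets.
    Voter("0xC1", "exchange-B", DAY + timedelta(hours=10, minutes=30), True, 2.0),
    Voter("0xD1", "self-custody", DAY - timedelta(days=300), False, 6.0),
    Voter("0xD2", "self-custody", DAY - timedelta(days=200), False, 5.0),
]

if __name__ == "__main__":
    for source, cluster in find_clusters(SAMPLE_VOTERS):
        impact = cluster_impact(SAMPLE_VOTERS, cluster)
        print(source, [v.address for v in cluster], impact)
```

A flagged cluster only says that several wallets share a funding source and a time window; when one exchange holds a large share of supply, as a later reply in this thread argues, unrelated holders can match the same pattern, so the `decisive` flag and independent evidence matter more than the match itself.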

Thank you for the detailed post @Cicada.Partners. This is an unusual situation and I agree that using the Canceller Multisig seems justified here.

The key pieces of evidence that this is an attack include:

  1. Multiple wallets created from Binance quite recently and all at the same time
  2. The unusually large negative funding rate on Binance
  3. The unusually high TRU futures volume
  4. Very significant opposition in the community to the proposal, and little to no support from long-term community members

Additionally, I would note that funding rates on Binance TRU Perps appear to still be significantly negative, suggesting that someone might still be holding a large short TRU position.

For all of these reasons, I am in support of using the canceller multisig. I would specifically like to allow more time for an investigation, and also more time for competitive bids for development services to come into the DAO.

Thank you and I would love to hear what the other community members think.

4 Likes

I have been monitoring Staked TRU wallets on Dune for the past month, focusing on their staking and voting activities. When I noticed a sudden influx of staked wallets (all on July 4th) I anticipated they would soon influence the voting of this particular proposal or another to overturn a majority “no” or “yes” vote at the last minute. And that is precisely what happened with this proposal in question. A “no” vote was overturned at the last minute and all wallets seemed to vote around the same time.

I started to feel that regardless of how the majority of staked voters decide, there will always be individuals determined to push proposals through by staking a substantial amount of TRU across multiple wallets with complete disregard for how DAO voting should ethically take place.

I completely agree that 5-6 of the wallets listed below were created in a highly suspicious manner on July 4th.

3 Likes

As a follow-up, various members of the community asked for a poll:

Do you support the use of the Canceller Multisig to cancel Teragon’s proposal until further investigation can be completed and competitive bids can be entered?

  • Yes
  • No
0 voters
3 Likes

Thank you, @Cicada.Partners, for your team’s meticulous analysis of the source of the TRU used to perform this evident governance attack.

I was shocked to see such last-minute solid support of this proposal, in contrast to the stark opposition it received on the forums.

I don’t believe this proposal aligns with the best interests of TrueFi. Integration of Teragon’s Managed Vaults, Structured Products, and Index Products conflicts with TrueFi’s existing products and there was no post made to explain why Teragon’s products are superior. Not only that, but there’s a complete lack of transparency into what TrueFi is buying. Minimal code is available, no test suite is available, and a 3rd party hasn’t audited the code.

While I acknowledge that there is a chance that Teragon’s products could be worth the cost (again, we don’t have transparency into what we’re buying), the integration does little to solve TrueFi’s current and future needs. Who is going to do marketing, support, maintenance, etc.?

Given the evidence, lack of transparency, conflicts, and strong opposition on the forums, I believe the use of TrueFi’s canceller multi-sig is justified.

3 Likes

Moving forward, we need to implement significant updates on how, when, and why a proposal is allowed to proceed to voting.

While we have a Canceller Multisig to revoke malicious voting attacks, we need additional measures to filter out proposals that are not suitable or beneficial for TrueFi before getting to the funding vote stage.

We should consider establishing a verified user account system that requires proposals to pass a preliminary platform vote before they can request voting for their funding approval.

This aims to reduce the intense desperation and extreme measures these wallets have resorted to in order to withdraw money from TrueFi.

2 Likes

I appreciate Cicada’s research and agree with their conclusion. The voting patterns and proposal are strong evidence of a governance attack and support using the canceller to prevent this.

5 Likes

Since this is a time-sensitive matter and the use of the cancel powers has support, I’ve initiated the transaction to cancel.

https://app.safe.global/transactions/queue?safe=eth:0x8c8FcA3812c4272756120E207D3ED496A73Bc528

Pending 2 more signatures.

4 Likes

Teragon’s response to this call: Refuting Governance Attack Allegations: Teragon's Defense

3 Likes

Thanks @Cicada.Partners for the in-depth review of the on-chain transactions and analysis on community sentiment and business potential.

Although this proposal is hasty and could be improved on cost and alignment, I don’t agree that this is directly a governance attack or malicious. Why? Teragon’s proposal could add clear benefits to TrueFi’s revenue streams.

From my conversations at EthCC Brussels, I believe their proposed products could find a market fit. The main issue is the lack of consensus on how these products would integrate into our current operations, especially with many functions being transferred to a young Directorship, and lastly the cost of these products is questionable too.

DAOs require a balance between social and economic alignment. While we want significant TRU holders to have skin in the game and move the DAO forward, social alignment is also necessary.

This is the first time the canceller wallet has had to be used, so we lack precedent, but it’s clear that without strong community support and alignment with the Directors, this shouldn’t go through.

Short term, it makes sense to block this and reassess the merits of the Teragon proposal. We’re in a transitional period at TrueFi. While these products might benefit TrueFi’s future revenue, we need a clear business scope and consensus.

Medium-term, we need a new governance primitive where proposals require a quorum on the forum before going on-chain to prevent occurrences like this. The Directors will work on a proposal in this direction.

I encourage Teragon to revisit the proposal and gain social alignment on how it could support TrueFi moving forward.

4 Likes

Thank you for the thoughtful reply @vandynathan.

Big +1 to this. I would love to see a clear business scope, consensus around the deal, and alignment with the directors around the vision.

I would also like to see a vote during more normal circumstances… specifically once whoever appears to have taken out a large short position on Binance has closed it down, and all TRU holders have been given time and warning to stake their TRU so they can participate in the vote.

6 Likes

I’d like to review some of the data that has been combined to make assumptions that this is a Governance Attack: going through the data, one by one.

Let’s start with the real data from exchanges in Binance and Bybit, and compare it with the chart provided by Cicada.

I was curious, so I started to check: was the funding rate actually so negative in the past 30 days on Binance? The data direct from the source in Binance would show otherwise.

I’ve arrowed the CSV here, so you all can also download it and compare my figures. Visually, except for one day of large negative funding (I will get to this) on July 11th, rates look fairly normal, not enough to see evidence of aggressive hedging as implied by Cicada. See my spreadsheet snap below:

The annualised rate stayed positive across most time periods. In fact, in the period of June 14th to July 5th the annualised rate was near 9%.

In fact, it was in Bybit, where the funding rate was lower. However, the open interest stood at around only 2mm USDT, about half that of Binance. Hard to see that anomaly of a “shorter”.

Next, let’s get to this anomalous volume on July 11th.

Let’s go direct to the source again, on Binance, and look at the perps:

There are elevated volumes, but where is the shorter? In fact, the majority of market moving trades (taker orders) were buys. If there was hedging (net selling), you’d expect to see a significant imbalance of sell-taker orders, especially for the size that Cicada is imagining.

Volume is usually a function of volatility, and let’s see what happened on this day.

What we are looking at is a huge upward market move day, where naturally there would be plenty of day trading and positions changing hands amongst market players. Further with that is the release of trade-able information on DWF being appointed a market maker for Truefi (see below Binance release on July 11th).

Proof in the pudding of open interest: is there a real change in open interest to see a shorter? This may interest you @rafaelcosman

On Binance, we’ve seen a steadily decreasing open interest of units over the past 30 days. For good measure let’s check Bybit as well:

Again, we see open interest in terms of TRU token units decline over the past 30 days. So, where is this short?

It is questionable at best that much of the evidence is “irrefutable”.

The only item that is irrefutable is that:

  1. Tokens did come from Binance (but at 33% of tokens held in Binance, and as we know most real trading occurring there - so much so - that DWF has kindly offered to conjure up volume in other exchanges as a market maker)
  2. Addresses were made. Not all tokens which voted went to one address.

Are holders of the token which vote with movement from an exchange to staking contract to vote, considered an attack on its own? I have to agree with @vandynathan here that it isn’t an attack.

4 Likes

In addition to all the points made regarding the unsubstantiated allegations, I believe it’s crucial to emphasize the following:

In a scenario where ‘canceller authority’ is exercised, it is not only logical but imperative that the signatories:

  1. Publicly disclose their wallet addresses and prove if they are real people.
  2. Clearly announce their intentions and actions.
  3. Provide detailed justifications for exercising this power, which is reserved for extreme circumstances and well-defined threat vectors.

This level of transparency is essential for TRU token holders given the extraordinary nature of the canceller function and its potential impact on DAO governance and token PA.

5 Likes

I understand reservations on how the voting is done but I don’t see anything malicious. It is the will of the TRU token holders unless otherwise proven conclusively.

I see this as interference by actors with clear conflict of interest as highlighted by the post here: Refuting Governance Attack Allegations: Teragon's Defense

I would add that cancelling & ignoring a DAO vote without a proper justification by actors like Wallfacer & Cicada with clear conflict of interest acting on their own without the consent of TrueFi board would constitute a LEGAL issue.

Seems like most of the logic used in this post is simply propaganda because it doesn’t benefit the said actor and is based on incorrect data / understanding of the token flow, OI and trading of instruments as is evident from this reply: MALICIOUS GOVERNANCE ATTACK: A Call to Action to Stop the Attack *OPINE IN THE NEXT 42 HOURS* - #12 by TheSkyHopper

TrueFi DAO has not made any real progress on products or expansion despite spending huge amounts of TRU tokens paid to wallfacer and Cicada. Teragon proposal throws fresh blood into TrueFi and charts a path to growth & evolution and seems to be at a fraction of the cost. I can understand why TRU holders would want to see this implemented.

I do think understanding the perspectives of the TrueFi board members is valuable here- if they could all post at least briefly here and participate in the poll above, that would be quite useful. :pray:

@vandynathan @TheSkyHopper @ferengi

I’d like to add to the “irrefutable” point of tokens coming in from a Centralised Custody/Exchange to vote or stake before a vote (all part of the governance process). And I’d really like to point out the prejudice that Cicada’s call is.

Let’s take the vote where Wallfacer’s proposal for funding. Just prior to the vote, an address 0xeb7C4ab78b22EaAa733b08731c32f68400B9f89C voted for the proposal with 11 million votes, which was a delegated vote from 0x83FB0a3fB2cbCe4396f9F0363b5eFB5e1190d5F0.

Just prior to the vote, these tokens flowed through in a single day from Coinbase, staked, delegated and voted. (see below for the ERC20 txs)

Let’s also look at the address 0x756bD3f4F843767Aa1061Aaaf088faBaACE0D363, but the address acting as a delegate for address 0xDF53b3F7Df527196c69B38F99AFeFD9D0876a44A which, like the addresses Cicada alleges are part of an “attack” - similarly sent tokens in from Binance. See below:

Subsequently, this address voted YES for DWF Labs to be a MM (but if you look at the forum, didn’t receive much support but yet was passed), and also for Cicada’s incentive payment.

Yet, for both of these addresses coming from CEX, nothing was questioned. This is quite arbitrary that one set of addresses get accused of orchestrating an attack only because of wallet creations, transfers, and accused (without evidence that I’ve shown) to have had a short hedge? Why wouldn’t these addresses also be scrutinized as well. In theory, I can conjure up many wild theories on these wallets, but I don’t. Because I take it for what it is.

Why does a certain token amount or effective dollar amount matter as to what has come to vote? This is purely arbitrary as well. Previously 100 million tokens have voted (or nearly), then much of this ended up flowing into exchanges. I’m not here to question diamond versus paper handing - people have reasons of many kinds to liquidate. But it is not inconceivable that those tokens may return one day to vote - and likely those votes are for change.

I’m disappointed that Teragon’s proposal has been accused of being a governance attack (and also written in the title with all capital letters I might add). What constitutes a governance attack? Sure, there’s no forum proposal, and a tally to simply mint and take tokens unattached to a forum proposal - I get that to be an attack. It’s a good thing that there are more voters and some votes against and for, as this means there is the friction of change, and in crypto no protocol should remain stagnant with the status quo.

4 Likes

About a poll:

We have to ask ourselves, how many of these voters are conflicted? Further is: what about the silent majority?

I have argued that the voting cannot be irrefutably evidenced as an attack - then how is it right to use a canceller function, simply because the losing side of voting happens to be on the signing page, just because things go the way they don’t like?

I’m going to lead by example here: you can take a look at DWF’s proposal which just recently passed, and as a board member I wasn’t for this proposal.

Because it passes, do I make a big fuss over this? No, because the DAO voted for it and went through. In fact, as a foundation board member, I’ve been working to onboard DWF as corporate counterparty in the past two weeks, despite being on holiday with my family.

I’d rather like to think of the positives a DWF can bring now that it is here - how we can work them on other things - and maybe even (dare I say?) to see there’s ways if they want to open a borrowing pool here at Truefi, and many more things. Instead of calling an attack simply because it didn’t go my way, I’d rather like to think how to work along with someone who comes in with my support or not.

So yes, as the stakeTRU voting came through - I mean after all wasn’t more activism and voting the incentive for this proposal: [TFIP-10] Increasing stkTRU gov participation & a look to future protocol spending?

So in conclusion: I fully support Teragon’s proposal and 100% disagree with using the canceller function.

3 Likes

Everything and everyone needs to take a pause and step back for a moment.

Why are we rushing things from every angle? The pressure came from conflicting parties involved and irrational conversations took place privately and irrational decisions are being made. Myself included!

The entire proposal process needs to be discussed, not the proposals at this point.

If the Canceller function is used then I don’t think it should be an automatic “no” to the proposal but more of a step back to have a civil conversation without conflicting parties involved.

We need to come out of this with better implementations in place, because the voting has always been an issue, even with Wallfacer. They just didn’t have anyone (in Ryan’s words) “doxing” them back then.

I mean just look at Adapt3r with their vote on Frax. Majority of voters voted yes, but a single large wallet voted no on their proposal rejecting their proposal. That particular wallet obviously wants to steer Frax in a particular direction. (Based on the age of the wallet after looking into it)

In the same way, past large wallets wanted to steer Truefi in a particular direction. Although it’s difficult for Wallfacer to relax the reins as they no longer have the same support from those large wallets, we need to remove conflicting parties from votes and polls and reassess things.

5 Likes

For eg; I’ve heard many times and I myself have said it.

“TrueFi already has the products that Teragon is proposing, TrueFi doesn’t need them”

While I understand a little about these products that Wallfacer and Cicada have mentioned.

No in-depth technical conversation has taken place between @WallfacerLabs and @han @Sh4un in actually comparing what Truefi already owns to that of what Teragon is offering.

Maybe we take a step back and start there to have a better informed foundation for conversation @WallfacerLabs and @han @Sh4un ?

Can you both technically define the similarities and the differences of what products TrueFi already owns compared to the products being offered by Teragon?

And maybe everyone can share their thoughts on any new direction they can see TrueFi taking while maintaining their current direction.

What’s TrueFi’s unofficial Roadmap everyone can see happening?

3 Likes

With respect to spurious claims of Cicada’s conflicts of interest:

1 - We are not trying to dispute the offering suggested by Teragon, but the unusual activities we see to protect the integrity of DAO voting. We have an intrinsic interest to protect that as our relationship with the DAO can be affected if unusual voting behavior can sway decisions.

2 - We clearly have interests in the sustainability of the DAO and would like to support the go-shop process by providing our own plan with a partner technical team that would both be a material cost savings (recall: the original issue with Wallfacer’s proposal, which was only made worse by Teragon’s proposal using inflated acquisition accounting of unproven and unaudited SCs). Does this make us conflicted to see Wallfacer reinstated? Absolutely not.

3 - Teragon openly said they would not support Cicada on the forums. That is to say, I guess our interests are clearly against Teragon since they have shown no desire to reach out, understand our vision of TrueFi, and clearly showed no interest in credit (which is the core of TrueFi eod).

4 - For the sake of transparency, we have spoken to Wallfacer (2 of 6 on the Canceller multi-sig) and both Cicada and Wallfacer agree that a vote in favor of the Canceller contract would be highly conflicted. Both parties agree that Wallfacer will abstain.

Given the timing of Teragon’s rush to cram the proposal down tokenholders’ throats, and the clear trading irregularities, it remains our view that giving time for a competitive process remains paramount.

3 Likes