PIP-59: Proposal for Returning 40.203 wETH to Bybit (After 10% Bounty Deduction)

Proposed by: Bybit Team

Abstract
This proposal aims to freeze from any usage, and return to Bybit, the 40.203 wETH that were collected by the DAO following the compromise that occurred on February 21st, 2025. We request the funds to be sent to the following address [WETH on Ethereum: 0x3ac32a00afb4ca177a0e1b6899ab90d0b811412f]

These returned funds will be returned to aid in asset recovery efforts and demonstrate the community’s commitment to responsible governance.

Goals and Review
This proposal seeks approval from the Paraswap DAO community to return 40.203 wETH that was collected as a transaction fee from ParaSwap. These funds originated when the hacker swapped stETH for ETH on ParaSwap in the following transactions on Ethereum mainnet:

  • 0x15f5a77ec512f1556f34feef83880364a1e3c3efa78b718670abdaede1936f3f
  • 0x21d714ef63ce1197535edcafee9ab2281d1345225aa70e6a2fcb29f828fd3d10
  • 0x4ef02a4d6ca5078647ece2b15599cce62942b517e6bcf52ea89940987762cc5d
  • 0x6c108f99a7d1f2a627a5b6a6a1984d054d5dc17f7bcc423bcc926c7d69f766f6
  • 0xa2007b9458fec54bf765f8a53b9ef4dffa49e5dabe7c4f70dd288af9c260bd39
  • 0xa3840fd4728c04daf437108fa02dd462ee548912c1cd83d96604f17308448295
  • 0xad9fb92cf898aeaa4027a8ac73176617ce75feccedcdb72a7d41594dfc996778
  • 0xe42eb2f64b3b0c39dd56af0ccf891e85119dc844b3b5454064c16909c364e72b

Your community may be aware that Bybit has presumably been compromised by a North Korean hacking group, Lazarus (the “Hackers”). During the compromise they took control of Bybit wallet controls and siphoned the following assets from 0x1Db92e2EeBC8E0c075a02BeA49a2935BcD2dFCF4 (the “Bybit Implicated Address”).

The Hacker then laundered the stolen assets through various intermediaries, ultimately routing them to ParaSwap, where the swap transaction incurred 40.203 wETH to the ParaSwap DAO, which were later wrapped into wETH as part of the DAO automated fee process. While this was an automated process, it has inadvertently resulted in the DAO holding proceeds linked to a widely reported exploit.

Given the ethical and reputational implications, we propose that the 40.203 wETH held by the DAO be returned to aid in asset recovery efforts and demonstrate the community’s commitment to responsible governance.

HackBounty Commitment
Bybit remains fully committed to upholding its obligations under the HackBounty program, which stipulates a 10% reward for the successful recovery of stolen funds. In alignment with the suggestions from the ParaSwap DAO community, we are requesting the return of 40.203 wETH instead of 44.67 wETH, reflecting the total amount after deducting the agreed-upon bounty. This ensures a transparent and structured approach to the recovery process while reaffirming our commitment to fair and ethical resolution. Bybit stands by its promise to distribute the bounty accordingly, reinforcing trust and accountability in this collaborative effort.

Established Goals:

  • Recover 40.203 wETH that was allocated to the DAO treasury as part of transaction fees from an unauthorized actor by the Hacker.
  • Ensure ethical fund management by returning assets tied to illicit activity.
  • Maintain the DAO’s integrity and responsible governance practices.
  • Support broader industry efforts to mitigate the impact of crypto-related cybercrime.
  • Metrics for success include the DAO approval of the return and the subsequent transfer of funds.

Means

  • Approval from the DAO through a governance vote.
  • Execution of a wETH transfer from the DAO treasury to the designated recovery wallet.

Execution:
Upon majority vote results, the DAO treasury will freeze the 44.67 wETH funds from any future distribution and initiate the transfer of 40.203 wETH to the provided recovery wallet.

Future Considerations
The following proposal covers only the return of the accrued funds, and would require no further follow-up actions once the transfer has occurred.

Time of Implementation:
With the passing of the proposal, the funds will be immediately frozen and excluded from any DAO funding or distribution process. Afterwards, the transfer will be executed for the return of funds.

Budget:
40.203 wETH

Risk Assessment:

  • Receiving party verification: To ensure the address being sent belongs to the Bybit team, separate communication will be shared from an official communication channel.
  • Distribution risk: Were the funds not to be frozen, stakers and DAO participants could be exposed to potential risk due to the source of the funds.

Release
The parties acknowledge that the return of funds is made in good faith, and as such, ParaSwap DAO, its members, and the protocol shall not be held liable for any future claims arising from this action, provided there is no fraud, willful misconduct, or gross negligence involved. This indemnification is strictly limited to the return of these specific funds and shall not extend beyond this transaction.

Verification of Proposal Authenticity

2 Likes

Thanks for the proposal @Bybit team!

I have mixed feelings about this action. Although I am sorry that the hack affected Bybit, for which I hold tremendous respect, my immediate question is: Will Bybit advocate to ethfoundation for the gas that the hacker used to be returned as well?

The cypherpunk within says we shouldn’t, and that it is your fault for poor opsec that resulted in this unfortunate event! But the other half says we should help, so I’m split and looking towards the large $PSP community. I invite them to comment, and when the vote is in place I shall evaluate sentiment and vote accordingly.

I am tempted to push for a mid-way … a bounty to be rewarded for the DAO’s time and resources while debating and actioning the above proposal.

7 Likes

I support returning the majority of the funds to Bybit to uphold ethical standards and demonstrate that ParaSwap does not benefit from illicit transactions. However, I propose that the DAO retains a 10% bounty (4.47 wETH) as compensation for handling the process, aligning with industry practices in fund recovery efforts.

3 Likes

For me this is the point. And in this case, either we return everything (because we see a risk) or nothing.

I want to highlight that this proposal raises significant issues in terms of governance and DeFi philosophy.

From an ethical standpoint, returning the 44.67 wETH to Bybit can be seen as an act of solidarity and good faith, strengthening trust between centralized and decentralized platforms. This action would send a positive message about ParaSwap’s community responsibility in a context where fund security is a major concern.

However, from the perspective of decentralization and cypherpunk principles, this restitution could be problematic. ParaSwap did not steal these funds; they were collected through legitimate transaction fees. Agreeing to return these funds could set a precedent where DeFi platforms become forced arbitrators in situations they are not directly involved in. Over time, this could weaken the protocol’s autonomy and neutrality.

The key question is: do we want to set a precedent where ParaSwap (and DeFi more broadly) becomes responsible for CEX security failures? Or do we want to reaffirm that, in a decentralized system, each actor must take responsibility for their own risks?

If restitution is considered, it would be relevant to clarify the criteria that could justify such decisions in the future to avoid arbitrary interventions that could harm the protocol’s credibility. An alternative could be a partial contribution or a more nuanced approach rather than a full reimbursement.

4 Likes

Before expressing our opinion on the proposal, one issue that raises concern for us is how we can verify that the Bybit account that made this post genuinely belongs to the official Bybit and that the wallet in question is officially owned by Bybit.

What guarantees can you provide in this regard? When will you share that communication from an official Bybit communication channel as you mention? Has there been any communication between Bybit and the ParaSwap Foundation and/or Laita Labs?

@Foundation and/or @Laita , can you provide any confirmation on this matter?

We understand that before moving forward with the proposal, and more importantly, before any funds are transferred, a strict KYC process must be carried out to be 100% sure that the proposer is indeed official Bybit.

8 Likes

As part of ongoing research and engagement between various parties across the DeFi space I would like to highlight some points made by @lex_node from MetaLeX Labs which has offered valuable perspectives that could streamline a way forward, in my view offering some clarification in how the DAO could proceed, thus I want to thank and acknowledge him as a special friend of ParaSwap.

Below are some of the topics discussed as potential requirements for PIP to pass:

Ensure Proper Cost Recovery – Account for governance-related efforts and the due diligence required in this process.

Secure Legal Release & Indemnity – Obtain a formal agreement from Bybit to eliminate any future liabilities for the DAO, as seen in the MangoDAO case, is that courts have acknowledged the enforceability of agreements related to fund recovery, even in cases involving bad actors. This precedent highlights the importance of securing a legal release and indemnity as a necessary condition for returning funds, ensuring the DAO remains protected from future claims.

Verify the Receiving Party

@SEEDGov
Before expressing our opinion on the proposal, one issue that raises concern for us is how we can verify that the Bybit account that made this post genuinely belongs to the official Bybit and that the wallet in question is officially owned by Bybit.

Once these steps have been completed and PSP community happy with overall direction, the DAO could attempt drafting a structured approach to execute the return of funds in a secure, transparent and legally sound manner.

1 Like

I think it doesn’t make any sense. ParaSwap is a permissionless protocol; the funds requested don’t belong to @Bybit but to ParaSwap’s DAO (20%) and $PSP Stakers (80%).
It’s not ByBit’s funds, it is revenue for a service delivered from a trustless protocol and executed on a decentralized blockchain.

Let’s make an analogy. It’s like if a bank (bybit) asks a bakery (paraswap) for $50 because the thief that robbed the bank bought a chocolate cake from that bakery with some of the money stolen from the bank… it doesn’t work like that.

As a comparison in tradfi, since 2020 for Paypal and since 2021 for Stripe, they don’t refund the processing fees to the bank nor to the merchant in case of a dispute/stolen credit card/etc… Because they delivered the service, and that service comes at a certain price because it involves real world infrastructure.

Now a question, will we return the fees generated by every single transaction made on paraswap that could have potentially been made from an address linked to a hack at the 1st, 2nd, 3rd, etc… level? Or is paraswap a true permissionless defi protocol?

For all those reasons, I’m 100% against that proposal.

2 Likes

Service delivered. The protocol is trustless and is on a blockchain. It’s a pity that funds are stolen, but that’s not a ParaSwap fault.

4 Likes

I agree with the points raised by @citizen42 and @SEEDGov regarding the need to ensure ParaswapDAO is engaging with Bybit.

Now, about the issue at hand: There are legal and moral/social implications that go beyond this specific case. This will not be the only solicitation the DAO will receive, as it is likely other situations like this will happen in the future. Because of that, IMO we need to have a framework that gives us clarity on how to proceed and manage situations like this.

My suggestion is to engage with entities like https://www.securityalliance.org/, to ensure the DAO is doing/analysing things properly.

1 Like

This already happened in 2013 for another hack and the ParaSwap DAO ruled not to refund the processing fees, for exactly the same reasons.

There is no reason to rule it otherwise this time.

4 Likes

I propose transferring these funds to a designated address (wallet) owned by DAO and implementing a hold period during which the DAO will await any legal requests from the authorities, not @Bybit itself. Simply asking for a return would be too simplistic; every action must be fully compliant with legal requirements.

1 Like

ParaSwap will damage its reputation if it agrees to return this fee to ByBit. The protocol has always been permissionless—there’s no in-between.

It’s a no for me.

7 Likes

It’s not ByBit’s funds but processing fees, the principal is not and has never been in the hands of ParaSwap.

1 Like

In our opinion, Paraswap should return the fees after verifying that the account that created the proposal is legitimate.

Paraswap must not profit from crime if it has the ability to prevent it. We understand that this could set a precedent, leading to more claims that scammers have used Paraswap. However, we don’t think it’s feasible to evaluate and return fees from minor scammers, as verifying the validity of such claims would be extremely difficult. This case is different—it’s an issue that affects our industry as a whole, and protocols should work together to minimize the damage caused by this group.

Paraswap can retain a portion of the fees to cover the costs of processing the transaction and verifying the claim, but again, it must not profit from this crime. While the protocol is permissionless, this decision ultimately lies with delegates and token holders. Keeping funds generated from NK hackers carries legal implications.

2 Likes

I understand the ethical argument behind returning the funds, but this approach raises concerns regarding the long-term implications for paraswap’s neutrality and governance.

While this case is significant, the argument that “it’s not feasible to return fees from minor scammers” introduces a subjective threshold. If paraswap intervenes here, it implicitly assumes responsibility for evaluating similar cases in the future. Where do we draw the line? What makes one scammer’s victims more deserving of restitution than another’s?

DeFi protocols are designed to be neutral and permissionless. If paraswap starts making value judgments on which cases deserve intervention, it moves towards a more centralized decision-making model, which could impact its credibility.

You mention potential legal implications, but returning funds selectively could also create legal risks. If paraswap is seen as selectively enforcing reversals, it might expose itself to regulatory scrutiny or liability in future incidents where it does not act.

While the intention is to minimize harm, making paraswap an arbiter of fraud cases could have unintended consequences. If this is the direction the community wants to take, it should be accompanied by clear guidelines to ensure consistency and fairness.

1 Like

ParaSwap is not responsible for what happened to Bybit, ParaSwap does NOT have Bybit nor the Hacker’s funds in possession.

ParaSwap doesn’t provide custody of assets.

Someone swapped a Token A and received Token B in a permissionless manner, and ParaSwap collected a fee for the execution of the swap like UNISWAP, Balancer or Curve do.
What about the Liquidity providers of the different pools that received fees?

The fee collected is a split property of ParaSwap’s DAO (20%) and $PSP Stakers (80%).

If someone were to ask ParaSwap to freeze the funds, it would be neither the complainant nor the police but the justice system. The only person responsible is the hacker; if he is found guilty and he is not able to repay what he owes, then the courts would (try to) seize his assets.

As a DAO we can argue on creating a temporary reserve with the 20% of the fees the ParaSwap DAO owns, but the 80% share that is the property of the PSP Stakers must be distributed.

3 Likes

This is a pivotal decision for Paraswap DAO, not just for this case but for the future of DeFi governance.

While returning the funds may seem like the “right” thing to do optically, we must ask deeper questions:

What guarantees do we have that this hack wasn’t facilitated, or at least enabled, by internal failures within Bybit itself? Trusting an exchange’s narrative without full transparency contradicts the principles of decentralized governance. We are being asked to return funds based on an unverifiable claim.

Bybit’s CEO assured the public that they had sufficient reserves to cover this loss. If that statement was truthful, then why should a DAO, an entity with far fewer resources, subsidize the operational risks of a much larger, centralized institution?

If we set this precedent now, Paraswap DAO will be expected to do the same every time this happens.

Hacks are not rare occurrences in this industry. If we establish that fees collected through legitimate, permissionless smart contracts can be reversed, we open the floodgates to an ongoing financial liability for the DAO. Over time, this could result in substantial cumulative losses, especially when Paraswap had no direct involvement in the security failures that led to this hack.

More concerningly, this sets a dangerous philosophical precedent: if fees can be refunded post hoc, then what else can be reverted? It wouldn’t take long before individual users start demanding refunds for their own losses, citing this case as justification. This completely erodes the principle of Code is Law, one of the core tenets that differentiate DeFi from centralized finance.

Decentralized protocols must remain independent from CeFi risk management. Otherwise, we are simply recreating the same discretionary bailout mechanisms that DeFi was designed to eliminate.

The role of DAOs in the financial ecosystem is distinct from that of centralized entities. If a DAO earned revenue through legitimate smart contract operations, then undoing that after the fact sets a dangerous precedent. Are we expected to act as backstops for CeFi failures? A DEX is supposed to be the alternative system, not the copycat one…

Ethical consistency matters. If we return these funds, where do we draw the line in the future? The philosophy of “Code is Law” underpins DeFi for a reason. Changing the rules post hoc undermines the credibility of DAOs as autonomous and predictable entities.

Friedrich Hayek once warned against systems where “rules are changed at the discretion of authorities” because they ultimately erode trust in the structure itself. The same applies here: if we bend the rules for Bybit, we undermine the very foundations of DeFi governance.

A fair middle ground would be returning a percentage of the funds with a condition (e.g., the standard 10% bounty), as this aligns with industry norms. But the broader question remains: should DAOs absorb the risks of centralized exchanges? If so, what does that mean for the independence of decentralized governance moving forward?

They are requesting a full refund of 44 ETH, which, as you pointed out in the proposal, seems entirely one-sided. A fairer approach would be for at least 50% of that amount to be converted into PSP and staked in Earn for a prolonged period, generating revenue for Paraswap.

Why? Because this refund represents a direct financial loss for the DAO, which had no involvement in the incident and holds no responsibility for Bybit’s security lapses. Meanwhile, Bybit would simply recover funds without offering anything in return. Even the most basic exchanges charge a recovery fee of 10% or more for fund retrieval, yet here, Bybit expects a full refund at no cost.

More importantly, the price DeFi will pay for exempting Bybit from the rules is too high. This sets a precedent that could seriously damage DeFi’s autonomy and governance in the long run. If we bend the rules for Bybit today, where does it stop? This moment will be remembered as a turning point—and not in a way that benefits the future of decentralized finance.

5 Likes

Maybe we should start distributing fees (automatically) to PSP Stakers on a daily basis and in a permissionless manner.

4 Likes