Sushi RouteProcessor2 Post-Exploit Request For Comment

Hi everyone! I’m María, from PeaceKeepers a web3 dispute resolution project.

We started PeaceKeepers because the need for native dispute resolution systems between DAOs was forseeable.

As a developer working on future resolution systems PeaceKeepers has interest in this conversation, and many that have come before this one, and many more to follow. Along our journey we have collected some level of experience and observations.

Clearly everyone wants to help. The gap is differing interests. Some of the suggestions turn around the exploit treated on an ad-hoc basis versus how to treat any problem withing existing precendents, or by setting a new generalized precedent that could apply universally.

The contrasting ideas could be described as as “strictly speaking, the ETH from a hack ended up in deposit contract and to claw it back would require an Ethereum hardfork” on the one hand, versus “if in the course of an incident like this the MEV tokens ended up in my own pocket, I’d send it back out of goodwill becasue sending back is a good thing to do - I think that this same logic should apply to Lido treasury” on the other hand.

I do agree, based on our work, with the importance the role of neutrality plays within the ecosystem.

PeaceKeepers is a not-for-profit and relies on grants and donations to develop and support its intiatives that help address unsolved issues across web3. Donations always welcome.


The rough consensus so far looks like the proposal requires not singular decision, but setting up a policy regarding similar cases. Options voiced out so far are:

  1. More research on potential policy is required (Sushi RouteProcessor2 Post-Exploit Request For Comment - #5 by Misha_Statemind)
  2. Any funds received due to the hack are stolen property and have to be returned (Sushi RouteProcessor2 Post-Exploit Request For Comment - #6 by k06a)
  3. Lido DAO shouldn’t act as an arbitrator between stakers, Node Operators and third parties (Sushi RouteProcessor2 Post-Exploit Request For Comment - #7 by Hasu)
  4. There’s a set of criteria designating “major hack” where the refund should be administered (Sushi RouteProcessor2 Post-Exploit Request For Comment - #9 by will_harborne)

Any feedback and other options voiced out by EOD Wed 26th would be incorporated so the signalling snapshot vote could be set up. Please, share yours!


Untangling the original post, it’s clear there are two, largely orthogonal, decisions at hand:

  1. A decision on an outflow of ≈40 ETH from the Lido DAO treasury to help Sushi (this is the amount which came into the treasury as a result of the exploit).

  2. A wider policy decision on whether or not the DAO should ever act as an arbiter between stakers, node operators, and third parties – and if so, how, and under what conditions.

The discussion so far has revolved almost entirely around the second decision – yet this has not been made clear within the discussion itself.

To minimize the risk of decisions, on both fronts, being made for the wrong reasons, it makes sense to move these two decisions into separate threads where they can be discussed individually.

I’ve created a child thread for the first decision here. Snapshot date will be this Thursday (May 4th). Please chime in with your thoughts, but try to keep it focused on the decision at hand.

As for the second decision, which @kadmil has touched on above, we’re starting work on a Swiss Booklet style document which summarizes the debate so far and presents the full spectrum of options and their respective tradeoffs as clearly as possible (see here for a prior example). Realistically, doing this well will take a couple of weeks, so expect this to be posted for further discussion on the week of May 15th (we will cross-link it here).