Hi All,
Thank you all for the feedback. The team has taken all the points of discussion into improving the proposal. Please take a look at the refined proposal below:
Title: Request for Assistance in Recovering the Treasury of The Idols NFT
TLDR / Summary: The Idols NFT community is seeking the support of the Lido DAO to help recover locked stETH from the project’s treasury which has recently been exploited. The Idols has ~2704.95 stETH that is locked on chain. As part of this proposal, a bounty of 20% of the recovered stETH (~540 stETH) will be sent to the Lido DAO. As detailed below, we believe the implementation is not technically complex. However, given that LIDO is a large entity, ADR, LIP and audits will be required. We recommend net stETH after any costs be split amongst all LDO holders who vote YES.
What is The Idols NFT?: The Idols NFT launched in March 2022 as a first of its kind project with the intention of locking away stETH on-chain, securing the Ethereum network forever. At the time, NFT projects were flooding the market, many of which were rug pulls, with founders profiting from mints and trading royalties before abandoning the project. The founders of The Idols wanted to create an NFT project which had immutable, verifiable value on-chain. This intention led to the idea of locking up LIDO’s stETH token on chain and distributing stETH rewards to NFT holders forever. Unlike other NFT projects of the time, the founders of The Idols took 0% of proceeds from the mint funds (100% was locked into the on-chain treasury). The Idols also distributed 100% of secondary sales royalties to the project’s ERC20 token holders. All of these decisions were made with the intention of creating the most community-aligned NFT project to date. Links are not allowed in this proposal but please look at @TheIdolsNFT on X and look at our docs and Medium to learn more.
Problem Overview: On Tuesday January 15, 2025, The Idols NFT was exploited by 0xe546480138d50bb841b204691c39cc514858d101. That attacker was able to drain ~97 stETH from our treasury (100% of the unclaimed accrued interest). Any future stETH rewards will be inaccessible under normal conditions, as the contract is being continually exploited daily by attackers on each rebase (for example, 0x7885a44d861851bdb4f3d6b246301c0bb702ac6da8470cc8d2af2909c619feea). This means that in the project’s current state, community members will effectively never again be able to claim their accrued stETH rewards.
We recognize that certain members of Lido DAO have concerns around this proposal setting a general precedent for Lido DAO to intervene in clawing back stolen stETH from third parties.
While concerns about clawing back stolen funds in general are understandable, we believe The Idols situation is distinguishable from other hacks.
This is not a request to claw back the stETH that has already been exploited. Rather, this is a request to effectively “unlock” stETH currently locked in The Idols’ treasury address to prevent future exploitation.
### Technical Proposal
Ultimately, The Idols community is asking Lido Contributors to assist in moving ~2704.95 stETH locked in the Idols NFT contract (0x439cac149b935ae1d726569800972e1669d17094) to The Idols DAO Multisig (0x82AF9d2Ea81810582657f6DC04B1d7d0D573F616). The Idols community will then manage the distribution.
To execute this, a working group would need to be formed to analyze the feasibility, prepare an ADR, LIP, and conduct audits. If the DAO approves, the project would be developed by Core contributors or a third party that will agree to develop and be funded via EGG, with potential reimbursement from the bounty.
There are multiple ways to implement this via a protocol upgrade, but one of the simplest approaches is to add an onlyOwner function to the stETH contract, allowing Lido DAO to move stETH on behalf of The Idols. The function could look like this:
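```solidity
// Fragment meant to be added inside the stETH contract; it relies on that
// contract's onlyOwner modifier, balanceOf() and internal _transfer().
function idolRescue() external onlyOwner returns (bool) {
    // Addresses are lowercase as posted; solc only accepts address literals
    // in their EIP-55 checksummed form.
    address from = 0x439cac149b935ae1d726569800972e1669d17094; // Idol NFT Contract
    address to = 0x82AF9d2Ea81810582657f6DC04B1d7d0D573F616; // Idol NFT Multisig
    uint256 value = balanceOf(from);
    _transfer(from, to, value);
    return true;
}
```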
The Idols developers are ready to be contributors alongside LIDO in assisting with implementing this solution.
Based upon how narrowly-tailored and simple this solution is, we believe that the costs and risks associated with this upgrade should be minimal. We understand that even though the upgrade is not technically complex, given that LIDO is a large entity, ADR, LIP and audits will be required. The offered bounty should sufficiently cover all costs associated with the technical implementation and also provide additional stETH for the Lido DAO.
### Vote YES
Lido DAO agrees to intervene and initiate a protocol upgrade to unlock and transfer the locked stETH (~2704.95 stETH) from The Idols NFT treasury to The Idols DAO multisig.
- This includes funding and overseeing the necessary ADR, LIP, audits, and implementation.
- The proposed bounty (20% of recovered stETH) will be allocated to Lido DAO to cover costs and provide additional stETH to the DAO.
### Vote NO
Lido DAO remains neutral and does not take action to modify the protocol in response to this case.
- The principal stETH in The Idols NFT treasury remains locked on-chain.
- No special intervention is made by Lido DAO to address this specific exploit.
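
An added example, not part of the original proposal and not Lido's code: a simplified Python model of share-based rebasing balances, the accounting stETH uses. It shows that the `balanceOf(from)` plus `_transfer` pattern in `idolRescue()` can leave one share behind at the source through double rounding, while moving the share count directly empties it. The class, the function names and all numbers are constructed for illustration.

```python
class ShareToken:
    """Simplified model of a rebasing token that stores shares, not balances."""

    def __init__(self):
        self.total_pooled = 0   # wei backing all shares; grows on each rebase
        self.total_shares = 0
        self.shares = {}

    def mint(self, holder, shares, pooled):
        self.shares[holder] = self.shares.get(holder, 0) + shares
        self.total_shares += shares
        self.total_pooled += pooled

    def balance_of(self, holder):
        # balance = shares * totalPooled / totalShares, rounded down
        return self.shares.get(holder, 0) * self.total_pooled // self.total_shares

    def transfer_shares(self, src, dst, n):
        if n > self.shares.get(src, 0):
            raise ValueError("insufficient shares")
        self.shares[src] -= n
        self.shares[dst] = self.shares.get(dst, 0) + n

    def transfer(self, src, dst, amount):
        # the amount is converted back to shares, rounded down a second time
        self.transfer_shares(src, dst, amount * self.total_shares // self.total_pooled)


def build():
    """Constructed state: 10e18 shares backed by 13e18 wei (numbers are made up)."""
    t = ShareToken()
    t.mint("treasury", 7 * 10**18 + 3, 0)
    t.mint("others", 3 * 10**18 - 3, 13 * 10**18)
    return t


def rescue_by_balance(t):
    """Mirrors idolRescue(): transfer balanceOf(from). Returns shares left behind."""
    t.transfer("treasury", "multisig", t.balance_of("treasury"))
    return t.shares["treasury"]


def rescue_by_shares(t):
    """Alternative: move the share count itself. Returns shares left behind."""
    t.transfer_shares("treasury", "multisig", t.shares["treasury"])
    return t.shares["treasury"]
```

The remainder is dust, but a post-upgrade check that asserts a zero balance at the source address would fail on it.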