Per this announcement, Jason, aka punk1004.eth, has been removed as a contributor to YAM and had all permissions removed from github.
Here is the conclusion that the YAM core team has come to after reviewing all the evidence that was presented to us (copied from the statement made on Medium):
- There are multiple connections between the contributor’s public wallets and the exploiting (bad actor) wallets.
- There are multiple connections between the contributor’s public github account and the second github account that was used to do work on these other projects that had funds stolen from them.
- There are connections between the contributor’s github account and Ethereum wallets to other github accounts and other Ethereum wallets that have worked on, deployed, or been the recipient of funds from projects that many would consider to be scams, or at the very least, suspicious.
- There is circumstantial evidence including chats and a voice recording that seem to match characteristics of the contributor.
- The distinction of whether this contributor was personally responsible for these actions or unwittingly caught up in the actions of other individuals ultimately does not matter. Their involvement shows extremely bad judgement and is a serious security risk for YAM.
There are additional decisions that need to be made regarding the payment for previous work Jason has done and continued membership on our discord that need to be answered by the YAM community.
YAM token holders will have the opportunity to vote on 2 proposals that affect this situation.
Contributors are paid in both stablecoins and YAM based on their approved compensation proposals. The YAM is streamed over 3 months and the stablecoins are paid retroactively every month for work done over the past month. Jason’s YAM stream has ended and will not be renewed. His payment in stablecoins typically would be paid in the monthly on-chain vote with the rest of the contributor’s payments.
The question here is whether the DAO thinks that Jason should receive payment for his last month of work. He has performed the work and tasks that he was given over the last month, and the exploit of which he is accused occurred on the 3rd of November, after the period of work for which he would be paid.
Jason has been removed as a contributor from YAM and his status as a core team member has been revoked. All access to YAM code, contracts, private chats, etc has been removed. The security risk to YAM has been dealt with. But as of right now punk1004.eth is still a member of the YAM discord.
All should be aware that if banned there is no way to prevent him from creating another account and re-joining the discord. So banning him is a statement rather than a functional action.
Should punk1004.eth be banned from the YAM discord?
These decisions are either beyond the scope of what the core contributors believe they should be deciding upon or are unclear on the best course of action. We feel our best way forward is to put these questions to the DAO as a whole and follow the will of the YAM token holders.
Snapshot votes for these 2 questions will be created and their outcome will be followed by the contributors with the power to carry them out.
- If the vote to pay Jason is successful, he will be paid for his work done in October in the next on-chain proposal
- If the vote to pay Jason is unsuccessful, we will not be included the next on chain proposal.
- If the vote fails to meet quorum then Jason will be paid for his work done in october in the next on-chain vote.
- If the vote to ban punk1004.eth from discord is successful, he will be banned by a moderator.
- If the vote to ban punk1004.eth from the discord is unsuccessful, he will not be banned. He can still be banned in the future for breaking the rules of the discord.
- If the vote fails to meet quorum then punk1004.eth will be banned as that is how a majority of core contributors voted in an internal poll.
Snapshot for YIP 92: Snapshot
Snapshot for YIP 93: Snapshot