Umbrella Arbitration Criteria:
When considering our role as arbiters within the Umbrella system, we must carefully lay out how we plan to determine the validity of an exploit. The two main protection providers today (Cover and Nexus) take highly divergent paths. Cover has no publicly stated criteria and the community is free to vote as it pleases, before the claim goes to a council of auditors who make a final ruling. Nexus, on the other hand, requires proof of loss when submitting a claim, and also requires the hack to occur specifically in the covered protocol (i.e., a Harvest exploit resulting from Curve manipulation would not be covered for Harvest protection seekers).
There are multiple angles to consider here:
Arb vs. Exploit - Code is Law?: Where is the line between an exploit and intended code functionality that was not fully appreciated by users? What’s an arb vs. an exploit? A good example is Compound’s recent DAI liquidations as a result of its single-source Coinbase oracle. It was always known that Coinbase is the single oracle, and this was a somewhat known attack vector – is it an exploit?
- Proposed Policy: When you get car insurance or home insurance, it’s because you know you might get in a wreck or have a home fire, but neither is expected or intended behavior. In general, Yam’s guiding principle should concern loss of funds related to unexpected or unintended behavior.
Composability vector: The affected protocol is NOT the manipulated protocol (i.e., all the Curve flash loan exploits). Which does Umbrella protect?
- Proposed Policy: Umbrella is most concerned with loss of funds. In most of the Curve cases, Curve LPs actually profited. Umbrella will arbitrate claims according to loss of funds – if a composability exploit results in loss of funds for more than one protocol, each would be valid for a payout.
Severity of Exploit: Sushi recently experienced an exploit totalling approximately $15k in lost rewards prior to the exploit being discovered and stopped. Cover did not consider this a valid claim. What is Yam’s threshold for a valid exploit that deserves a payout? This is likely the most difficult decision to make.
- Proposed Policy: Perhaps there is a threshold that exists as a ratio of (exploit lost funds) / (total coverage purchased), such that if the amount lost to the exploit is less than, say, 50% of coverage purchased, a payout does not occur.
This is an open discussion, and there may be additional considerations to account for and different solutions.