CP90: Recovery of lost CFG tokens

Uses component: CP4

Author(s): @stefan

Technical/non-technical proposal: Technical

Date proposed: 2024-02-14

Short Summary

  • Recovery of lost tokens

High-level objective

  • Burn tokens on an inaccessible wallet address and mint the same amount of tokens on a new wallet address while increasing the vesting schedule lock

Background

I, Stefan George, am writing this proposal to request the burning and reissuing of my personal CFG tokens.

Unfortunately, I lost access to my Centrifuge wallet, which makes it impossible to access my Centrifuge tokens. For unfortunate reasons, the wallet is dysfunctional, and the backup of the wallet is not complete, making it impossible to restore access even after significant effort was applied to restore access.

The respective tokens are held in the following wallet:

The tokens were purchased from members of the Centrifuge founding team on 04.04.2022 through an OTC transaction, contractually assigning the account above to me, Stefan George. Tokens were issued in a vesting contract for 730 days.

I am serving as CTO and co-founder of Gnosis. This proposal is coming from me, personally, and not from Gnosis. There are ongoing collaborations between Gnosis and Centrifuge, which I did not initiate but supported. Those should not be considered for this proposal. Independent of the outcome of the proposal, I will continue to support Centrifuge. I participated personally again in the last round of Centrifuge and believe in the mission of Centrifuge to provide the platform for real-world assets.

I propose to reissue the tokens to a newly created wallet with an additional 360 days vesting, extending the total period to 1090 days.

Description of Activity

Please be informed that this proposal does not aim to augment the token issuance. Instead, it seeks to solely regain access to irretrievable tokens and increase the vesting lock period for the recovered tokens.

The action plan structure:

  • Create an on-chain governance vote (democracy proposal) for burning tokens on the inaccessible wallet address (4gResb8JcTKHgm99XHTcfeXKzYwsL7kyaPQJzqtfK53ZHdy2) and minting the same amount of CFG tokens on a new wallet address (4gKHDr9DkLz2GDbYTfZME174Q8CLoDpbgW9iXykiuHXba4Pv) while increasing existing vesting by +360 days (total period to 1090 days).

Change or improvement

  • SetBalance 10,000,000,000,000,000 (0.01 CFG) tokens on lost hardware wallet 4gResb8JcTKHgm99XHTcfeXKzYwsL7kyaPQJzqtfK53ZHdy2

  • SetBalance 1,123,090,000,000,000,000,000,000 (1,123,090) CFG tokens on a new wallet address 4gKHDr9DkLz2GDbYTfZME174Q8CLoDpbgW9iXykiuHXba4Pv

  • Increase vesting schedule lock by 360 days (total period of lock 1090 days). Starting vesting block #161,613 will remain unchanged.


The RFC will be open for a minimum of 14 days.


Update 2024-03-07:

The proposal was submitted on-chain by @stefan via Democracy proposal. All CFG token holders can vote on this proposal from 20:05 CET on 9 March 2024.

Pre-Image: 0x634c787ba6a38898dcb27bf0c8e85a1d05a4c73ffc8efd863313f1aa85f6dbe8

IPFS: QmQ4iDRTQHjYJkGFqqtdCNaRGvRYBBPZWdxTVBMqhPZyxN

4 Likes
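A check a voter could run on the two addresses and the two SetBalance amounts in the proposal above before voting. This is an added example, not part of the original thread or Centrifuge's own code; it assumes the addresses are SS58-encoded with network prefix 36, and takes 18 decimals from the proposal's own figure of 10,000,000,000,000,000 base units = 0.01 CFG.

```python
import hashlib
from decimal import Decimal

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CFG_PREFIX = 36    # assumption: Centrifuge's SS58 network prefix
CFG_DECIMALS = 18  # implied by the proposal: 10**16 base units = 0.01 CFG

def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def checksum(payload):
    # SS58: first two bytes of BLAKE2b-512 over "SS58PRE" || prefix || key
    return hashlib.blake2b(b"SS58PRE" + payload, digest_size=64).digest()[:2]

def ss58_encode(pubkey, prefix=CFG_PREFIX):
    payload = bytes([prefix]) + pubkey
    return b58encode(payload + checksum(payload))

def ss58_decode(addr, prefix=CFG_PREFIX):
    """Return the 32-byte account id, or raise ValueError."""
    raw = b58decode(addr)
    if len(raw) != 35:
        raise ValueError("expected 1-byte prefix + 32-byte key + 2-byte checksum")
    if raw[0] != prefix:
        raise ValueError(f"network prefix {raw[0]}, expected {prefix}")
    if checksum(raw[:33]) != raw[33:]:
        raise ValueError("checksum mismatch: address is mistyped or corrupted")
    return raw[1:33]

def to_cfg(base_units):
    return Decimal(base_units) / Decimal(10) ** CFG_DECIMALS

if __name__ == "__main__":
    for label, addr in [("old", "4gResb8JcTKHgm99XHTcfeXKzYwsL7kyaPQJzqtfK53ZHdy2"),
                        ("new", "4gKHDr9DkLz2GDbYTfZME174Q8CLoDpbgW9iXykiuHXba4Pv")]:
        try:
            print(label, "account id:", ss58_decode(addr).hex())
        except ValueError as err:
            print(label, "REJECTED:", err)
    print(to_cfg(10_000_000_000_000_000), to_cfg(1_123_090 * 10**18))
```

A passing checksum only shows that the address string is well-formed for the expected network; it says nothing about who controls the key, which this thread handles through the counterparties' confirmations.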

Hi Stefan,

Sorry that you lost your credentials — but it’s great to see how our system of onchain governance can be useful here!

I am for this proposal, on the condition that we are able to verify the addresses.

  1. The initial account to burn from: is it your own or from the Centrifuge team in which it vests your tokens? Could a member of the Centrifuge founding team (@lucasvo?) confirm that this is the correct address?

  2. Likewise for the account to mint into: we should confirm it’s yours and you are the real Stefan George :). The first action that comes to mind is to get verification from you via personal channels you’ve used to contact the Centrifuge team members you made the OTC / investment transaction with and for them to confirm here.

Devin

2 Likes

Wondering if it’s possible to burn tokens in an inaccessible wallet? How does that work? I was always of the understanding that to burn tokens they must be sent to a burn address.

1 Like

I guess that in this case it refers to an extrinsic call:

First step:
  • Set balance (old wallet address) → set 0 CFG

Second step:
  • Set balance (new wallet address) → set X CFG

Third step:
  • Add vesting: vesting → VestOther

Or another way could be used:
Vesting → ForceTransfer from wallet A to wallet B + add vesting

I guess that more expert users can correct me.

1 Like

Ahhh, ok. Didn’t know such an extrinsic call existed. Makes sense.

Hi Devin,

Thank you for commenting on the proposal. I agree, the two conditions have to be met. I have contacted the founding team to comment here confirming the ownership of the old and new accounts.

Stefan

Hi folks, Philip Stehlik here. One of the Centrifuge co-founders and a counterparty to the OTC deal with Stefan George.
I can confirm that 4gResb8JcTKHgm99XHTcfeXKzYwsL7kyaPQJzqtfK53ZHdy2 was Stefan’s wallet address in our OTC contract papers.
I can also confirm that I have been in contact with Stefan outside the governance forum about this issue and that he is the one who authored this post.

3 Likes

Hi there, Maex here, or Markus Ament. I am one of the co-founders of Centrifuge and was also a counterparty to the OTC deal of Stefan.
I am in contact with Stefan about the post and the issue.

3 Likes

@lucasvo or @itsbhaji could you confirm the above? Philip and Maex’s input is good here, but we can’t be 100% sure it’s legitimate from the above two posts alone as these accounts were recently created and these are the first posts they’ve made.

3 Likes

I spoke with Maex directly and can validate the legitimacy.

3 Likes

While I have no problem doing this, especially through governance actions, I believe this will have ramifications beyond just Centrifuge’s one time use of this extrinsic. I understand that the wallet is confirmed by a number of Centrifuge personnel and the OTC counterparty himself, but the use of this extrinsic, even once, will invite a lot of negative feedback.

Although it’s not the exact same case, ChaosDAO went through something similar when it issued a very contentious proposal via OpenGov to use the “forceTransfer” extrinsic for lost funds that were paid out by the treasury to the Supercolony team. At the time, they had to make a quick exit from Ukraine, and understandably left behind the private keys to the wallet in question in their haste. Though they did not ask for the forceTransfer (which is where the analogy also breaks down a bit due to this request coming from the wallet owner), the attempt to even do such an action created a heated dialogue about whether or not this extrinsic should even exist (financial sovereignty, etc.).

In the end, the proposal failed, but it highlighted a part of the code that many did not know even existed (it makes sense that Parity would build this in after the famous early Parity hack circa 2017). I had no idea this extrinsic even existed until I read this proposal, and one of the unintended consequences of its use is that it will raise a very similar specter and its attending thorny questions about whether anyone should ever wield such power over another user’s wallet (even if requested and the identity thereof is unquestionable). I only broach this topic because I fear it may get people chatting about this again, for better or worse.

Again, when this goes on chain, I have no qualms with voting AYE (just as I did with the Supercolony vote), but it will potentially have a similar backlash with people stating this will set a precedent, etc.

Best of luck,

Ryan / Phunky

3 Likes

Thank you for your feedback.
For those who missed this proposal:

Thank you for your feedback @The_Phunky_One_Lucky

I agree, it is an important discussion. Similar discussions have been done before dating back to the times of TheDAO hard fork or even in the case of stolen funds on Agave on Gnosis Chain. It boils down to how a community reacts to the loss of funds and if the community can coordinate around one decision. In the case of TheDAO it did lead to a successful hard fork but also the existence of ETC. If I were to submit a similar proposal to Ethereum today, no one would take me seriously for obvious reasons. In the case of the Agave money market failure, the Gnosis community decided to make the users whole again. This decision was mostly informed by users being early adopters of the Gnosis ecosystem and also mostly contributors.

In my specific case here, as the ownership is apparent and the community is seemingly aligned, I hope coordination is possible to restore access to funds. The main difference is that I am a single person asking for a favor in a situation that, while unfortunate, is solely my responsibility.

Thank you @maex242 , @pstehlik for commenting on this proposal.
Tomorrow we have a Governance Call and we would like to invite you. @stefan will present his proposal and it would be great to have you on that call.

1 Like

Thanks for the invite. I don’t know yet if I will be able to join the call.
I hope the comments on this thread by @maex242 and myself, confirmed by @itsbhaji (at least for @maex242's involvement), suffice in any case to legitimize @stefan's request.

2 Likes

Recovering lost tokens is always hard as it’s almost always impossible to actually prove ownership of the tokens. In this instance there seems to be credible evidence, and with the 1yr lock placed on the tokens it means governance can always react and undo if there was ever a dispute.

Overall I wanted to share though that there have been a few improvements made. The only cold wallet that was supported originally was Parity Signer. I have heard from multiple people that they have had issues with it and it’s a less than ideal version. Adding EVM support means that Ledger is now supported very easily for anyone and people who want to use a hardware wallet can use a Ledger; a product a lot of crypto users are already familiar with. Hopefully that improves the situation for everyone!

3 Likes

I am in favor of a version of this recovery

  • demonstrating social consensus in DAO supersedes on-chain consensus
  • creating a streamlined way for such recovery
  • enabling future CFG owners to make such claims, verify them, and with sufficient buy-in, cause the execution of an extrinsic call.

4 Likes

This proposal was discussed by @stefan and CFG Token holders during the Governance Call #25.

For those who missed it, you can watch the rec here - Centrifuge Governance Call #25 | 2024-02-21 - #3 by ImdioR

I just watched the recorded governance call and I would vote AYE on this proposal to restore access to Stefan’s funds, given the predicament and proposed due diligence approach to verify the legitimacy.

I was already aware that the forceTransfer extrinsic existed and I believe it should stay.

Potential similar requests in future to recover lost funds

I think similar proposals should also be allowed in future, but since there is always the possibility that such a request could be fraudulent, I think that an on-chain refundable deposit to the treasury should be required to discourage any such fraudulent requests that wouldn’t be returned to the proposer if the request was deemed fraudulent, since that could at least compensate the community for lost time in handling the request.

I think the due diligence procedure that is followed in this proposal should also be standardised and published publicly on IPFS or similar, and with a link to it included in a new standard procedures section in the governance process section of the Centrifuge website.

3 Likes

Hi there!

Over the past few years, I have been asked to help restore access to several Parity Signer accounts.
Sometimes it was possible to restore it, in others, unfortunately, it was not possible. Not all cases of recovery assistance were successful.

The main problem with this recovery request is proof of ownership.

Due to the fact that in this particular case the legitimacy (ownership) is confirmed:

  1. Transaction from a wallet with identity.
  2. OTC contract.
  3. Confirmed by two co-founders of Centrifuge.

In addition, the additional condition for adding a lock favourably influences my final decision.

Personally, as a token holder, I support this proposal and will vote for it.

1 Like