Neemo Exploit Reimbursement Plan

and do you intend to do this by repaying the remainder of the community with the proceeds from dapp staking? :face_with_monocle:

Thanks for your feedback.

In most incidents of this kind, compensation is typically based on a snapshot from before the attack. Does this mean that Neemo has intentionally decided not to follow such a snapshot-based compensation plan in this case?

We did consider using a snapshot-based approach. However, with nearly 10 different dApps involved, the calculation would become overly complex and might cause miscalculation and significantly delay the process. Moreover, compensation to DeFi users, who make up the majority, would be greatly reduced under that model. For these reasons, we chose to propose the current structure.

This amount appears to be around 30M less than the ASTR recovered. Was this difference intentionally excluded for operational purposes?

As @Gaius_sama explained, this excludes the Chunk1 amount because that portion was no longer held in nsASTR at the time.

Thank you very much for your valuable feedback. We are actively listening to the community’s input and working to address the concerns raised.

I strongly believe Neemo should include this in their compensation plan as a second phase.

Regarding this point, we’ve already begun discussions with both protocols. Since it’s essential to both eliminate bad debt and prevent unnecessary liquidations, we are moving forward on both fronts.

Our current intention is to include these users in the future nsASTR cohort for compensation. However, we haven’t explicitly stated this yet, as the exact amount of bad debt is still uncertain at this stage.

Regarding point 2, DeFi user, we will be making an announcement on the next steps shortly.

As for UntitledBank and Sake, we’ve already had multiple discussions around liquidation and bad debt. However, in order to prevent any potential malicious actions, we believe it’s important to first conclude this current discussion before moving forward with further steps.

It is included in the protected 200M ASTR

1 Like

As mentioned earlier, this part is confirmed and will be implemented as planned:

100% of rewards — minus minimal operating costs — will be forwarded to the compensation pool each month until the pre-hack exchange rates are fully restored. In addition, any extra funding sources from Neemo Finance — including new protocol revenue and assets recovered from the hacker — will also be directed into the pool.

As for other options, while not finalized, we have indeed been exploring possibilities such as investment, acquisition, or loans. However, since nothing has been confirmed yet, disclosing premature information may lead to unnecessary confusion, so we will provide further details only when appropriate.

2 Likes

First of all, I believe an additional option must be introduced, rather than limiting us to the three options that were proposed by the team without prior consultation. The new option should be: the ASTAR team directly returns all custodied ASTR to the original stakers, while those who actually suffered losses in ETH should be compensated through the recovered ETH and the protocol’s future revenues. These two groups must not be lumped together for compensation.

The reasons are as follows:

  1. The ASTR currently under custody belongs to the original stakers and should not be treated as compensation funds controlled by the NEEMO team.
  2. The nsASTR obtained from staking is merely a certificate. While excessive minting may have deprived original stakers of the ability to redeem their funds, most of the ASTR is still safely held in custody. Therefore, we can bypass nsASTR entirely and return the funds directly to the affected original stakers.
    This would honor the protocol’s custodial commitment to its stakers and avoid complications arising from nsASTR.
    Although this may impact a small group of investors who directly purchased nsASTR with USD, it should be noted that in DeFi, assets like nsASTR that are intended to be pegged can easily become depegged. Price depegging risks are inherent and should be properly assessed and borne by those choosing to invest in such assets.

Furthermore, this approach brings another benefit: for those who staked ASTR, converted it into nsASTR, and then used it in other DeFi protocols for staking, borrowing, or liquidity mining (e.g., SAKE Finance, KYO Finance, Untitled Bank, etc.), they would be spared the cumbersome processes of redemption, unstaking, LP removal, and gathering enough nsASTR to retrieve their frozen funds.

Therefore, I strongly recommend adding this option:
“Let the ASTAR team directly return all custodied ASTR to the original stakers, while ETH victims are compensated using recovered ETH and future protocol revenues.”

5 Likes

I was not feeling directly attacked, but it seemed like I had to clarify some points. Not only for you but the broader audience, that is also following those discussions intensively.

I can assure you that this topic has been deeply discussed within the Astar Degens Council and also DAO-Members were providing helpful input. We are well aware of the situation. In any case there is not enough dry powder to cover such a loan and justify its allocation based on our portfolio. Yet we always have the best interest of the ecosystem and holders at heart. We will follow the discussions closely and provide input or help when necessary.

We do appreciate what Neemo is doing and we are very sorry for the current situation. I also think it was a genuine oversight, but we cannot confirm. We do not know who the hacker is and that part of the funds were recovered sort of fast does raise questions.

Neemo-astr-bank is not putting nsastr as collateral. It’s putting simple astr in Earn Pool. How can I withdraw nsastr?

This proposal was not made by Neemo team alone. As mentioned earlier, it was developed with input from the Neemo community, the Astar community, the Astar Main Council, the Astar Collective, and relevant DeFi protocols.

We did consider using a snapshot-based approach and refund to nsASTR and nrETH only. However, with nearly 10 different dApps involved, the calculation would become overly complex and significantly delay the refund process. Moreover, compensation to DeFi users, who make up the majority, would be greatly reduced under that model.

For these reasons, we chose to propose the current structure.

That is not a supply of nsASTR, but of ASTR. We are currently working with Sake and UntitledBank to enable supply withdrawals.

Understood. Given the practical limitations in tracking data, if that is the basis for your decision, I have no objections. However, since there is still no clear information regarding compensation for DeFi participants, we must also consider this point; otherwise, distortions may arise later.

Apologies — that was my misunderstanding.

I fully agree with @Gaius_sama's opinion. The approximately 200M ASTR was protected by the Astar Foundation and the community, and should be returned directly to nsASTR holders. It is not an asset that Neemo can use at its own discretion.

Here is a recap of the current situation:

  1. ASTR protected in the treasury: 204,283,546.036 ASTR
  2. Chunk1 amount returned to users: 26,783,546.036 ASTR
  3. Remaining ASTR available for nsASTR redemption: 177,500,000 ASTR
  4. nsASTR eligible for redemption: 204,375,104.425 nsASTR
  5. Total ASTR required for redemption: 226,856,365.912 ASTR
  6. ASTR shortfall: 49,356,365.912 ASTR
  7. (*ASTR needed for redemption based on pre-hack snapshot: 175,796,365.912 ASTR)

As shown, there is a shortfall of approximately 50M ASTR.

If redemption is carried out based on a pre-hack snapshot and DeFi users (likely primarily liquidity providers) are handled through a separate process, it would be possible to complete the repayment immediately — though it’s unclear whether such a decision would gain consensus.

Also, I had overlooked it earlier, but could you clarify what the “Discount Ratio” refers to?
Why was this specific percentage chosen?

5 Likes

Having you around makes me feel at ease.

2. Secure ownership transfer: Revoke old keys; assign control to a new Neemo multisig.

3. Direct staking via Astar portal: Users stake ASTR directly to Neemo dApp through the [official portal].

So the Astar team can make sure Neemo is not getting hacked again.
Does a contract update need to go through the Astar council?
If this still happens, this will really kill the community.

I just can’t believe in Neemo. The Neemo multisig doesn’t even matter.
Because it’s still on Neemo’s team, not the community, not the Astar council.
How to prevent them from updating the hack contract again?

1 Like

To clarify, the Astar Foundation does not own or control the 200M ASTR that were protected during the incident. These funds are currently held by the on-chain treasury, which means that only a governance referendum can authorize their transfer for any distribution.

The Astar Foundation, via its team members and as an LP provider, holds the same status as any other community member in this matter, is impacted and has no special privileges.

Additionally, this is far more complex than simply redistributing funds to stakers. The affected users were liquid stakers on Neemo Finance on Soneium, which means:

  • The 200M ASTR would need to be transferred back to Soneium.
  • A snapshot of all nsASTR holders would be required.
  • A mechanism to burn nsASTR and redistribute ASTR would need to be put in place.

As @you425 rightly pointed out, there is also a shortfall of ~50M ASTR, meaning nsASTR holders will not be able to recover 100% of their funds.

Given the complexity of the situation, the most appropriate party to lead and coordinate the reimbursement process is Neemo Finance, not the Astar Foundation. Placing the full burden, resource responsibility, and risk on the Foundation would be inappropriate and unsustainable.

There’s no way to guarantee this won’t happen again. Neemo Finance is an independent project, and although it was audited, the exploit resulted from human error and a vulnerability in the key storage system, something even we could not have anticipated.

Expecting the Astar Foundation to oversee all DeFi projects using ASTR tokens is simply not operationally feasible and not scalable.

That said, the Astar Foundation remains committed to supporting, guiding, and advising on the best possible process for the benefit of ASTR holders and the ecosystem as a whole, but is not responsible for execution or operational decisions.


Gaius_sama, Main Council :astr:

Is there really that much liquidity provided by Astar before the snapshot?
49,356,365.912

And most of the liquidity providers are Neemo, the project team, and AFC.
Why not prioritize the users of the ecosystem?

So why was it decided to put it on the official website?
Please be very careful
@you425 @Mouthmouth68

2 Likes

@you425 and @Mouthmouth68. You are the only two I can trust.
I just don’t understand the Astar team’s thinking right now. If this plan is reviewed by the Astar team.

This is what Neemo says.

Incident: Unauthorized upgrade and exploitation of Neemo Finance’s nsASTR and nrETH deposit contracts, resulting in a loss equivalent to 182.6741 ETH + 166,027.12 USDC (post conversion). Mitigation: The Neemo app was transitioned into maintenance mode. The Neemo team collaborated with the Astar team to pause the dAppStaking module to prevent further loss.

166,027.12 USDC (post conversion) = 5357869.675250944277823099 astar

You can check the following resources for the full context of the situation:

@LiangYu
Let’s take a moment to calm down. We need to confirm the facts objectively.

Neemo applied for the UCG program in July of last year and was approved, followed by its mainnet launch. The UCG approval went through community governance, and the Astar Foundation does not bear responsibility for it. This is true for all projects listed on the Astar Portal.

There has been repeated misunderstanding that it is “officially certified,” but being listed on the Astar Portal does not imply official endorsement, and even if it did, it does not make the Astar Foundation fully responsible. If a bank in a building is robbed, would the building’s owner be held accountable? Of course, if there was a security oversight, that’s a different matter — but in this case, there was no fault in the platform itself.

Despite that, when the incident occurred, they coordinated with Neemo and acted promptly to protect ASTR. I believe this already fulfills a sufficient level of responsibility.


Additionally, although the protected ASTR is currently held in the treasury, it is not managed by the Astar Foundation. It is managed through on-chain governance by ASTR holders, including us in the community. The Astar Foundation cannot move funds at its sole discretion.

Given that, it would be difficult for the Foundation to carry out operations such as burning nsASTR or redeeming ASTR. Moreover, this spans across both the Soneium and Astar platforms, and the steps involved in the repayment process are highly complex. Having the Astar Foundation handle all of this would be inefficient and unnecessarily complicated.


The key issue now is how to handle the nsASTR that was used in DeFi protocols. This has created a 50M ASTR liability that would not have existed otherwise — and that’s a major problem.

It may not be entirely fair, but personally, I think the following process is a reasonable direction to take:

1. Distribute ASTR based on a snapshot of nsASTR holdings before the hack

This will allow simple nsASTR holders to receive 100% redemption of ASTR at this point.

2. Distribute ASTR to nsASTR used in lending, based on their positions

The issue here is how to handle loops. As long as the pre-leverage collateral is returned, I believe it should be acceptable — though this may need more careful consideration.

3. Distribute ASTR to nsASTR used for liquidity provision

This is the most difficult part. Due to AMM mechanics, liquidity providers will likely end up holding a large amount of nsASTR. If we try to repay them fully, it would be clearly unreasonable.
Therefore, we could take half of the position amount from the pre-hack snapshot as nsASTR and redeem that amount in ASTR. The remaining half will be allocated for future repayments.

This plan would not require burning of the existing nsASTR.

Under this plan, DeFi users would be at a slight disadvantage, but personally, I believe this is just the nature of DeFi “Lego” systems. I’m actually a liquidity provider myself, but I accept that this level of risk is inherent.

Additionally, if consensus can be reached within the community, I believe there is an option for the treasury to loan the missing ASTR, and for Neemo to repay it later. However, even if that approach is taken, the compensation amount to DeFi users must be adjusted — because at present, it is excessive.

Also, in order to properly execute this plan, having the Astar Foundation take on the operational work would be inefficient. I understand the concerns about trusting Neemo, but the most effective way to proceed is to have Neemo carry out the necessary tasks.

If trust is still an issue, one potential compromise could be to include a representative from the Astar Foundation in the multisig until the work is completed.

7 Likes

You really understand the situation.
Must join the Astar official multi-signature. Then, if the project makes misleading statements, it should be clarified specifically.

Listing on the Astar portal makes sense, but direct staking via the Astar portal has a different meaning and must be clarified.
Can stake through the portal list right now, no need to point this out. It will make people think Neemo can be used directly on the portal.

This is why I ask this question. Because I trust Astar, not Neemo.

1 Like