Reimbursing costs incurred to JPEG’d DAO during the July exploit


This proposal aims to address the financial setbacks experienced by JPEG’d DAO and its community due to the Vyper exploit on July 30th, 2023 while having more locked veCRV owned by ecosystem participants. JPEG’d is a leading NFT lending protocol, which has had an active presence on Curve since its inception in early 2021 and has a good track record of safe and professional operation. They swiftly mitigated the impact to their users using their treasury and recovered funds. Passing this proposal would demonstrate Curve DAO’s commitment to supporting DAOs who work at growing the Curve ecosystem.


On July 30th, 2023, Curve DAO faced an exploit that impacted various pools, including the pETH/ETH and JPEG/pETH pools. This exploit resulted in a loss of approximately worth 1,375 ETH both in JPEG tokens in ETH equivalent, significantly affecting JPEG’d DAO and its users. We acknowledge that this loss was not a result of any action taken by JPEG’d DAO, and we appreciate the timely actions taken by the JPEG’d team to recover and redistribute the majority of the losses to their community members. In fact, JPEG’d worked days and nights to compensate their users faster than anyone else affected.

Since inception in March 2021, JPEG’d DAO has a proven track record of consistent Curve governance participation, with holdings of over 1.5 million CVX tokens, and of Curve liquidity provision with over $20 million in the pUSD/3CRV pool and holding over $20 million in the pETH/ETH pool at the time of exploit… During the aftermath of the exploit, JPEG’d commendably focused on resolving the financial losses of their users and not blame attribution. The team managed to recover 90% of the exploited funds and disbursed them to their affected users, and non-users.

JPEG’d users were made 100% whole at JPEG’d DAO’s expense, while non-users were reimbursed ~80% of their value. The recent Curve DAO proposal managed to make the other pETH/ETH LP whole, but didn’t address the cost incurred by JPEG’d DAO as a Curve user.


In recognition of the loyalty and resilience demonstrated by JPEG’d DAO during this challenging period, this proposal is to compensate JPEG’d DAO for the losses incurred due to the exploit on July 30th, 2023.

The losses incurred by JPEG’d are split as follows:

Token Amount
ETH 809.27
JPEG 1,617,164,411.78
USDC 50,000.00

Based on the price of CRV in ETH at the time of the hack, and accounting for a 25% premium request for the risk undertaken by JPEG’d DAO. We propose offering 6,042,462.25 veCRV tokens as compensation, a form that aligns with the risk undertaken by JPEG’d DAO. The premium aligns with a market precedent: Frax Finance charges up to 20% penalty for exiting 4y voting escrow position. The inverse math of 1/0.8 would yield a 25% bonus for entering voting escrow position. Alternatively, buying CRV OTC with a lock would result in a similar discount. We believe this compensation is fair, considering the circumstances, and will contribute to driving liquidity back to Curve.

JPEG’d DAO was already whitelisted to be eligible to lock CRV, and they will lock and use the resulting veCRV for participation at Curve governance.

State of DAO finances

Curve DAO has spent 71’768’597.75 CRV out of 123’915’151 CRV available in the DAO for the hack compensation already. However, there is also Curve Community multisig [0xc420C9d507D0E038BD76383AaADCAd576ed0073c] which currently holds 13M worth of already vested CRV. I propose to use CRV from that reserve. The Community Grants Council who controls it, however, doesn’t want to singlehandedly make such an important decision, so it is proposed that the multisig will transfer 6.042M CRV tokens to Curve DAO, and the DAO will hold a fully decentralized vote about this compensation.


This proposal presents an opportunity for Curve DAO to reaffirm its commitment to fairness and support for loyal members within its ecosystem and is a fair gesture seeing we already compensated all users affected by the July exploit, except JPEG’d DAO. Providing compensation in veCRV will not only close this gap but encourage further participation in Curve governance.


a proven track record of consistent Curve governance participation

I give you…a proven track record of consistent Curve governance participation

CRV Locked after whitelist in September 23


1 Like

JPEG’d DAO would have been much better to have sought reimbursement under the same conditions as Alchemix and Metronome at the same time their reinbursement rather than to seek an extra “loyalty” bonus compensation. I personally did not agree with the total compensation given in the original proposal, as smart contracts carry risk, and there is a reason most smart contract insurance has gone bankrupt. Not that I believe they deserved no compensation, but not to that extent. Now, JPEG’d dao seeks more compensation than what was fairly given to Alchemix, Metronome, and Curve CRV/ETH LP users?

Curve governance participation is sighted as a reason for this loyalty bonus, but JPEG’d DAO’s governance participation consists of only voting on Convex Gauge proposals.

Furthermore, “Alternatively, buying CRV OTC with a lock would result in a similar discount.” If you would have liked to seek an OTC deal with Mich, you should have done so when he was offering the deal. Curve DAO has no reason to honor deals that Mich made with his personal vested CRV.

In addition, the calculations from the original compensation proposal were far less than this by a third at 2,157,132.57 CRV.

This proposal makes no case that JPEG’d DAO should receive better treatment than Alchemix, Metronome, and Curve’s own CRV/ETH LP users. This proposal seems to be in bad faith and is unfair to other protocols that have already received compensation.


I concur with this sentiment


I agree with WormholeOracle’s assessment stated below.


I don’t understand the price comment?

The JPEG’d DAO calculation are based on 0.0002844192377 ETH per CRV. AFAIK this is the same price as the one given to Alchemix and Metronome.

0.0002844192377 ETH per CRV is the price given to Alchemix and Metronome!


When JPEG’d DAO locks the veCRV, they’ve given up their only chance to claw back 1,300 ETH, and commit to the Curve Ecosystem to take on perpetual platform risk from perpetually locking the veCRV.

JPEG’d could’ve sold the CRV on the open market to create a whole year of perpetual downward pressure, but they chose to support the Curve Ecosystem with permanent liquidity and incentive to defend it no matter what.

JPEG’d is down 1,300 ETH, but they choose not to dump CRV on the open market. JPEG’d is also the only DAO who made users whole using the DAO’s own reserves. The risk taken on by sacrificing our ETH compensation and taking on perpetual risk warrants the 25% compensation bonus for perpetual support of the Curve Ecosystem.

Last but not least, everyone has different judgement of what’s fair and what isn’t, so we will speak through our votes!



First of all, I would like to welcome this proposal.


I understand where you’re coming from, but I believe the situation for JPEG’d is slightly different.
At the time of the hack, JPEG’d was heavily impacted, due to how JPEG’d relies on Curve for our services. Not only did the pETH/ETH pool get exploited, but the pETH/JPEG was used to in the exploit dumping the token price by 54% and directly impacting all JPEG token holders as well as JPEG’d users on Curve. Afaik, with Curve, it is the only other protocol whose token directly suffered from the exploit.

During this time of duress, our priority, was to make sure our users and our services could get back up and running. JPEG’d has done everything to get its users and also Curve users in the pETH/ETH and JPEG/pETH pool back on their feet.
The team has done all the recovery work, settlement with the white-hat, disbursement of funds to affected users before any other protocol could do it. During this time, JPEG’d received little support from Curve. I think it’s fair to say it was extremely stressful times for everyone then.

In my opinion, it is fair to take into account the JPEG price right before the exploit, as it is, afaik, the price taken as a basis to reimburse all affected users in the JPEG/pETH pool. Similarly, it is also the price that was used to complete the reimbursement by Curve to non-JPEG’d users, which has already been used as a basis for reimbursement calculations that are in effect.

I fail to see how the proposal is in bad faith. If anything JPEG’d paid upfront for an exploit that was on Curve’s contracts (while Curve’s social media accused JPEG’d contract to be at fault during the exploit, creating extra and unnecessary FUD on the protocol). In this sense, the situation seems slightly different than for others.

Taking this into account, what do you feel would be fair and equitable?


For additional context, here is an overview showing how the values of cost to JPEGd DAO and request for CRV are arrived at:

The 1,374.87 ETH value takes the sum of ETH/pETH/ETH-pETH LP + JPEG + USDC. It prices JPEG and USDC in ETH with values from just before the hack. It uses the CRV/ETH exchange rate from the snapshot date taken on Dec. 13th that was used to determine CRV allocations to all other victims of the Curve pool hacks. Those values are found in the script in current_prices = {"crveth": 0.62686 / 2204}.

Finally, it uses those values to get 4,833,969.8 CRV as the total DAO cost denominated in CRV and adds a 25% premium to get 6,042,462.25 CRV as the proposed recompensation value.

For consistency and fairness to the other CRV distribution, I propose to calc all values from the Dec. 13th snapshot. That changes the ETH price in USD and JPEG price in ETH to values from Dec. 13th. Modified calc below:

Furthermore, I’m not in favor of the 25% premium. I’m not really clear on why the premium is warranted; the fact that JPEGd has the prospect to receive funds immediately is already a unique benefit. So I would counter-propose to remove the premium and make the total compensation to JPEG’d at 4,601,409.57 CRV.

Modified spreadsheet here: Copy of Reimbursements Costs For JPEG'd - Google Sheets


For CRV DAO and CRV holders, DO NOT vote “AGREE” for this. JPEG’d DAO distributed the recovered funds unfairly, which result in the ~80% recovery from the 90% refund. They took our money to fully compensate themselves. If you took a look at the spreedsheet here, the gap of the unreimbursed funds are only 613 ETHs, which should be delivered to the unpaid victim. But now they are so greedy to ask for 1,375 ETH to be delivered to JPEG DAO multi sig wallet which only owned by their boss PennilessWassie. I don’t care how much that rich guy want to ask from Curve, but please compensate to the real victim first. Don’t let them to take our compensation again!

You took a look at their profile (


Thank you very much for this clarity.

1 Like

Protocols like JPEGd, much like Alchemix, are all about synergies when something goes wrong but all about taking as much as possible when things are going well.

Multiple strategies to farm and dump CRV but when there are broken plates, everyone is aligned and supportive. I see JPEG’d having locked a total of 0 CRV ever and only voting on proposals they care about and yet CRV holders are yet again footing the bill.

DeFi protocols that lose your money don’t owe you to give it back to you and it’s a shitty precedent to suggest otherwise because it implies risk free yield.

I say let’s empty this treasury to compensate everyone and find out where that lands CRV :teddy_bear::dart:

I’d personally like 5M CRV for the stress the hack caused me and although I was unaffected, it’s important to do what’s fair and equitable.


I feel your frustration, however I feel that this is an unfair comment, and you seem to be lacking information regarding recent developments.
Curve reimbursed all the affected users the missing 20%, with numbers and addresses provided by the JPEG’d team. All non JPEG’d users affected by the exploit of the JPEG’d related pools have now been made whole.
If you were affected, you should be able to claim what was missing. I hope this solves your frustration.

Seeing the confusion and insecurity at the the time, it is understandable that the community first voted to protect its users. There was no indication whatsoever back then that Curve would work out a refund plan like they did and that was welcomed by all affected users.
I believe it is the right thing to reasonably help out your peers and community if you can, especially in the field of DeFi.


I concur with it, plus, JPEG’d DAO is so greedy, they took LP users’ money to their own users in the initial refund, which result a 20% loss for partial LP users. And now they wanted to take our compensation from the Curve again, no reason to allow it.

1 Like

The same reimbursement amounts should be given to all users. There shouldnt be a “bonus” amount. And if the vecrv is handed up front for locking instead of vesting, thats a bonus in and of itself.


As I highlighted above your message, I believe the context of JPEG’d is different from the other impacted protocols. I’ll try to highlight them below:

  1. The JPEG’d team did a lot of work, as did everyone affected, to get the best resolution back in August. The DAO single handedly reimbursed affected users. This was done before knowing of any compensation plan.JPEG’d took it upon itself to make users whole and feel safe again using both JPEG’d and Curve.
  2. All previous reimbursement done by JPEG’d accounted for a the prices right before the exploit. It’s also important to note that the JPEG token price was directly affected by the exploit as the pETH depeg directly opened up a door for a huge arb in the JPEG/pETH pool.
  3. JPEG’d reimbursed users already in August, while Curve only did in December. The DAO distributed a total value of ~1347 ETH to reduce the impact on both user communities. All users were made whole, except for non JPEG’d users (neither borrowing on JPEG’d or using the JPEG’d auto-compounder) who were reimbursed 80% of their valu, but were ultimately made whole with Curve’s recent reimbursement.
  4. JPEG’d did most of the work to assess the amounts left that was covered by Curve in the recent disbursement.
  5. The disbursement method was chosen by the JPEG’d tokenholders as a DAO and several options were proposed. Ultimately, the community decided to do the best possible for non-JPEG’d users.

As such, I feel it’s difficult to exactly compare the recent reimbursements to JPEG’d’s case. JPEG’d acted with the benefits of users in mind before anything. I understand it seems similar at first, but I hope this clears up why I feel they are not and that they should be treated the same.

JPEG’d has been created with Curve in mind from the start and always intended to use it synergistically. Sure some of the voting is just gauges, but the protocol is working synergistically with the Curve ecoystem. I’m convinced it’s possible to find a fair solution that will strengthen this synergy.

Taking the above into account I would be curious what you would feel would be a fair reimbursement and how to apply it.


I am among the ranks of those who are for the exact same terms for JPEG as for all the previously-reimbursed entities.

Every one of these entities handled the situation differently, the events were very unfortunate for all involved (end users, projects building on Curve, and Curve itself), and this reimbursement campaign is a goodwill gesture from Curve to help everyone who was impacted.

This goodwill gesture should be as fair as possible, and fair is giving everyone the same terms. Given that most reimbursements have gone out already, using a single set of terms, it follows that the remainder should follow the exact same set of terms and calculations: same CRV price, no bonus, and same vesting terms.

This opinion is NOT against JPEG or anyone, rather it’s in favor of fairness to everyone involved.


Nothing you have said warrants a different dispensation terms than anyone else. In fact, I would argue that if you want to lock the CRV as veCRV directly with no vesting terms, then there should be a discount applied of 25% or more, not a premium, as you are receiving immediate benefits from the CRV you receive.

1 Like

JPEG’d didn’t just play their part; they led the charge when it mattered most. It’s time we recognize that.


Ladies and gentlemen, let’s get one thing straight – this isn’t just about a financial decision. It’s about recognizing a heroic act in the face of catastrophe. JPEG’d DAO, they didn’t just step up; they leapt into the fray when disaster struck. Remember the chaos, the fear when Curve was hit? There was Mitch, on the edge of a financial cliff, and with him, the future of Curve dangling by a thread.

But here’s where the story turns. JPEG’d, they didn’t just stand by; they took action. They dug deep into their own treasury, not just a few pennies, but enough to hire someone to turn the tide, to recover the funds. This wasn’t a gamble; it was a calculated rescue mission. If those funds hadn’t been recovered, we wouldn’t just be talking about losses; we’d be talking about the end of the line for Mitch. The fallout? Unimaginable. The FUD, the anger from customers left in the cold – it would have been a knockout blow.

Now, think about the courage that takes. While others were thinking about damage control, JPEG’d was out there, fighting to pull back every last dollar. They put their own future on the line, not just for themselves, but for the whole Curve community. They weren’t just saving their own skin; they were saving everyone’s, Mitch’s included.

So here we are, deliberating over compensation, over whether it’s deserved. Let me lay it out for you – this isn’t just deserved; it’s a debt we owe. It’s about standing with those who stood guard when the storm was at its worst. It’s about honor, about doing right by those who did right by us.

JPEG’d didn’t just prevent a disaster; they preserved our future. And for that, they deserve more than just our thanks. They deserve our unwavering support. So when you cast your vote, remember what’s at stake here. It’s not just numbers; it’s about acknowledging a savior in our time of need. It’s time to step up, just like JPEG’d did