This is the support account for Quadratic Lenster! If you have any questions about how to join a round, post, tip, or if you have any technical issues here's where to ask!
Raid Guild built Quadratic Lenster as a proof of concept stemming from an idea by Kevin Owocki - why couldn't a web3 social platform include a Quadratic Funding mechanism?
There were quite a few constraints at the time of inception as the Allo protocol and Lens v2 had not yet been announced, and our first iteration included a few hacks to make it all work properly. Our deadline was for EthCC 2023, where @owocki.lens and @stani.lens took the main stage to announce a $10k matching round for the initial iteration.
We loved working with @owocki.lens , Supermodular, @lensprotocol, and @gitcoin.lens teams to be able to ship this in time and overall the alpha round was successful with the QF mechanism working as intended.
However, we encountered two major issues from this experiment - there was initially an exploit that was noticed by early users where malicious users or bots abused a loop in the allowance flow.
While we were fortunate to catch this early on, the fix to this initial exploit led us to make a mistake when making the actual matching payouts once the round concluded.
This ended up leaving a few participants not getting paid appropriately from the matching funds, as well as a handful of gross overpayments. This was definitely our mistake, but we hope that this community and the participants of this experiment can be understanding and forgiving here. We reached out to two of the highest overpayments @punkess.lens @definn.lens and they were generous in understanding the situation when we reached out to ask if they would consider returning portions of the funds. This community is amazing!
We want to issue a formal apology to all affected by this - yes, this was an experiment and overall we want to make sure everyone who participated has a good experience and will participate in any future iterations! Our amends here were delayed due to summer travel and conferences, but we hope that we can make right and have taken the appropriate steps to get all participants paid appropriately.
polygonscan.com/tx/0x54872d2ecfa2d20e73a65ebc39e8fb80632d196f9998e1a5699a471fb8334308
Thank you all for your patience and participation here - we look forward to future rounds and implementations of Quadratic Lenster!
Due to the mishap during our original quadratic funding round, the matching funds were distributed according to the original round and not the second replacement round. Apologies for the confusion and delay in response time. We were recovering funds from the (very gracious!) recipients, who received more than their allotment. We are working on a solution and hope to redistribute correctly soon.
quadraticlenster.xyz wrap up 👇
TLDR
0. payouts are out.
more @ gov.gitcoin.co/t/quadraticlenster-xyz-launch-wrap-up/15962
Payouts for #ethcc have been sent out! Many thanks to everyone who participated!
Stay tuned here for information on upcoming rounds and further developments with quadratic lenster. The future for all of us is looking bright.
[polygonscan.com/tx/0xbbf708f145598d9ea21249415b6dcc13475e25d0cd072c6862ba4451afd2970c](https://polygonscan.com/tx/0xbbf708f145598d9ea21249415b6dcc13475e25d0cd072c6862ba4451afd2970c)
If you're a developer building on @lensprotocol in Paris during ETHCC or ETHGlobal, consider posting on Quadratic Lenster.
People are earning up to $2,500 with Quadratic Funding, and it would be a nice way to kickstart your bounty hunting. I'm setting aside $250 to add to the already existing > $10,000.00 that is part of the Paris round!
quadraticlenster.xyz/rounds-overview
Great questions @DeFinn!
👉 1+2. They didn’t get past this, they simply called the round. The vote function was called on the round contract by the attacker and then the round contract called the function on the voting implementation. So the is round contract modifier didn't actually help in this case. To your second point: the relayer address is automatically set as the msg.sender in the round implementation. This way, when the function was called from the lens module we had originally designed to use/be the relayer which would have to be an approved address. You can inspect the vote method in the round contract on our GitHub.
Voting in round contract: [github.com/bitbeckers/grants-round/blob/16b786db1367b1248e83b732cfcce5676ee54846/packages/contracts/contracts/round/RoundImplementation.sol#L384C6-L384C6](https://github.com/bitbeckers/grants-round/blob/16b786db1367b1248e83b732cfcce5676ee54846/packages/contracts/contracts/round/RoundImplementation.sol#L384C6-L384C6)
👉 3. Let’s dive a little deeper in the code.
For the vote we expect the decoded data `(address _voterAddress, address _token, uint256 _amount, address _grantAddress, bytes32 _projectId)`. It’s not the project ID but the grantAddress that sets the tip recipient. The project ID is the encoded Lens publication ID. Admittedly, this could also be something else.
In our app, the encoding happens client side as you can see in Tipping component. (LINK). The attacker(s) mimicked the functionality of the frontend but with parameters that allowed the exploit.
Data encoding: [github.com/psparacino/qf-lenster/blob/3bc857cd2462fd6c6d953017c4ea28e61b7c327f/apps/web/src/components/Publication/Actions/Tip/Tipping.tsx#L211](https://github.com/psparacino/qf-lenster/blob/3bc857cd2462fd6c6d953017c4ea28e61b7c327f/apps/web/src/components/Publication/Actions/Tip/Tipping.tsx#L211)
Data decoding: [github.com/bitbeckers/grants-round/blob/16b786db1367b1248e83b732cfcce5676ee54846/packages/contracts/contracts/votingStrategy/QuadraticFundingRelayStrategy/QuadraticFundingRelayStrategyImplementation.sol#L72](https://github.com/bitbeckers/grants-round/blob/16b786db1367b1248e83b732cfcce5676ee54846/packages/contracts/contracts/votingStrategy/QuadraticFundingRelayStrategy/QuadraticFundingRelayStrategyImplementation.sol#L72)
👉 4. Yes! Lens did a very good job at establishing that pattern and this is probably also why they’ve been pretty restrictive in allowing new modules into their production environment. A powerful property of the protocol is to have Modules with specific functionalities that are controlled by Lens users/application via the LensHub. At the risk of cutting some corners: If you create a post as a user you configure the module with specific parameters that will be used when the Module is called. Additionally, if you’re not a user or the post doesn’t have the module enabled, you can’t execute the module.
And this brings us back to the Relayer setup. The Module would be the Relayer and should have the allowance set.
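The call chain described in the answer above, as an added example that is not part of the original post and not the project's code: a simplified Python model showing why a check on the immediate caller alone does not constrain who relays a vote, and how checking the forwarded relayer does. It assumes the round contract pulls tokens from `_voterAddress` using the allowance users granted it; all addresses, class names and the relayer rule are hypothetical.

```python
# Simplified Python model of the call chain; not the project's Solidity.
ROUND, MODULE = "0xRound", "0xLensModule"   # constructed placeholder addresses

class Token:
    def __init__(self, balances):
        self.balances, self.allowance = dict(balances), {}
    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount
    def transfer_from(self, spender, owner, to, amount):
        if min(self.allowance.get((owner, spender), 0), self.balances.get(owner, 0)) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(owner, spender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

class Strategy:
    def __init__(self, token, approved_relayers=None):
        self.token = token
        self.approved = approved_relayers   # None models the missing relayer check
    def vote(self, msg_sender, relayer, voter, amount, grant):
        # Counterpart of the round-contract modifier: it only sees the immediate
        # caller, which is always the round, no matter who called the round.
        if msg_sender != ROUND:
            raise PermissionError("only the round contract may call")
        # Added check (assumption): the relayer must be the voter or approved.
        if self.approved is not None and relayer != voter and relayer not in self.approved:
            raise PermissionError("relayer not approved for this voter")
        self.token.transfer_from(ROUND, voter, grant, amount)

class Round:
    def __init__(self, strategy):
        self.strategy = strategy
    def vote(self, msg_sender, voter, amount, grant):
        # The round forwards its own msg.sender as the relayer.
        self.strategy.vote(ROUND, msg_sender, voter, amount, grant)

def voter_balance_after(approved_relayers, caller, voter, amount, grant):
    """Balance of `voter` after `caller` submits the vote to the round."""
    token = Token({voter: 100})
    token.approve(voter, ROUND, 100)        # outstanding allowance to the round
    try:
        Round(Strategy(token, approved_relayers)).vote(caller, voter, amount, grant)
    except PermissionError:
        pass                                # rejected votes move no funds
    return token.balances[voter]
```
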
Here is a link to our post mortem of the attack: [hackmd.io/@6dNOI9lFQYGC280d09lkqg/SJTkBtSc2](https://hackmd.io/@6dNOI9lFQYGC280d09lkqg/SJTkBtSc2)
We’ve launched a new round with the same #ethcc hashtag. When processing the voting data the old and new voting data will be merged, with the exception of the two malicious addresses.
If you are manually selecting a round, the correct round is ethcc round- 2.
However just using #ethcc will put you in the correct round.
We have all been extremely touched by the lens community's response to this. You have all been so compassionate and understanding. It's a beautiful thing. We hope to keep cranking up the vibes here with you until the whole world can't help but to join in!
This post is included in the ethcc round- 2 round (0xfc68882a250f5c444f737b8e4ffbfa6ca769efcd) at quadraticlenster.xyz
If you were affected by the recent exploit we deeply apologize for our oversight in allowing this to happen. The bug has been fixed, and reimbursements have been sent out. We hope to have a full fix deployed and to continue the round tomorrow morning.
Please verify that you have received your Wmatic back. If you were affected and didn't receive compensation please notify us here.
The post mortem will be published when the current round is continued.
Thank you for your patience and understanding,
The quadratic lenster team.
We have temporarily disabled tipping on our front end. Please use [revoke.cash/](https://revoke.cash/) to revoke any outstanding allowances to our round implementation contract (0xA2ae8421776035c398c22e143290697DA09d19D7). The round payouts will be unaffected by this change and a fix has been implemented. We have identified the affected users and will be sending out compensation.
A full breakdown will be coming shortly.
Thank you.