
After the Hack

Two hacks, $1.9 million gone… and the community standing behind them 🤯 THIS is how you respond to a hack 👏

In late April 2024, Pike Finance, a cross-chain lending protocol, suffered two significant security breaches (on the 26th and the 30th) resulting in total losses of approximately $1.9 million.

The protocol, in its Mainnet Beta phase, was disabled and the Pike team began their investigation.

Just a few days later, on May 2nd, they released a post-mortem detailing the mechanics of the hack along with a post explaining their plan going forward. That was fast!

The plan included steps on how to learn from the exploits they suffered, plus details of a user compensation plan.

A screenshot from an official Pike blog post outlining their post-hack plan in 6 steps, including setting up an insurance pool and executing a restitution plan for users

The compensation plan was spelled out in detail, including a clear and easy-to-understand explanation of how restitution funds would be allocated. Nicely.

A screenshot from an official Pike blog post detailing their user compensation plan

Sure enough, just over two weeks later, on May 18th, all restitution transfers were completed. There were some complaints, but the community was generally appreciative of the team's efforts and supportive of the project going forward.

A screenshot from Pike's twitter feed showing users responding positively to the user compensation plan

And the Pike team got back to work developing their v2, and they continue to enjoy significant community engagement. Who knows whether their v2 launch will be a success, but their exploit response positions them to carry on with their mission.

Pike was able to stay in the good graces of their community by responding to the exploit quickly and executing on a fair compensation plan. Admittedly, they got a bit lucky because of the manageable size and the timing of the exploit.

But other projects might not be so lucky, and that's why we encourage all projects to have an incident response plan in place with a dedicated fund for user compensation.

Even better, set up a Cozy Safety Module so that your safety fund has all the best practices already in place: funds on-chain, trigger conditions defined in advance, built-in payouts, etc.

Or roll your own. But, please god, have something.