[BIP-456] - Funding Hypernative as Balancer Security Advisor

PR with Payload

https://github.com/BalancerMaxis/multisig-ops/pull/573

Service Provider Name: Hypernative

Leader(s): Gal Sagie, Dan Caspi, Andrey Dulkin

Pledge to abide by the DAO's Code of Conduct (or link to your own): Yes

Pledge to abide by the Accountability Guidelines: Yes

Domains of Operation: Web3 Security, InfoSec/OpSec and on/off chain security

Key Objectives & Success Metrics:

Summary

We propose the introduction of Hypernative as a security advisor to Balancer DAO, Hypernative will leverage its in-house expertise to provide a full security risk and threat assessment to Balancer infrastructure, processes, on and off chain postures, devices, supply chain, 3rd-parties and more.

The initial assessment will follow a continuous support for all things Security as advised below including incident response, vendor assessment / interaction and others on an hourly rate as deemed and needed by the DAO and its teams.

The Proposal Motivation

There are many security tasks, processes and incident handling that need to be augmented in a protocol like Balancer.

The idea of this proposal is to provide a virtual CISO (Chief Information security officer) services to augment Balancer infosec and on-chain/off-chain security postures by leveraging Hypernative in-house expertise and network of connections.

The proposal will outline the responsibilities addressed and handled which will be organized and advised by Hypernative but carried and implemented fully by a combination of Hypernative and the DAO.

Balancer + Hypernative

Hypernative team has been an instrumental helper in the last security incidents that Balancer has undergone, both from helping with automated tracking of the hacks and stolen funds movement, communication with external entities like exchanges/Chainalysis and helping with the war room and bringing the relevant help to the table.

We believe that Balancer and Hypernative can together create a new standard of security program that will emphasize the DAO commitment for its users and the security of their funds.

The Proposal Details

The following are describing the various areas Hypernative can provide guidance and help in terms of the security advisory, the initial stage of the proposal will be mostly from risk and threat assessment point of view tackling all the various areas described below

1. Review development processes and code deployment, supply chain strategies to add secure by design processes to code development

• Explore and research tools (open source and commercial) to be used in the process and suggest to the DAO
• Create educational material and sessions with the community and developers teams

2. Provide security comments for code reviews and best practices by Hypernative security researchers team

3. Help with security vendors assessment and conduct security/risk due diligence for any vendor or 3rd-party

• Presenting the research and market assessments on demand from security standpoint to the DAO and community
• Help with total security budget planning, negotiations and proposing the budget to the DAO for decision making

4. Help interact and manage engagement with security and other related vendors and offload the DAO from interacting them directly

5. Audit and formal verification processes management

6. Bug bounty program help and disclosures handling and processing

7. Infosec processes for Governance participants and Wallet security

• Anti phishing/scamming monitoring for DAO members
• Personal computers security suggestions
• Multisig and wallet security hygiene and review
• Explore multisig protection services and suggest to the DAO
• Create Monitoring for DAO governance tokens and wallets

8. Governance proposal review

• Review proposals from security point of view and add relevant remarks
• Review the framework for automated testing of governance proposals - including code deployment and transactions (to address supply chain security risks) and suggest changes and new additions

9. Infrastructure Security review

• Frontend review and vendor handling
• Explore security measures for DDoS, frontend attacks, key management and integration security (3rd-party security)
• Review all SaaS and other 3rd-party vendors for security assessment and risk exposure
• Help with creating a monitoring plan (either internally or with a vendor) for Balancer infrastructure

10. Incident response management

• War room management and connection with community volunteering help and Balancer team members
• Connection to and management of vendors and network of contacts (Circle, Bridges, Chainalysis, Chain security teams, etc) to help with recovery of stolen funds and post incident help to the DAO
• Community communications and post mortem
• Creating best practices based on historical incidents and create playbooks with the learning

11. Community security representation

• Create a group of security committee members combined of Balancer team members and external security experts that participate in events/conferences and security related groups to represent Balancer security efforts
• Create and prosper connections with other protocol security groups, chain and bridge security teams, wallet companies and other external members to create a wide network of security collaboration and help for Balancer

12. Social media channels security

• Discord, Twitter, Slack, Telegram security handling and best practices

13. Phishing/Scamming and brand reputation

• Help detect phishing and scamming campaigns targeted at Balancer (with or without external vendors)

  • Address community reports
  • Report addresses and help take them down
  • Manage reporting to block explorers and phishing sites
  • Create warning channels for the community

• Engage and suggest relevant vendors for the DAO

• Help protect private DAO/Governance members personal wallets and computers from phishing and scamming campaigns

  • Monitor for any suspicious on-chain activity related to that

14. Monitor protocol contracts, multi sigs and detect chain-wide phishing and scamming campaigns targeted at Balancer

• Suggest criteria and requirements for a real time security monitoring and incident response packages from external vendors

15. Publish and share with the community about Balancer commitment and actions for security first and the investment done in this OpSec, InfoSec and chain security programs (With the needed sensitivity)

About Hypernative

Hypernative actively detects and responds to zero-day cyber attacks, financial risks, on-chain anomalies, and safeguards digital assets, protocols, and Web3 applications from significant threats and losses.

Hypernative today works with some of the leading crypto organizations (Polygon, Starknet, Zetachain, Circle, Galaxy, OlympusDAO, Karpatkey DAO, Chainalysis to name a few and many others)

Hypernative is an active participant in many crypto security organizations and committees geared towards helping projects and the industry as a whole to create new security solutions and standards.

Hypernative team is well experienced in crypto and cyber security with 10’s of years of combined experience from companies like: Microsoft, IBM, Google, VMware, CyberArk, ChainReaction, Orbs, Intel and others.

The following are a list of various protocols Hypernative was able to assist:

https://twitter.com/DeusDao/status/1661751727228596226

https://blog.hundred.finance/15-04-23-hundred-finance-hack-post-mortem-d895b618cf33

https://mirror.xyz/bonqdaoblog.eth/Mq4qgNieUi-ytphYzPU-lWY_E1J2F7STq_xlCR3qGsE

https://twitter.com/senamakel/status/1610953131252416513

https://twitter.com/Palmswaporg/status/1684902587303104512

https://twitter.com/jaypeggerz/status/1608395021031723010

https://twitter.com/0xGreg_/status/1608418111887396864

https://twitter.com/XaveFinance/status/1579735814824931329

https://www.coinage.media/s2/he-stole-200-million-he-gave-it-back-now-hes-ready-to-explain-why

Length of Engagement & Budget: Initial stage of risk assesment - 3 months - $15,000 USDC

After the initial period, $30,000 USDC will be allocated to be paid by the DAO multisig for onward work in an hourly matter based on need. Payments will be done for the same address below.

ETH Address to Receive Funds: 0x5CA24e2A586834A7B96216D68b26A82405e3DC15

Link to SLA (if going through the Foundation: Hypernative will enter into an agreement with the OpCo in the event that this proposal is accepted. At that time, we will edit this post with a link to the agreement.