TL;DR - Seeks approval for a 2-year budget of $80,000 total to spend on third-party security services. Proposes to execute an initial contract for Hexagate’s comprehensive Web3 Security Platform.
Background
To make DeFi safe and effective for billions, security has to be the first, final and foremost consideration in everything that we build. Over our 4-year history, Beefy has carved out a reputation for security, having never been directly hacked, and responding promptly and professionally when dozens of other hacks, exploits and rugs have caused issues in the protocols we build on top of.
Though our reputation for security precedes us, we must not become complacent about the importance of security. A lot of the time, the biggest risks come from “unknown unknowns” - risks that sit beyond our awareness, and where a route to learning about the possible risks isn’t even apparent to us. To combat unknown unknowns, it’s important to be conscious of the limitations of our competence, and to look to experts in the field to bridge those gaps.
One such area is in onchain security monitoring and proactive threat prevention - i.e. systems which monitor all manner of activity taking place onchain looking for active exploits or suspicious circumstances to allow for quick and effective response. Longstanding DAO members will be aware that Beefy has constructed proprietary tooling - both publicly and privately - to monitor for onchain risks of this nature. However, where Beefy has built specialist applications to meet the individual needs of our project, the pursuit of a general-purpose monitoring solution could easily consume the capacity of teams many times our size. Ultimately, security is not an area where it is helpful to keep reinventing the wheel.
As security practices across the industry are becoming increasingly sophisticated, it has become apparent that preemptive monitoring has the potential to save billions of dollars in lost funds by either preventing or expediting the resolution of malicious attacks on defective systems. It is an area worth exploring for DeFi protocols of any real size or importance.
Review Process
In view of this, Beefy’s core team have run a comprehensive procurement process to test out and evaluate the current security monitoring services on the market. Over the last year, we have spent weeks testing out solutions from Hexagate, Hypernative, CUBE3, Cyvers and Lossless, as well as exploring alternative automated response tools from developers like SphereX and Forta.
Our process has provided a lot of insight into our own security practices, and has made a successful case for an initial contract for security monitoring and threat prevention services. Having weighed up all of the providers in detail, it has become clear both that there are well-established market leaders in this space, and that effective solutions will require plenty of ongoing development work - meaning a good relationship with our security partners is vital to building an effective solution.
From that evaluation, we’re happy to announce that the core team are proposing to instruct Hexagate to act as our lead partner for security monitoring services during the course of this budget.
Hexagate
Founded in 2022, Hexagate bring years of experience from Web2 cybersecurity to building comprehensive monitoring services for Web 3.0. With key customers like Coinbase, EigenLayer, Kiln and Consensys, Hexagate is well known in Web 3.0 security as one of the first names you want in a war room. Their innovative platform includes a vast array of tooling for specialized monitoring and automated responses, including a bespoke code language for programming monitors. The platform was a breeze to use, with simple but powerful insights into all manner of onchain activity.
Hexagate’s standard contracting terms render the terms of each commercial deal confidential in nature, meaning we are not able to disclose the exact details of the proposed agreement. However, the Beefy core team have been successful in negotiating: (i) discounted prices for the first 2 years; (ii) options to exit without penalty midway through the 2-year period; (iii) a generous allocation of free support hours from the Hexagate team; and (iv) various amendments to ensure that Beefy’s needs and rights are properly reflected and protected.
The Hexagate team have demonstrated a lot of willingness in the process so far, and a substantial appreciation for Beefy and our significance in the industry. Both sides are clearly focused on the kind of long-term relationship that’s needed to build comprehensive and cutting-edge security monitoring systems. As such, we are confident that we have found the right partner for our security monitoring needs.
The core team therefore recommends that this proposal is promptly approved, so our initial agreement with Hexagate can be executed.
Extensions & Additional Work
The amount of Hexagate’s fees is confidential, so this proposal represents our current estimate of appropriate costs for the budget period, and ad hoc additional labor needed to develop and maintain Beefy’s instance of the Hexagate solution.
Though Hexagate have already allocated a number of hours of free support, we fully expect that further paid support will be required during the life of this agreement, such that asking for prior approval is the most prudent way forward.
Any funding that is not used in the first year of the budget will be automatically rolled into the second year. And any unused funding at the end of the second year will be retained in treasury. Our intention is to revisit the topic for an updated and revised proposal at the end of the two-year budget, to determine whether the investment has been a success and what the best route forward is.
Fallback Plan & Alternatives
Though this proposal favors Hexagate as our key partner for security monitoring services, we are conscious that often the value of a service isn’t borne out until a full initial term is worked through. It is possible that we may seek to exercise the 1-year termination right in the agreement where performance does not match our expectations.
In such circumstances, this proposal contemplates that the budget would remain open for use in other ways, whether that be in trialing another security monitoring service, or instead focusing on solely-automated response services (such as those offered by SphereX or Forta).
Though finding the right partner is important, ultimately we feel that a broader budget for third-party security services will be key to keeping Beefy safe in the coming years.
Proposal
Beefy should establish a yearly budget for spend on third-party security services, to run for an initial period of 2 years, and with a maximum spend of $80,000 over the 2-year period.
Off-Chain Vote
- Author: governance.staworth.eth
- IPFS: #bafkreih
- Voting System: single-choice
- Start Date: Sep 25, 2024
- End Date: Sep 29, 2024
- Total Votes Cast: 4.08K BIFI
- Total Voters: 86
Timeline
- Sep 25, 2024 - Proposal created
- Sep 25, 2024 - Proposal vote started
- Sep 29, 2024 - Proposal vote ended
- Apr 16, 2025 - Proposal updated