Towards a Security Pod

As I gain more experience in DeFi, I am convinced by the need for a stronger internal security footing and reduced reliance on external auditors.

It’s difficult for an outside audit firm to have deep familiarity with a codebase and the implications of a change, and there are both large expenses and long delays in getting audit slots at top tier firms.

A six month lead time is simply too much to work with for many of our engineering goals and the relatively small iterative changes that go into many projects, both Volt and Fei Protocol.

I’m not saying we should stop pursuing Trail of Bits or Dili audits, but more is needed.

The solution: hire a full time security engineer for the Tribe DAO, whose role is exclusively security across all Tribe DAO projects and who is not in charge of new feature code for any one project.

This person would do things like:

  • pair programming code reviews with devs across the Tribe DAO on any new code
  • regular pair programming review and audit of all existing code and systems, so the entire codebase receives a reaudit every X period, taking into account all changes
  • diligence into security of any external venues where PCV is deployed
  • penetration testing/security review of systems like websites, access permissions, etc
  • work with outside security professionals on the above and help to manage audit and bug bounty programs

Such an engineer could deliver enormous value in preventing a future exploit in Rari, Fei, Volt, or any other Tribe DAO protocol in the future. Internalizing this type of talent will build a stronger moat around the DAO, and Volt Protocol could contribute alongside the Tribe to offer upside and attract really great security talent.

10 Likes

I’m strongly in support of hiring a dedicated security engineer for the Tribe DAO! Saving us from one exploit in the future will pay for their cost many times over. Internal code reviews are where the most emphasis should be placed as auditors are a last line of defense before going into production. This engineer should evaluate all yield venues where PCV is deployed, audit all new and existing code on a regular basis, and help ensure that our systems are safe across multiple platforms and attack surfaces.

2 Likes

I 100% agree with this. Given that the problem of avoiding bugs is highly contextual and experiential, I do believe a proper security dev will do wonders to increase the proficiency of the code Joey, Elliot, Transmission, and others push out.

Fully for this. Should we include, in this proposal or the next, the market rate for a security engineer along with a list of potential security engineers who would be good candidates?

In response to a comment by @klob, noting that these “auditor” duties seem more important in the immediate term than the penetration testing/red team role: the latter can more easily be accomplished by outside professionals, and the security industry is well established. Hiring someone with strong smart contract skills and a security mindset seems the highest value as a first step.

1 Like

Hey Tribe DAO,

Introduction to Danish Blockchain Lab
We at Danish Blockchain Lab have picked up on your search “Towards a Security Pod” from DioDionysos#0001, and we’d love to be the chosen company for this partnership!
To give you guys a little bit of context, Danish Blockchain Lab is a company that specializes in blockchain security from a holistic point of view.

Historically, cryptocurrency thefts have largely been the result of security breaches and code exploits in which hackers gain access to victims’ private keys — the crypto-equivalent of pickpocketing. These keys could be acquired through phishing, keylogging, social engineering, or other techniques. It’s also about exploiting the architecture and misconfigurations of smart contracts in a blockchain-based structure and gaining access to the keys through them. From 2019 to 2021, almost 60% of all value was stolen through just these two types of hacks. Digital thieves had a big year in 2021, stealing $3.2 billion worth of cryptocurrency. But in 2022, they’re shaping up to steal even more. In the first three months of this year, hackers have stolen $1.3 billion from exchanges, platforms, and private entities—and the victims are disproportionately in DeFi – Tribe DAO’s segment. Almost 97% of all cryptocurrency stolen in the first three months of 2022 has been taken from DeFi protocols, up from 72% in 2021 and just 30% in 2020. If need be, I’ll gladly link to the report.

So when @OneTrueKirk says “As I gain more experience in DeFi, I am convinced by the need for a stronger internal security footing and reduced reliance on external auditors.”, he’s absolutely right; with the numbers presented, and the trend towards DeFi-hacking, there is a stronger need for internal security, and a decrease in external dependency, especially with the long waitlists!

This is where we, Danish Blockchain Lab, come into play.

We analyze and security test the system architecture surrounding your blockchain setup and ensure that it is adequately secure. Our team of white hat crackers tests and analyzes this by reverse engineering, and we focus on the implementations and system integrations. It’s about thinking like the “bad guy”, to prevent them from pickpocketing and exploiting the architecture and misconfigurations.

We aspire to help your DAO reach its maximum security potential, by creating a core team of internal security experts with full responsibility for security across all three Tribe DAO pillars: Fei Protocol, Turbo and Rari Capital. If we assess that a team is too much, we can instate a duo.

We find that it’s important that the engineers have proficient developer skills as well as security experience (auditing, reverse engineering, code review) – not just the latter – in order to give the most value to Tribe DAO’s security. As Elon Musk said recently:
“I strongly believe that all managers in a technical area must be technically excellent. Managers in software must write great software or it’s like being a cavalry captain who can’t ride a horse!”

The exact same thing goes for security and development. If you can’t develop blockchain infrastructure at the highest level – using the language the ecosystem uses – you can’t secure it either. We suggest a duo, as four eyes are better than two, and it gives the duo the possibility of articulating issues with a peer at the same level, which, in turn, enhances the security further!

When bigger audits are required (which should still be performed once or twice a year), Danish Blockchain Lab can even supply the extra hands required. We’ll be discussing it with the then already internally instated security duo as well as the engineering team, and then perform the bigger audit. @OneTrueKirk states “work with outside security professionals on the above and help to manage audit and bug bounty programs”, which we can also manage. Since our duo would know the rest of Danish Blockchain Lab’s processes and engineers, the bigger audit would also run faster and more seamlessly, and be much more thorough.

@Elliot states that just a single avoided exploit can cover the cost of this duo, which is definitely correct. According to DeFi Pulse, Rari Capital has $389m in TVL. Protecting this is of the utmost importance! And as stated earlier, 97% of all cryptocurrency stolen in early 2022 has been stolen from DeFi projects. We want to prevent Tribe DAO from contributing to this statistic!

All in all, we believe that we can deliver the enormous value that Tribe DAO is searching for, and cover the entire spectrum, so there will be no need for other audit companies and long waitlists.

How do we normally work?
Scoping session – We bring in either our blockchain experts holding PhDs in Cryptography (Tokenomics/Game Theory) and Math or our practical experts, depending on the project.

Together with world-leading experts from University College London and Cambridge University, we will do a workshop of 1 to 1½ hours to establish a common ground, which becomes the baseline for the areas you would like us to pursue and the areas we see as crucial. Before we start any auditing process, we need to establish an overview of the architecture, infrastructure, and the business model to see the coherence.

Estimation – We will return with an estimate based on the scoping session. We will present a game plan based on whether we shall start by security auditing the infrastructure and architecture, or whether we shall start on smart contract security audits immediately.

Audit report – We usually work in two different ways regarding reporting of our audits:

  1. When we focus on infrastructure and architecture, a lot of our clients prefer a verbal report through a workshop, although we also offer written reports with our findings.
  2. When we do manual security code reviews of smart contracts, we focus on misconfigurations in relation to the client’s documentation, and on vulnerabilities.

Our team – who does manual security code reviews – consists of very skilled developers with white hat hacker mentalities. Therefore, we do not only focus on finding the vulnerability, but we also write documentation on best practices and how to fix said vulnerabilities, as well as general ways of optimizing the code.
In the report we rank the vulnerabilities and findings by severity as Low, Medium, High, Critical, and Informational, with a description connected to each issue.
We analyze the provided code, checking for issues related to the following categories:

  • General code safety and susceptibility to known issues.
  • Poor coding practices and unsafe behavior.
  • Leakage of secrets or other sensitive data through memory mismanagement.
  • Susceptibility to misuse and system errors.
  • Error management and logging

We hope we’ve covered all your questions and concerns, and that you see us as the perfect fit! If there are some details you’d love us to elaborate on, we’ll be glad to do so!

It seems like many factors are pointing this way as a possible future. Given the breadth of the Tribe DAO across Rari, Fei and Volt I think this’d be a sensible investment.

Having a dedicated in house expert helps with two additional areas where protocols are experiencing difficulty with audit firms:

  1. Audit firms often lack protocol specific context on the code that they’re auditing.
  2. Incentive alignment

Thank you for your interest, an outside company is not within the scope of this proposal, though a future security engineer in the Tribe DAO may help in selecting and engaging with outside auditors.

1 Like

Hello again @OneTrueKirk! I’ve written two versions: a long, elaborate and precise answer, as well as a TL;DR.

TL;DR
Danish Blockchain Lab is offering a full-time, in-house Security Engineer expert, and Tribe DAO has 100% ownership of them for as many years as you want. This is not a temporary solution, it’s permanent. You can keep the engineer for 6 months, 12 months, 5 years, or even 15 years if you want. It’s all in Tribe DAO’s hands.

The long and elaborate answer, on how we can help Tribe DAO with exactly what you need

I think that we’re talking past each other and that my intentions are being misunderstood, so I’ll give you an elaborate answer here on the forum, just as I promised on Discord (anyone can find me as Frostlight#2572 if they want a chat).

My entire proposal is to assist Tribe DAO by instating one of our Security Engineer experts into your development team full-time, and Tribe DAO has 100% ownership of them for as many years as you want.

So the Security Engineer will be just like any other full-time employee!

However, now you might be thinking, “why is Danish Blockchain Lab interested in this?”

The reason is simply that we’re in this space to promote the technology, and our skillset is within security, not coming up with DeFi ideas. Therefore, we want to maximize the security on these super interesting projects, and help blockchain evolve so it’ll be a common technology worldwide even faster.

Let me write some bullets on why this is a mutually beneficial agreement:

  • You don’t need to waste your time interviewing hundreds of scammer profiles to find the gem amongst the dirt; we already have the diamond at your disposal.

  • The legal work is a lot easier, as we’d make a simple contract between us as beneficial partners. We hate contract complexity.

  • We guarantee that the Security Engineer has all the protocol-specific skills you need (we never use so-called “experts” on a chain they’ve never worked on intensively before).

  • If you dislike the Security Engineer for whatever reason, we’re capable of supplying a new one from our team. Again, you don’t need to scout the dirt for another gem. It happens that there’s just not a personal match between the engineer and the dev team, which is okay!

  • It opens the doors to future cooperation between Tribe DAO and Danish Blockchain Lab regarding future audits, meaning you don’t have to wait 6 months for a huge corporation (that has a lot of automated processes) to audit your ecosystem. Besides, the other audit firms won’t know your ecosystem as well as we will, since our engineer is already working full time, 100% on Tribe DAO’s ecosystem, meaning a more thorough security assessment can be achieved.

  • We have done this a few times before for other projects, where we instate one of our Security Engineers full time at a project, to maximize their security, and it has always resulted in a much better outcome for the project.

  • We believe that certifications/stamps are a “here-and-now” picture of the ecosystem, but a few months later the landscape has changed and therefore the certification is no longer valid. This is another reason why the internal security engineer is so crucial, and that’s also why it has our interest: to continuously keep you guys safe! We don’t want you to contribute to the 97% as described in my first post.

  • The incentives align perfectly, as it’s in our interest to keep your ecosystem as safe as possible, and therefore we’ll do our utmost for you guys! Again, it has to be mutually beneficial.

I hope this has cast some light on my first message, but I’ll just write it once again for clarification.

Tribe DAO will have 100%/full ownership over Danish Blockchain Lab’s Security Engineer for as many years as you want.

I don’t know how you guys normally operate, but if you want, we can host an AMA for you and everyone else who has an interest in this proposal, where we can clarify every single question you might have. We’ll be doing everything we can to make you guys as secure as possible, which is why we believe the approach with an in-house Security Engineer expert is the best possible solution.

I look forward to your answer ^^

Is it allowed to bump threads on this forum?