Author: stackthat.eth#5136 and BogDrakonov#1337
Date Created: October 12, 2022
Date Posted: October 14, 2022
Season 5 Summary
Our primary role and responsibility is to collaborate closely with every guild and project, providing security consultation and infrastructure automation whenever they are needed. The InfoSec team stays on top of the attack vectors being used to target members and the web3 ecosystem, reports them and, where possible, explains how to mitigate them.
Our services include:
- Management of infrastructure via automation with strict access policies.
- Gatekeeping, auditing and providing least privilege on web2 platforms:
  - JumpCloud
  - Google Cloud
  - Google Workspace
  - AWS
  - CloudFlare
  - GitHub
- Prevention of spam and phishing scams on Discord and other communication platforms
- Monitoring and alerting of critical systems where an intrusion would publicly harm the DAO (e.g. defaced websites, DEGEN infrastructure takeover, email spam from @bankless.community addresses, secret leaks, etc.)
- Securing the bankless.community DNS with strict access policies and auditing for Route53 and Cloudflare
- Helping improve the onboarding of new DAO members and the DAO-curious into proper personal operational security (OpSec) around protecting their accounts and assets (e.g. Bankless Academy lessons, First Quest security tasks, easy-to-follow guides and educational material, newsletter and Medium content)
- Collaborating with various projects during their design/incubation stages to help keep a "Security First" mindset without getting in the way of work, and speeding up the acquisition of proper resources to host a project for any architecture requirement without having to hire an expert
- Continuing collaboration with the Writers Guild and EPA to develop and publish content in the DAO's weekly Rollup
Since Seasons 4 and 5 we have seen the number of phishing scams and attacks on DAO members decrease dramatically with the implementation of the Wickbot.
The InfoSec Department continues to stay on top of security and to fine-tune our measures and best practices to ensure that the needs of all members, guilds and projects are met.
Season 5 Budget Summary
- S5 total budget was 390,000 BANK
- Extra BANK identified in the multisig from previous seasons: 30,000 BANK
- Extra DAI identified in the multisig from previous seasons:
- S5 total allocated as of 14 Oct 2022 was 420,000 BANK
- S5 Anticipated Rollover = 0 BANK
Season 6
Season 6 Forecast
Season 6 Anticipated Spend 737,657 BANK + 250,000 BANK buffer
BanklessDAO Treasury Ask: 987,657 BANK
Season 6 Role Budget
Line Item | Budget | S5 Role Holder |
---|---|---|
InfoSec Team Coordinator | 120,000 BANK | BogDrakonov |
InfoSec Technical Writer | 40,000 BANK | d0wnlore |
InfoSec POAP Manager | 10,000 BANK | Dysan |
Season 6 Budgets
Line Item | Budget | S5 Role Holder(s) |
---|---|---|
Infrastructure | 153,000 BANK | |
* Automation | 65,000 BANK | stackthat.eth / BogDrakonov |
* Education | 38,000 BANK | stackthat.eth |
* Project Incubation Buffer | 50,000 BANK | buffer for projects without funding or PoC |
Discord | 110,000 BANK | |
* Administration / Moderation | 50,000 BANK | BogDrakonov / Dysan |
* Permissions Auditing / Cleanup | 60,000 BANK | stackthat.eth / BogDrakonov to assist with role definitions |
Google Cloud / Workspace | 21,657 BANK | |
* Administration | 13,000 BANK | BogDrakonov / Dysan |
* Account Registration | 8,657 BANK | stackthat.eth |
VaultWarden | 108,000 BANK | |
* Coordination Security Assets | 10,000 BANK | stackthat.eth / links from ops |
* Automated Infrastructure (terraform) | 60,000 BANK | stackthat.eth |
* Documentation | 38,000 BANK | d0wnlore |
bDAO InfoSec t-shirt branding | 45,000 BANK | d0wnlore / stackthat.eth |
InfoSec Website | 170,000 BANK | |
* bDAO Kapture Crawler (golang) | 50,000 BANK | stackthat.eth / tony.stark |
* Machine Learning (BigQuery ML) | 120,000 BANK | stackthat.eth / tony.stark / Dysan |
InfoSec Consulting | N/A | |
* bDAO Asset Recovery Project (MEV) | N/A | N/A - new for S6 |
* Mitigation as a Service (MaaS) | N/A | N/A - new for S6 |
Matrix | 75,000 BANK | From Buffer |
* Security Review | 25,000 BANK | N/A - new for S6 |
* Moderation Bot | 25,000 BANK | N/A - new for S6 |
* Architecture | 25,000 BANK | N/A - new for S6 |
Season 6 Miscellaneous Budget
Line Item | Budget |
---|---|
Scribe Incentive | 10,000 BANK |
Buffer | 200,000 BANK |
Season 6 Plans and Goals
In Season 6 we plan to increase awareness of the attacks being committed within the crypto community, with millions in assets stolen from users each day. We plan to be an integral part of the DAO in continuing to keep members and users safe online.
Infrastructure
In Season 5 we revamped the infrastructure automation and created a secretless environment. This season we plan to expand further with the migration of the primary DNS services from Route53 to CloudFlare. We also plan to investigate migrating infrastructure to a decentralized vendor such as Akash.network / Edge.network. This in turn reduces the number of BANK → DAI → Fiat swaps for web2 payments, provides a way to pay with BANK, and removes the requirement of having a DAO member's personal credit card information on file.
We also plan to investigate the use of Cloudflare's Ethereum Gateway within the DAO ecosystem, which gives you read and write access to the Ethereum network without installing any software in your infrastructure…
In particular, users can read all information that has been agreed upon by the consensus of existing nodes in the network. In addition, they can write their own transactions and smart contracts to be stored by these nodes in a distributed manner. Anyone else on the network will be able to view these transactions, and even run your smart contracts using their own supply of the Ethereum currency.
Discord
- Bot integrations and security management
- Permissions management and auditing
- Documentation in Notion of Admin processes for level 2 guidance of decentralized expansion
- Spam / Fraud mitigation
- Moderation and violations of community standards enforcement (Bans)
- Role management and auditing
In Season 6 we plan to coordinate with the Operations Department to reduce some overlap in roles and responsibilities regarding Discord.
Google Cloud / Workspace
This season we plan to migrate SSO/SAML (Identity Management) from JumpCloud to Google Workspace. Accounts will be stored as code, so maintaining an account (creating, changing or removing it) is as simple as a Pull Request. This reduces administration overhead and provides abstraction from the platforms themselves.
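The "accounts as code" pattern described above, as an added illustration rather than the DAO's own configuration: a Terraform module in which the desired set of Workspace users and group memberships is a single map, so onboarding or offboarding a member is a reviewed Pull Request that edits that map, and `terraform plan` shows exactly which accounts would be created, changed or deleted before anything is applied. Resource and attribute names are taken from the hashicorp/googleworkspace and hashicorp/random providers as I know them and should be checked against the provider docs; the member names, domain and variable names are constructed placeholders. No secret is stored in the repository: the service-account key is supplied out of band and each initial password is generated at apply time and forced to change at first login.

```hcl
terraform {
  required_providers {
    googleworkspace = { source = "hashicorp/googleworkspace" }
    random          = { source = "hashicorp/random" }
  }
}

# Credentials come from variables / environment at apply time, never from the repo.
variable "customer_id"              { type = string }
variable "admin_email"              { type = string }   # admin the service account impersonates
variable "service_account_key_file" { type = string }   # path on the runner, not committed

provider "googleworkspace" {
  customer_id             = var.customer_id
  credentials             = var.service_account_key_file
  impersonated_user_email = var.admin_email
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
  ]
}

# Desired state. A PR that adds, edits or deletes an entry here is the whole
# onboarding / offboarding process; review happens on the diff.
locals {
  domain = "example.invalid"   # placeholder, not the DAO's real domain
  members = {
    "alice" = { given = "Alice", family = "Example", groups = ["infosec"] }
    "bob"   = { given = "Bob",   family = "Example", groups = [] }
  }
}

# One generated initial password per member; the value lives only in state,
# and the user must replace it at first login.
resource "random_password" "initial" {
  for_each = local.members
  length   = 24
  special  = true
}

resource "googleworkspace_user" "member" {
  for_each      = local.members
  primary_email = "${each.key}@${local.domain}"
  name {
    given_name  = each.value.given
    family_name = each.value.family
  }
  password                      = random_password.initial[each.key].result
  change_password_at_next_login = true
}

resource "googleworkspace_group" "infosec" {
  email = "infosec@${local.domain}"
  name  = "InfoSec"
}

# Group membership is derived from the same map, so removing a member from
# local.members also removes every membership in the same plan.
resource "googleworkspace_group_member" "infosec" {
  for_each = { for k, v in local.members : k => v if contains(v.groups, "infosec") }
  group_id = googleworkspace_group.infosec.id
  email    = googleworkspace_user.member[each.key].primary_email
  role     = "MEMBER"
}
```

In practice the plan output is what reviewers approve: a `-` on a `googleworkspace_user` resource is an offboarding, a `+` is an onboarding, and both are visible in the PR before the change reaches the platform. Because the `random_password` result ends up in Terraform state, the state backend needs the same access restrictions as the identity platform itself.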
VaultWarden
This season we plan to bring the VaultWarden password management system under InfoSec management using automation, and to ensure that strict security policies are in place and that updates and patches are applied to the platform itself.
- VaultWarden hosting and maintenance
- Coordinate with the Operations Department on planned updates to keep VaultWarden secure and reliable
- Potentially pass hosting from Ops → InfoSec
- Create maintenance documentation to make the platform easy to maintain
bDAO Branded T-Shirt
An effort to raise the visibility of the DAO's InfoSec team when attending events and conferences within the InfoSec and Web3 communities. The next event an InfoSec member is attending is Taiwan Blockchain Week, and we would like the Bankless brand to be in attendance thanks to d0wnlore.
InfoSec Website
The InfoSec website uses a microservice (codename "kapture") to automatically crawl news articles, blog posts and other media and to collect and store specific content (recent hacks, attacks and scams within the web3 ecosystem) in a BigQuery database. Machine learning is then used to sort and catalog these assets and make them displayable on the website. This will provide a single location for reviewing recent information on the sector.
InfoSec Consulting
Using the information gathered by the InfoSec Kapture project, we can analyze how people in the space are being hacked and falling for phishing scams, how such scams can be avoided, etc., and provide that analysis as a Mitigation as a Service offering under InfoSec Consulting Services.
Furthermore, we can use the information collected to create new Bankless Academy content and quizzes, as well as content for the Bankless newsletter and weekly Rollups.
Matrix
This item came up for discussion during Season 5, raised by AustinFoss (UTC-6)#7340. While watching the Tornado Cash fallout, we observed their Discord server, GitHub repositories and other assets being wiped from web2 platforms.
Fund InfoSec for Season 6?
- Yes
- No
0 voters