Author: stackthat.eth#5136 and BogDrakonov#1337
Date Created: January 11, 2023
Season 6 Summary
Our primary role and responsibilities are to collaborate heavily with every guild and project to provide security consultation and infrastructure automation whenever they may be needed. The InfoSec team stays on top of attack vectors being used to target members and the web3 ecosystem, reports them and, where possible, how to mitigate them.
The InfoSec team continues to oversee and provide the following services:
- Management of infrastructure via automation with strict access policies.
- Gatekeeping, auditing and providing least privilege on web2 platforms:
  - JumpCloud
  - Google Cloud
  - Google Workspace
  - AWS
  - CloudFlare
  - GitHub
- Prevention of spam and phishing scams on Discord and other communication platforms
- Monitoring and alerting of critical systems where an intrusion would publicly harm the DAO (e.g. defaced websites, DEGEN infrastructure takeover, email spam from @bankless.community addresses, secret leaks, etc.)
- Securing the bankless.community DNS with strict access policies and auditing for Route53 and Cloudflare
- Help improve the onboarding of new DAO members and the DAO-curious into proper personal operational security (OpSec) around protecting their accounts and assets (e.g. Bankless Academy lessons, First Quest security tasks, easy-to-follow guides and educational material, newsletter and Medium content)
- Collaborate with various projects during their design/incubation stages to help keep a “Security First” mindset without getting in the way of work, as well as speed up acquiring the right resources to host the project for any architecture requirement without having to hire an expert
- Continue collaboration with the Writers Guild and EPA to develop and publish content in the DAO’s weekly Rollup
Since Seasons 4 and 5, we have seen the number of phishing scams and attacks on DAO members decrease dramatically with the implementation of the Wickbot.
In Season 6, the InfoSec Team worked with @twoeggs on an InfoSec Web3 User Safety Survey. Respondents gained a shiny new POAP for aiding in making Web3 safer for all!
Objective: survey Bankless community members to understand the prevalence of crypto scams, the factors that increase scam risk, and the features crypto users want in order to improve Web3 safety.
Method: survey of the Bankless community (~35,000 members), conducted December 14 to 30, 2022.
Results: 354 survey responses from active crypto users (average 37 transactions per year). 66% of users have experienced a crypto scam and 39% lost money. Crypto scams cost victims an average of $2,900. Users would pay on average $6/month for crypto scam protection.
This has led to multiple product offerings that can be built within the Bankless community to protect users.
Full report: Crypto Scams Survey.pptx (Google Slides)
The InfoSec Department continues to stay on top of security and fine-tune our measures and best practices to ensure all members’, guilds’ and projects’ needs are met.
Season 6 Budget Summary
- S6 total budget was 562,657 BANK
- Extra BANK identified in the multisig from previous seasons: 0 BANK
- Extra DAI identified in the multisig from previous seasons: 6,788.47 DAI
- S6 total allocated as of 17 Jan 2023 was 562,657 BANK
- S6 Anticipated Rollover = 0 BANK
Season 7
Season 7 Forecast
Season 7 Anticipated Spend 734,000 BANK
BanklessDAO Treasury Ask: 734,000 BANK
Season 7 Role Budget
Line Item | Budget | S7 Role Holder |
---|---|---|
InfoSec Team Coordinator | 120,000 BANK | BogDrakonov |
InfoSec Technical Writer | 40,000 BANK | d0wnlore |
InfoSec POAP Manager | 10,000 BANK | Dysan |
Season 7 Budgets
Line Item | Budget | S7 Role Holder(s) |
---|---|---|
Infrastructure | 153,000 BANK | |
* Automation | 65,000 BANK | stackthat.eth / BogDrakonov |
* Education | 38,000 BANK | stackthat.eth |
* Project Incubation Buffer | 50,000 BANK | buffer for projects without funding or PoC |
Discord | 110,000 BANK | |
* Administration / Moderation | 50,000 BANK | BogDrakonov / Dysan |
* Permissions Auditing / Cleanup | 60,000 BANK | stackthat.eth / BogDrakonov to assist with role definitions |
Google Cloud / Workspace | 13,000 BANK | |
* Administration | 13,000 BANK | BogDrakonov / Dysan |
VaultWarden | 108,000 BANK | |
* Coordination Security Assets | 10,000 BANK | stackthat.eth / links from ops |
* Automated Infrastructure (terraform) | 60,000 BANK | stackthat.eth |
* Documentation | 38,000 BANK | d0wnlore |
InfoSec Website | 170,000 BANK | |
* bDAO Kapture Crawler (golang) | 50,000 BANK | stackthat.eth / tony.stark |
* Machine Learning (BigQuery ML) | 120,000 BANK | stackthat.eth / tony.stark / Dysan |
InfoSec Consulting | N/A | |
* bDAO Asset Recovery Project (MEV) | N/A | N/A - new for S6 |
* Mitigation as a Service (MaaS) | N/A | N/A - new for S6 |
Season 7 Miscellaneous Budget
Line Item | Budget |
---|---|
Scribe Incentive | 10,000 BANK |
Season 7 Plans and Goals
In Season 7 we plan to increase awareness of the attacks being committed within the crypto community, with millions in assets stolen from users each day. We plan to be an integral part of the DAO in continuing to keep members and users safe online.
Infrastructure
In Season 6 we revamped the infrastructure automation and created a secretless environment. This season we plan on expanding further with the migration of the primary DNS services from Route53 to CloudFlare. We also plan on investigating the migration of infrastructure to a decentralized vendor such as Akash.network / Edge.network. This in turn reduces the number of BANK → DAI → fiat swaps needed for web2 payments, provides a way to pay in BANK, and removes the requirement of holding a DAO member’s personal credit card information.
We also plan on investigating the use of Cloudflare’s Ethereum Gateway within the DAO ecosystem, which gives you read and write access to the Ethereum network without installing any software in your infrastructure.
In particular, users can read all information that has been agreed upon by the consensus of existing nodes in the network. In addition, they can write their own transactions and smart contracts to be stored by these nodes in a distributed manner. Anyone else on the network will be able to view these transactions, and even run your smart contracts using their own supply of the Ethereum currency.
Discord
- Bot integrations and security management
- Permissions management and auditing
- Documentation in Notion of Admin processes for level 2 guidance of decentralized expansion
- Spam / Fraud mitigation
- Moderation and violations of community standards enforcement (Bans)
- Role management and auditing
In Season 7 we plan on coordinating with the Operations Department to reduce some overlap in roles and responsibilities regarding Discord.
Google Cloud / Workspace
This season we plan on migrating SSO/SAML (Identity Management) from JumpCloud to Google Workspace. Accounts will be stored as code, so maintaining them is as simple as opening a pull request. This reduces administration overhead and provides abstraction from the platforms themselves.
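As an added illustration of the accounts-as-code approach described above (example configuration, not the DAO’s own), the following Terraform fragment uses the hashicorp/googleworkspace provider to declare users and group memberships from a single roster map that is changed only through reviewed pull requests. The domain, customer ID, credentials path and member names are placeholders.

```hcl
# Added example, not the DAO's configuration: Google Workspace identities declared
# as code with the hashicorp/googleworkspace provider. Every value is a placeholder.
provider "googleworkspace" {
  credentials             = "/secrets/workspace-sa.json" # service account with domain-wide delegation
  customer_id             = "C0PLACEHOLDER"
  impersonated_user_email = "admin@example.org"
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.group",
  ]
}
variable "initial_password" {
  type      = string
  sensitive = true # supplied at apply time, never committed to the repository
}

# The roster is data: adding or removing a member or a group membership is a
# one-line change that goes through pull-request review before it reaches the directory.
locals {
  members = {
    "alice@example.org" = { given = "Alice", family = "Example", groups = ["infosec"] }
    "bob@example.org"   = { given = "Bob", family = "Example", groups = ["infosec", "ops"] }
  }
  groups = toset(flatten([for m in local.members : m.groups]))
  memberships = { for pair in flatten([
    for email, m in local.members : [for g in m.groups : { group = g, email = email }]
  ]) : "${pair.group}/${pair.email}" => pair }
}

resource "googleworkspace_user" "member" {
  for_each      = local.members
  primary_email = each.key
  name {
    given_name  = each.value.given
    family_name = each.value.family
  }
  password                      = var.initial_password
  change_password_at_next_login = true # bootstrap password is rotated on first login
}

resource "googleworkspace_group" "team" {
  for_each = local.groups
  email    = "${each.key}@example.org"
}
resource "googleworkspace_group_member" "membership" {
  for_each = local.memberships
  group_id = googleworkspace_group.team[each.value.group].id
  email    = googleworkspace_user.member[each.value.email].primary_email
  role     = "MEMBER"
}
```

Because `terraform plan` shows exactly which users and memberships a pull request would add or remove, the review step doubles as an access audit trail.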
VaultWarden
This season we plan to bring the VaultWarden password management system under the InfoSec team’s management using automation, and to ensure strict security policies are in place, as well as timely updates and patches to the platform itself.
- VaultWarden Hosting and Maintenance
- Coordinate with Operations Department on planned updates to keep VaultWarden secure and reliable
- Potentially pass hosting from Ops → Infosec
- Create maintenance documentation to make it easy to maintain
InfoSec Website
The InfoSec website uses a microservice (codename: kapture) to automatically crawl news articles, blog posts and other media to collect and store specific content (recent hacks, attacks and scams within the web3 ecosystem) in a BigQuery database. Machine learning is then used to sort and catalog these assets and make them displayable on the website. This will provide a single location for reviewing recent information on the sector.
InfoSec Consulting
Using the information gathered by the InfoSec Kapture Project, we can analyze how people in the space are being hacked and falling for phishing scams, how such scams can be avoided, etc., and provide that as a Mitigation as a Service offering within the InfoSec Consulting Services.
Furthermore, we can use the information collected to create new Bankless Academy content and quizzes, as well as content for the Bankless newsletter and weekly Rollups.
Do we fund InfoSec for Season 7?
- Yes
- No (Comment Below)