[RFC] - Implement Chainalysis Crypto Incident Response plan for Ajna’s Smart Contracts
Summary (TL;DR)
This is a proposal to adopt Chainalysis Incident Response to protect Ajna in the event of a hack or exploit. After a hack commences, investigative response time is the most critical vector to asset recovery. Chainalysis Incident Response (CIR), the leading crypto asset recovery solution, is an important security measure to have in place to protect Ajna in the event of a hack. It also serves as a strong deterrent to help minimize the risk of a hack in the first place.
References
● Website: Chainalysis Professional Crypto Investigations & Special Programs
● Customer Stories / Customer References:
- Blog post on the Axie Infinity Hack & Successful Asset Recovery: “$30 Million Seized: How the Crypto Community Is Making It Difficult for North Korean Hackers To Profit”
- Twitter Post from Morpho: “Morpho Labs has partnered up with Chainalysis to strengthen the Incident Response Plan for Morpho protocol!”
- Twitter Post from Algorand: “We have engaged Chainalysis to help trace compromised wallet transfers and freeze funds if they are deposited in an exchange that integrates with and acts upon Chainalysis data.”
● Source Data:
- Chainalysis: The Chainalysis 2023 Crypto Crime Report, including original data and research into cryptocurrency-based crime.
- Security Intelligence: Cryptocurrency-Related Crime Boomed in 2022
- Sharedum: Top 10 DeFi Hacks You Should Know in 2023
- Cointelegraph: DeFi exploits and access control hacks cost crypto investors billions in 2022: Report
Main Objective
Context: Hackers are stealing more cryptocurrency from DeFi platforms than ever before. In last year’s “Crypto Crime Report,” Chainalysis detailed how DeFi protocols in 2021 became the primary target of crypto hackers. That trend intensified in 2022 and is expected to continue. By the numbers, 2022 was the biggest year ever for crypto hacking, with $3.8B stolen, primarily from DeFi protocols and by North Korea-linked attackers. DeFi protocols as victims accounted for 82.1% of all cryptocurrency stolen by hackers in 2022 — a total of $3.1 billion — up from 73.3% in 2021. As a result, it has become a top priority for DeFi projects to have protection in place beyond smart contract audits.
Motivation: Response time is one of the most important factors in successful asset recovery, as a fast response significantly increases the opportunity to control and recover funds before they are gone (sent to a fiat off-ramp, moved to a sanctioned exchange, etc.). By procuring Chainalysis CIR, Ajna would have Chainalysis’ world-class team of professional investigators, cybersecurity experts, and data engineers on standby in the event of a hack or exploit, ready to respond immediately, which increases the likelihood of recovering funds. To date, Chainalysis has aided in the recovery of over $11B in stolen funds through our own investigations and others we supported.
Further, Chainalysis’ reputation is known across the world. By implementing CIR and broadcasting your Chainalysis partnership like Morpho did in the tweet above, you’re creating a strong deterrent. Hackers know that even if they do exploit your protocol, they won’t be able to easily profit from the stolen funds, thus diminishing their financial incentive to attack.
Benefit Recap
● Deter Hacks. The best outcome is you never get hacked. CIR helps deter hackers by letting them know a leading global crypto investigative team is on your side. Chainalysis is also partnering with Hypernative to detect zero-day cyber attacks to help prevent funds from being stolen in the first place.
● Protect your Community, Boost your Brand. By adopting CIR, you can show the Ajna community (and the broader DeFi community) that you’re taking serious action when it comes to cybersecurity and consumer protections, thus improving your brand reputation and differentiating yourself in the market.
● Partner with the Best. With CIR, Ajna can tap into Chainalysis’ expertise for complex blockchain analysis and investigations. The CIR team is ready to respond to cybersecurity breaches and ransomware attacks, assist in the recovery of stolen cryptocurrency, and perform other analyses involving blockchain data. The team consists of respected professional investigators, cybersecurity experts, and data engineers.
● Reaction Time. Having a proactive solution in place decreases the time to respond and increases the likelihood of asset freezing and recovery by the customer or law enforcement should the worst happen.
● Technical Skills. The ability to trace funds through various types of complex platforms is a crucial part of a CIR engagement and of our customers’ ability to recover funds successfully. This applies not only to known mixer platforms but also to unidentified mixers and new bridging protocols between blockchains.
● Network. Chainalysis has a huge customer base and, with it, a sizable network with personal connections to almost all significant exchanges and services in the crypto space. Also, their strong relationship with Law Enforcement Agencies around the world makes them very efficient in engaging the relevant entities when needed.
● ROI. In over 80% of all cases where an incident has occurred, Chainalysis investigators have been able to give our customers valuable information that leads to the recovery of more than their CIR fee. This demonstrates a great return on investment for CIR customers.
Scope of Work
- Monitoring & Alerts
● Objective: To provide a robust monitoring and alert system to assess smart contracts and on-chain holdings for potential security threats or anomalies.
● Tasks:
a) Conduct an initial assessment of the client’s smart contracts and asset holdings.
b) Set up the Hypernative tool, tailored to the client’s specific needs.
c) Establish thresholds and criteria for alerts based on potential vulnerabilities or unauthorized activities.
d) Provide ongoing monitoring and promptly relay alerts to designated client contacts.
- OpSec Guidelines
● Objective: To lead a Web3-specific discussion that ensures the client’s operational security is at its highest standard.
● Tasks:
a) Conduct an operational security discussion specific to Web3 threat vectors and assets at risk.
b) Create a report detailing potential vulnerabilities, risks, and recommendations on how to improve Web3-specific operational security.
c) Support OpSec through quarterly reports on emerging threats and trends, and immediate communication of urgent or imminent risks in the market that may be applicable.
*Note: This OpSec review is not intended for the complete technology stack. It is specifically focused on wallets/vaults, access points, community engagement and external social communication.
- Emergency Response Plan
● Objective: To help establish a well-defined and actionable crisis management plan to handle potential security breaches or threats.
● Tasks:
a) Develop an external communication strategy to inform stakeholders, partners, and users, ensuring accurate information dissemination.
b) Create an internal communication protocol to ensure immediate and cohesive action across the team.
c) Outline a technical response procedure to identify, isolate, and mitigate threats in real time.
- Incident Response
● Objective: To provide swift action in the event of a security incident, ensuring minimal damage and maximum recovery potential.
● Tasks:
a) Trace and attribute unauthorized or suspicious transactions to their source.
b) Engage with involved platforms, exchanges, or Web3 entities to assist in obtaining a temporary freeze on suspect funds.
c) Provide detailed reports of incidents to assist in legal or organizational action.
- Recovery Support
● Objective: To assist clients in the fund recovery process in the aftermath of a security incident.
● Tasks:
a) Offer digital forensics services to understand the depth and source of the breach.
b) Provide malware disassembly, identifying potential threats and ensuring their removal.
c) Aid in the asset recovery process, leveraging relationships with platforms and exchanges.
d) Provide recommendations and guidance on post-incident best practices to prevent recurrence.
Considerations/Risks
There is a significant risk of not adopting a proactive asset recovery plan (that is, not having a plan in place before an attack). Waiting until after a hack occurs to partner with Chainalysis will create a significant delay in their ability to act, as it takes time to go through the approval and contracting process. As mentioned above, time is of the essence in a hack, and any delays reduce the chance of asset freezing and recovery.
Specification
Procuring Proactive CIR costs $25,000 for 12 months of coverage (paid upfront). This includes up to 100 hours of investigative work and support for any hacks or incidents that occur in the covered 12-month period. Approval of this grant shall begin the onboarding process for CIR and the transfer of payment for 12 months of coverage.