[Brainstorm] Immunefi Security Topics

In an effort to hit the ground running, on behalf of the nascent Immunefi Security CU, I want to invite some brainstorming on security topics that may be of interest to the Maker community. Here are some topics that we thought of,

What kind of questions would you like to have addressed by a security professional?

3 Likes

Josh: Malware and inadequate due diligence.
And last but not least, insider threats.

1 Like

For what specifically? I can imagine lots of places where we should exercise due diligence, for example, personnel hiring and collateral onboarding. Did you have a particular area in mind?

Hm, what do you have in mind? Perhaps a new protocol engineering hire is a plant from Compound protocol trying to stealthily insert bugs into executive spells? Or do you imagine that an employee of google business services is leaking proprietary info that a Maker CU employee stored on a google drive?

Everything and anything related to MakerDAO, including but not limited to due diligence of this Forum, Discord, (both centralized), cybersecurity risk assessment for All CUs using multi-sigs (security ratings + best practices), metrics for mitigating CU team members risk (cyber attacks), educating the former, and that’s all I can think of right now…

Yes, a new hire, or an NSA undercover CU team member, breakdown silos, etc.

Thank you in advance, Josh!

And always remember, Great Facilitators always channel their inner James Bond, their MacGyver, their Wonder Woman. :slight_smile:

1 Like

Ha! I know you’re being jovial, but I can’t let that go without a comment. :nerd_face:

Presumably, his bravery, ingenuity, and luck minus the blatant misogyny.

Not the horrid Marvel film? If you meant to reference Professor Marston & the Wonder Women then sure :heart:

1 Like

This might be a good case study — looks like the team signed into a malicious frontend. How do we avoid our CU team members making this same mistake? @psychonaut via a Gnosis Safe Multi-sig

“I never sleep, because sleep is the cousin of death” —Nas

1 Like

One for the list: the practice of regularly reviewing ERC20 allowances and deauthorizing what’s not strictly needed in the short term.

Also setting up “prepaid” wallets with small amounts to move required authorizations to. So that the loss is limited to this separate wallet in case of a hack.

Inspired by recent events :).

2 Likes
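Turning the allowance review above into a concrete check, as an added example that is not from this thread: it replays ERC20 Approval event logs for one owner (constructed sample data in the web3 JSON-RPC log shape) to list the allowances still outstanding, flags the unlimited ones, and builds the approve(spender, 0) calldata that revokes everything not on an explicit keep-list.

```python
# Added example, not code from the thread. Log shape and sample data are assumed.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1

def _addr(topic: str) -> str:
    """Indexed address topics are left-padded to 32 bytes; take the low 20."""
    return "0x" + topic[-40:].lower()

def current_allowances(logs, owner):
    """Replay Approval logs in chain order; the last value per (token, spender) wins."""
    owner = owner.lower()
    allowances = {}
    for log in logs:
        topics = log["topics"]
        if topics[0] != APPROVAL_TOPIC or _addr(topics[1]) != owner:
            continue
        key = (log["address"].lower(), _addr(topics[2]))
        value = int(log["data"], 16)
        if value == 0:
            allowances.pop(key, None)  # already revoked on-chain
        else:
            allowances[key] = value
    return allowances

def revoke_calldata(spender: str) -> str:
    """ABI-encode approve(spender, 0): selector + padded address + zero amount."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

def revoke_plan(logs, owner, keep=()):
    """One revoke transaction per outstanding allowance not on the keep-list."""
    keep = {(t.lower(), s.lower()) for t, s in keep}
    plan = []
    for (token, spender), value in current_allowances(logs, owner).items():
        if (token, spender) not in keep:
            plan.append({"to": token, "spender": spender,
                         "unlimited": value == UINT256_MAX,
                         "data": revoke_calldata(spender)})
    return plan

# Constructed sample: one unlimited approval still live, one already set back to 0.
OWNER, SPENDER_DEX, SPENDER_OLD = "0x" + "a1" * 20, "0x" + "b2" * 20, "0x" + "d4" * 20
TOKEN_A, TOKEN_B = "0x" + "c3" * 20, "0x" + "e5" * 20
def _topic(addr): return "0x" + addr[2:].rjust(64, "0")
def _data(v): return "0x" + format(v, "064x")
SAMPLE_LOGS = [
    {"address": TOKEN_A, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(SPENDER_DEX)], "data": _data(UINT256_MAX)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(SPENDER_OLD)], "data": _data(1000 * 10**18)},
    {"address": TOKEN_B, "topics": [APPROVAL_TOPIC, _topic(OWNER), _topic(SPENDER_OLD)], "data": _data(0)},
]
```

Against real data you would fetch the logs with eth_getLogs filtered on the Approval topic and the owner, and send each plan entry's data to its token contract from the wallet that granted the allowance.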

Looks like another front-end attack:

BTW, when will this Forum be on a decentralized Cloud? Akash and Ceramic can’t come soon enough…

Infrastructure redundancy distributed among multiple cloud providers in different jurisdictions may be a more practical first step. But I agree that this one is becoming more of a priority every week.

1 Like

Josh, how about best practices for CU teams to avoid frontends getting hacked? If your website’s Cloudflare API key gets compromised, you might as well kiss that baby goodbye.

1 Like

Maintaining pseudonymity :slight_smile:

2 Likes

Whoa! Maintaining pseudonymity is extremely difficult, but might serve as a topic for an advanced tutorial.

Josh—check out this Forta SDK for building “threat detection agents (scripts)”—wondering if Immunefi will be able to produce something similar for auditing & detecting bugs: FORTA

Looks like some work with Forta is already underway.

1 Like