DeFiSafety Security Framework proposal for GRO DAO

Executive Summary

Hello to the Gro community! We are DeFiSafety and have been discussing with the Gro core team members a security opportunity we think could greatly benefit the protocol.

We would like to formally propose to the Gro protocol the creation of a comprehensive security process and documentation set based on the DeFiSafety Security Framework customized for Gro protocol, without requiring significant effort from the Gro team.

Funding is for $70k in 2 milestones that covers 12 months


DeFiSafety aims to help Gro improve their security processes. We want to do this in two separate parts.

First Part:

Our initial battle plan can be summarized as follows:

We will implement enhanced security processes for Gro protocol. This includes:

  • Generating a threat list on smart contract, website, and economic threats
  • Software upgrade processes
  • Key and treasury best practices

For each threat, we supply corresponding documentation that will identify:

  • Mitigation plan
  • Monitoring strategy – this can involve active alerts managed by either Gro or DeFiSafety
  • Specific Response Playbook (for each threat)

At the completion of this section Gro will have a customized documentation list consisting of best practices documents, threat lists, mitigation plans, response plans and some implemented active alerts. Finally, GRO will have an action list of tasks to complete in order to improve their risk profile before the next meeting.

Second Part:

DeFiSafety will continuously review Gro’s security practices and its implementation of the previously covered part to support the Gro team through meetings. Review meetings (set quarterly) will cover the following:

  • Updates in best practices (revise docs as appropriate)
  • Review action items from previous meetings
  • Review new or changed threats (revise docs as appropriate)


This section outlines the terms of a master services agreement between DeFiSafety Inc. and Gro for security assessment/consulting services:

  • Duration of the Agreement: 12 months
  • Commitment: 35 person-days
  • Start Date: November 1st, 2022 (flexible)
  • Fee: US$ 70,000 paid in USDC and/or USDT
  • Payment terms: 50% of the Fee at the signing of the contract. Remaining Consultancy Fee 4 months after the first payment


  • First 2 months, DeFiSafety will do internal document development
  • Month 3 and 4 DeFiSafety and Gro hold meetings to customize the documentation set to Gro. At the end of month 4 Gro will have the full documentation set.
  • Month 6 DeFiSafety will schedule a set of review meetings.
  • Month 9 DeFiSafety will schedule a set of review meetings.
  • Month 12 DeFiSafety will schedule a set of review meetings.

DeFiSafety Background

DeFiSafety is a DeFi-specific security firm that specializes in development process review. We’re located in Montreal, Quebec.

We have been providing security assessment services to protocols across DeFi for 2 years now through critical development process review work that trends towards reduced security incidents, as proven by our analyses. We’ve worked with almost every big name and smaller names alike, not only critiquing their methods but also suggesting improvements that have been implemented.

For those unfamiliar with our 260+ free process quality reviews, feel free to browse them at

Some examples of critiques and improvement (or not), or general contributions to the space include:

  • Solana: we critiqued them for only having one node implementation resulting in network instability, now they’ve hired Jump to fix this

  • Goldfinch: we suggested they might want to explain how their protocol mitigates common DeFi vulnerabilities and they produced a clear document explaining so, and reported that it increased the strength of their internal process as they did it.

  • The Macalinao brothers: we correctly identified that their poor development practices were an indicator of foul play

Offering generalized, low barrier to access advice to all DeFi users on how to identify projects that will not disappear to news outlets. Repeatedly identifying poor development that subsequently suffers exploits.


Thanks for posting the proposal and sharing that in our Risk call earlier @Rex_DeFiSafety!

My understanding is that we’ll need another protocol to make this work, so I want to check if we need to have another protocol that signs up and wants to start the process at the same time in order to proceed?

No, this proposal stands on its own. We can accomplish a full implementation with only a GRO commitment. We are looking for another protocol, but it is not required.
