GRO Risk Facilitator Refined Proposal

Hi Guys,

Please find my reapplication as risk facilitator.

Process weaknesses are a huge risk (if not the biggest) in today’s DeFi. Just look at a recent rekt: “The exploit was due to a private key compromise of the Ankr deployer address on BSC, potentially the result of a phishing campaign” [1]. And even the rekt article misses the point. It does not discuss how the keys were compromised, or why there was no timelock. It does not touch key and wallet management. These are preventable errors. Solid, boring, written processes can fix this.

How would you mitigate a stolen deployer key? Maybe add an alert upon execution and a timelock, then a process so that if the alert goes off, the team knows what to do.

This is the first part of the value I bring. The second part is having a risk process that investors can respect. This will put GRO above other protocols.

Budget breakdown (six months): $60,000, 1 facilitator:

60,000 USDC over 6 months plus 80,000 GRO tokens (vested)
This accounts for a minimum of 16 hours per week, or 40% of my time.

My time:

The allocated time spent will be a minimum, and priority will be put on any specific risk tasks the other pods may request. The remainder of my time will be spent as president of DeFiSafety. This means 100% of my time is spent on DeFi risk and security. Everything I learn will be brought into Gro. If Gro has an intense period risk-wise, I will spend whatever time is needed.

Tasks:

When I am not on a specific protocol task, I will be developing written strategies for all of the risk types listed below. For each risk there would be mitigations, alerts and a written response plan. Much of the time generating these will NOT be paid by GRO, as the generic docs are for DeFiSafety. We continually update risks (such as the incompatible token bug I recently added [1]).

Within six months, I expect GRO to have a documented risk framework that would make any DeFi fund confident that GRO’s security is unparalleled.

  • Key Treasury Risk
    • Keys stolen
    • Token price plunges
    • Internal Bad actor damages protocol
  • Pool
    • External bad actor drains pool
    • Undercollateralization
    • Incompatible token incorporated into protocol
    • Bad coefficient updates
  • Financial Operation Risk
    • Rapid loss of value of asset(s)
    • Bad tokenomics causes problem
    • Stable coin depeg
  • Software Operation Risk
    • Loss of Funds via Hack
    • Website script injection (hijack website code)
    • Website Impersonation (DNS)
    • Scams to fake websites
    • Fake google ads
    • Bad strategy deployment
  • Governance Risk
    • Automated governance hack (a la beanstalk)
    • Have you considered voting distribution (one dude getting control)
    • VC takeover of DAO
  • Regulatory Risk
    • A government makes the use of a country's population
    • Is it a security
  • Environment Risks
    • Blockchain Risks
    • Blockchain Loses faith, users run
    • Bridge Risks
  • Software Development Risk
    • Flaw created by a changed contract
    • Bad Algorithmic validation during development
    • Stolen deployer key

My background is in avionics (aviation software). In aerospace, procedures are defined, updated, rigorously followed and then continuously improved. This culture of continuous improvement and solid documentation is what I aim to bring to GRO.

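Added example (not part of the proposal above, and not DeFiSafety or GRO code): the “alert upon execution and a timelock” mitigation from the post, written as an offline Python check over a constructed list of deployer transactions. The addresses, function names, 24-hour delay and the transactions themselves are all assumptions; in a real deployment the same logic would be fed decoded transactions from a node or indexer. It flags any privileged call sent straight from the deployer key (what a stolen key enables), any execute with no matching queue, and any execute landing before the delay has elapsed, while still logging every queue so the team gets the review window the post describes.

```python
"""Offline deployer-key monitor: the "alert on execution + timelock" control
from the proposal, run over a constructed transaction list.

Everything here is made up for illustration: the addresses, the function
names, the 24h delay and the transactions themselves.
"""
from dataclasses import dataclass

MIN_DELAY = 24 * 60 * 60                      # assumed policy: 24h timelock
DEPLOYER = "0xdep10y3r"                       # hypothetical deployer EOA
TIMELOCK = "0x71me10ck"                       # hypothetical timelock contract
PRIVILEGED = {"upgradeTo", "setAdmin", "setStrategy"}   # hypothetical admin calls


@dataclass(frozen=True)
class Tx:
    ts: int            # block timestamp (unix seconds)
    sender: str
    to: str
    func: str          # decoded function name (from the ABI in a real indexer)
    op_id: str = ""    # timelock operation id for queue/execute/cancel
    txhash: str = ""


def check_deployer_activity(txs, min_delay=MIN_DELAY):
    """Return (severity, message) alerts for every transaction the deployer sent.

    Policy: privileged calls must go through the timelock; each execute must
    match an earlier queue and come no sooner than min_delay after it.
    """
    alerts = []
    queued = {}   # op_id -> earliest allowed execution timestamp
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.sender != DEPLOYER:
            continue                          # only the deployer key is watched
        if tx.to == TIMELOCK:
            if tx.func == "queue":
                eta = tx.ts + min_delay
                queued[tx.op_id] = eta
                alerts.append(("info", f"{tx.txhash}: op {tx.op_id} queued, "
                                       f"review window until {eta}"))
            elif tx.func == "execute":
                eta = queued.pop(tx.op_id, None)
                if eta is None:
                    alerts.append(("critical", f"{tx.txhash}: execute of unknown op {tx.op_id}"))
                elif tx.ts < eta:
                    # A correct timelock reverts this; a mined success means the delay was changed.
                    alerts.append(("critical", f"{tx.txhash}: op {tx.op_id} executed {eta - tx.ts}s early"))
                else:
                    alerts.append(("info", f"{tx.txhash}: op {tx.op_id} executed after delay"))
            elif tx.func == "cancel":
                queued.pop(tx.op_id, None)
                alerts.append(("info", f"{tx.txhash}: op {tx.op_id} cancelled"))
            else:
                alerts.append(("warning", f"{tx.txhash}: unexpected timelock call {tx.func}"))
        elif tx.func in PRIVILEGED:
            alerts.append(("critical", f"{tx.txhash}: {tx.func} on {tx.to} sent directly "
                                       f"from the deployer key, bypassing the timelock"))
        else:
            alerts.append(("warning", f"{tx.txhash}: deployer key active: {tx.func} to {tx.to}"))
    return alerts


def critical_alerts(txs, min_delay=MIN_DELAY):
    """Only the alerts that should page someone and trigger the written response plan."""
    return [m for sev, m in check_deployer_activity(txs, min_delay) if sev == "critical"]


# Constructed sample: one legitimate timelocked operation, one "early" execute,
# one direct admin call (what a stolen key would do), plus a stray transfer.
SAMPLE_TXS = [
    Tx(1_000, DEPLOYER, TIMELOCK, "queue", "op1", "0xa1"),
    Tx(1_000 + MIN_DELAY + 60, DEPLOYER, TIMELOCK, "execute", "op1", "0xa2"),
    Tx(2_000, DEPLOYER, TIMELOCK, "queue", "op2", "0xb1"),
    Tx(2_600, DEPLOYER, TIMELOCK, "execute", "op2", "0xb2"),
    Tx(3_000, DEPLOYER, "0xpr0xy", "upgradeTo", "", "0xc1"),
    Tx(3_100, DEPLOYER, "0x5omeone", "transfer", "", "0xd1"),
    Tx(3_200, "0x0ther", "0xpr0xy", "deposit", "", "0xe1"),   # not the deployer: ignored
]

if __name__ == "__main__":
    for sev, msg in check_deployer_activity(SAMPLE_TXS):
        print(f"[{sev.upper():8}] {msg}")
```

The point of the split into info/warning/critical is that the response plan can be written against it: a queue is the review window, a warning is "someone check why the deployer key is moving", and a critical alert is the "keys stolen" playbook (cancel queued ops from the guardian, rotate the key, pause if the protocol has a pause).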

that’s just weird

what?

lmao

what problem? what ‘bad’ tokenomics

ok

but how?

‘bad’? how bad?

what risks? dissertations are being defended on this.

why? what type of stablecoin?

certainly needs elaboration

what kind of hack?

that’s just so vaguely superficial hand waving, don’t even know where to start asking questions

Admittedly the phrasing is bad in some of these.

“A government makes the use of a countries population” – eg US citizens cannot use your protocol (legally)

“Blockchain Loses faith, users run” what happens if a small chain dies. Will that destroy your protocol?

“Fake google ads” advertising protocols to fake sites is a real and active problem. I have a list of reactions. Should someone from the protocol monitor or do you just react?

“Internal Bad actor damages protocol” look at the recent Ankr hack. They added a timelock and multisig after the fact. Had they considered the risk before, it would not have happened. That is risk management.

“Bad coefficient updates” and “Bad strategy deployment”. Look at the depth of Yearn’s process. How much damage can a sloppy mistake cause? How many checks should be added?

“Bridge Risks” means a check if too much of the token has been bridged and could be lost in a bridge hack.

There is no quality management or risk management in this industry even as it is hacked daily. When will people wake up that this is necessary?