OlympusDAO
Closed
Passed

OIP-180: Hypernative offer to OlympusDAO - Security and Threat Prevention

Published

3/20/2025, 5:56:52 PM

Closes

3/23/2025, 5:56:52 PM

Votes

2

Voting Type

single choice

Quorum

0

Proposal Content

Snapshot note: this proposal has been truncated to fit in the 10,000 character limit. Full details of the proposal can be found at the linked discussion.

Summary

A proposal to renew Hypernative’s 12-month engagement with OlympusDAO for continuous real-time monitoring and proactive threat prevention. The engagement aims to enhance the resiliency and security of the OlympusDAO protocol and augment the DAO’s security operations, minimizing the risk of hacks, exploits, and catastrophic loss of funds in support of long-term sustainable growth.

The request is to approve a $60K budget expenditure paid in OHM for 12 months, approved and released by the DAO contributors.

The proposal below includes detections of malicious DAO proposals, which have proven to be a significant threat vector as Olympus transitions toward an on-chain governance structure.

Motivation

The overall motivation is to augment security and risk operations and to help the Olympus DAO team, both with our team's security and data expertise and with the use of the Hypernative platform.
It is hard to keep track of all the different security risks and exposures in crypto and Web3; having a dedicated team and a real-time platform to detect and mitigate these risks for the community is a first priority in our vision.

Implementing this offer will provide:
Real-time detection of any security attack vector on Olympus DAO and its participants, and prevention of that threat through preventive workflows defined together with the community (leveraging the Hypernative Platform)
A security and Solidity expert contact at Hypernative who will provide expertise and help with any security incidents, bug/vulnerability disclosures or processes
Real-time detection and warning to the community/DAO of anomalies and risks in governance proposals, bridges, oracles, participants, and phishing or scamming campaigns affecting OHM and its holders (leveraging the Hypernative Platform)

Proposal

Below is a preliminary list of features that Hypernative offers the OlympusDAO protocol to establish and ensure protocol security soundness, detect anomalies and malfunctions in third parties such as oracles, bridges, and other tokens and protocols, and monitor off-chain and on-chain participants for suspicious behavior.

A. Protocol Security

Reviewing security framework and response procedure, assigning a contact person for various events

Set standard operational procedure (response & contact points) on category of events and time-sensitivity for any security or operational case
Understand and create pre-incident measures to mitigate risk and react in time (pause contracts, limit/cap protocol, blacklist addresses, move funds to a safe/vault for emergency etc.)
Understand and create post-incident measures

Protocol Security Alerts

Leverage Hypernative zero-day detection modules to detect threat and alert in real time on security incidents related to or directed at Olympus DAO contracts

Incident Response

Identify root cause(s) and suggest remedies / repairs and communication
War room management and connection with community volunteering help and Olympus team members
Connection to and management of vendors and a network of contacts (Circle, Bridges, Zeroshadow, Chain security teams, etc.) to help with recovery of stolen funds and post-incident help to the DAO
Community communications and post mortem
Creating best practices based on historical incidents and create playbooks with the learning

Security Operations Augmentation

Create a security team for Olympus DAO by receiving and reviewing security disclosures and helping investigate issues as they arise

Security Advisory Services

Explore and research tools (open source and commercial) to be used in the process and suggest to the DAO
Create educational material and sessions with the community and developers teams
Hypernative will explore OlympusDAO's operational security procedures and create a threat report with suggested recommendations to be considered by the DAO
Help with security vendors assessment and conduct security/risk due diligence for any vendor or 3rd-party
Presenting the research and market assessments on demand from security standpoint to the DAO and community
Help with total security budget planning, negotiations and proposing the budget to the DAO for decision making

Security detections on third-party protocols:

On Sept. 21, Hypernative detected unusual activity related to one of Olympus DAO's utility contracts. Within 3 minutes early on Saturday morning U.S. time, Hypernative notified the Olympus team. Thanks to the quick response and efficient collaboration between the teams, the damage was limited to $29K. More information here
The Hypernative system will be used to monitor and detect hacks in third-party protocols that Olympus is integrated with or invested in.
Olympus was supposed to invest in the Blueberry protocol (although it didn't eventually due to a timing issue).
On February 23, the Blueberry protocol was exploited for approximately $1.3 million. The Hypernative system detected the attack on the Blueberry protocol four minutes prior to the first hack transaction.
If Olympus had invested, Hypernative could have alerted Olympus to withdraw their funds before the attack occurred.

B. Oracles, Bridges, and related Tokens

Oracle Reliability

Offer:
Detect deviations between two updates of an oracle
Detect deviations between two updates on two different chains
Detect deviations between on-chain and off-chain prices
Detect a lack of updates and staleness
Assist in evaluation of different oracle providers and share historical data

Bridge Security Monitoring
Offer:
Provide security alerts related to bridge security incidents and risks

Related Token Monitoring

Offer:
Monitor tokens dependent on or related to Olympus DAO for anomalies, market economic conditions, security, holdings concentration and supply changes (mints / burns)

C. Phishing and Scamming Detection

On-chain detection

Offer:
Detect phishing campaigns targeted at OHM token holders and provide alerts to warn the community

Off-chain detection. (* Roadmap item)

Offer:
Detect phishing and scamming campaigns on the web
Detect phishing campaigns on social media (Discord, Telegram, Twitter) and alert related parties

D. On-Chain Governance

Monitor Governance Decisions

Offer:
Monitor OlympusDAO governance proposals on-chain and apply Hypernative models to detect suspicious proposals
Simulate governance proposals and add relevant automated testing of invariants/conditions for every proposal
Monitor proposers history and risk parameters
Example: Tornado Cash exploit through on-chain governance proposal:
On 2023.05.20 the Hypernative system detected an attack on Tornado Cash through a malicious DAO proposal, which resulted in a ~$2.7M exploit. The attack spanned 3 transactions within a couple of hours, in which $25,000, $39,000, and $2.7 million were stolen. Hypernative flagged the malicious proposal creation through its proprietary ML bytecode model, which analyzed the contract automatically upon deployment.
Through the proposal, the attacker managed to acquire 1,200,000 votes, surpassing the legitimate votes of approximately 700,000, and by that gaining control over the Tornado Cash governance.
The attacker's address was funded via Tornado Cash. The attacker crafted a malicious proposal, cunningly stating that it followed the same logic as a previously approved proposal. However, the attacker had introduced an additional function into their proposal, which allowed them to self-destruct the contract. Approximately 430 ETH were laundered by the attacker through Tornado Cash.
Later, the attacker submitted a proposal to reverse the hostile takeover, restoring governance control to the DAO.

Monitor Governance token holders

Offer:
Monitor governance token transfers
Alert on governance token concentration

Monitor lockdown policies

Offer:
Apply a policy to verify lockdown of token holders based on their wallet addresses (for example, vendors, employees, special participants, etc.)

D. Participants Monitoring

Monitor suspicious users

Offer:
Monitor large transfers or movements of funds from participants in the protocol
Monitor suspicious or illicit activity, or illicit funds holdings for protocol participants

Monitor blacklisted addresses

Offer:
Monitor addresses from OFAC lists or that were part of a hack/exploit/fraud

E. Protocol Operations Monitoring

Monitor protocol treasury and wallets

Offer:
Monitor large transfers or movements of funds from protocol treasury
Monitor protocol multisig wallets for anomalies and suspicious transactions
Pre-transaction API that can simulate a transaction outcome before applying it on-chain

Monitor protocol defined parameters / invariants

Offer:
Monitor specific invariants, functions and events as specified by OlympusDAO team

F. Front-end Monitoring
Offer:
Detect web application security incidents like DNS hijacks, DNS provider compromises, compromised plugins and backends
Provide real-time alerts on any suspicious change to the web application
Related examples that could have been detected early using the suggested front-end monitoring:
Balancer DNS attack, September, 2023
Ledger Connect compromised javascript library, December 2023
Velodrome DNS attacks, November and December 2023
Trader Joe’s compromised plugins attack, November 2023
BadgerDAO
Convex Finance

Voting Results

Passed
Approve OIP-180 (Leading): 100.0%

45.6K

Reject OIP-180: 0.0%

0

Total Votes

2

Total Score

45.6K
