Summary
A proposal to renew Hypernative’s 12-month engagement with OlympusDAO for continuous real-time monitoring and proactive threat prevention, to improve the resiliency and security of the OlympusDAO protocol, augment the DAO’s security operations, and minimize the risk of hacks, exploits, loss of funds and catastrophic loss, supporting long-term sustainable growth.
The proposal below includes detections of malicious DAO proposals, which have proven to be a significant threat vector as Olympus transitions toward an on-chain governance structure.
The request is to approve a $60K budget expenditure paid in OHM for 12 months, approved and released by the DAO contributors.
Results
Since 2023, our real-time monitoring and proactive threat prevention platform has been used by the OlympusDAO team to preemptively detect attacks and attempted exploits prior to actual exploitation on the OlympusDAO contracts, including various attack vectors such as price manipulation, oracle manipulation, reentrancy vulnerabilities, and more.
The Hypernative system is configured to monitor and generate 'out-of-the-box' real-time alerts across Security, Financial, Technical, Governance, and Community categories for OlympusDAO core contracts, multi-sig contracts, treasury contracts, emergency contracts, and periphery & dependencies contracts. Additionally, the OlympusDAO team has configured the system for custom purposes, such as monitoring the treasury balance and the Uniswap V3 OHM 3 pool TVL.
The Hypernative team, together with the OlympusDAO team, built an incident response and mitigation plan covering:
- Involved parties
- Identified communication channels
- Roles and responsibilities in case of events
- Testing of the response trigger
- Hypernative has maintained continuous engagement with the OlympusDAO protocol team through ongoing Discord communication and recurring meetings.
- This collaboration aims to refine monitoring, response strategies, and necessary adjustments.
Our contributions have included:
- Highlighting to the team relevant events within the Olympus ecosystem, such as integrations in new protocols, exploits, and attack behaviors, even when Olympus isn't the direct target.
- Providing alerts about security incidents in the broader ecosystem, including breaches in other protocols.
- One notable achievement was the Hypernative system's detection of the FloorDAO attack. Our advance detection covered various stages, including identifying malicious contract deployments, failed attack attempts, the actual attack, and even attempts to replicate the attack targeting the Olympus protocol, which occurred in early September.
- Throughout our engagement, we've also engaged in discussions and made suggestions for further security enhancements for the protocol.
- An X (formerly Twitter) account affiliated with OlympusDAO was compromised and was posting links to phishing websites, which posed a risk to the Olympus community. For days, until control of the account was regained (via a contact at X), Hypernative constantly reported malicious websites to various ecosystem partners to make sure they were taken down as soon as they were noticed.
- OlympusDAO was supposed to invest in the Blueberry protocol (although it didn't eventually, due to a timing issue). On February 23, the Blueberry protocol was exploited for approximately $1.3 million. The Hypernative system detected the attack on the Blueberry protocol four minutes prior to the first hack transaction. The engagement will also include monitoring and detection of third-party protocols that the DAO considers investing in, such as Blueberry.
Background
About Hypernative
Hypernative actively detects and responds to zero-day cyber attacks, financial risks, on-chain anomalies, and safeguards digital assets, protocols, and Web3 applications from significant threats and losses.
Hypernative today works with some of the leading crypto organizations, such as Balancer, Polygon, Starknet, Zetachain, Linea (Consensys), Circle, Galaxy, OlympusDAO, Karpatkey DAO and Chainalysis, to name a few.
Hypernative is an active participant in many crypto security organizations and committees geared towards helping projects and the industry as a whole to create new security solutions and standards.
The Hypernative team is well experienced in crypto and cyber security, with decades of combined experience from companies such as Microsoft, IBM, Google, VMware, CyberArk, ChainReaction, Orbs, Intel and others.
Motivation
The overall motivation is to augment security and risk operations and help the Olympus DAO team both with our team's security and data expertise and with the Hypernative platform.
It is hard to keep track of the many different security risks and exposures in crypto and Web3; having a dedicated team and a real-time platform to detect and mitigate these risks for the community is a first priority in our vision.
The result of this engagement will be real-time detection of any security attack vector against Olympus DAO and its participants, and prevention of that threat through preventive workflows defined together with the community (leveraging the Hypernative platform).
A security and Solidity expert contact at Hypernative who will provide expertise and help regarding any security incidents, bug/vulnerability disclosures or processes.
Real-time detection and warning of the community/DAO about anomalies and risks in governance proposals, bridges, oracles, participants, and phishing or scamming campaigns affecting OHM and its holders (leveraging the Hypernative platform).
Proposal
Below is a preliminary list of features that Hypernative offers the OlympusDAO protocol to establish and ensure protocol security soundness, detect anomalies and malfunctions in third parties such as oracles, bridges, and other tokens and protocols, and monitor off-chain and on-chain participants for suspicious behavior.
Compared to Hypernative’s 2023 engagement, the proposed 2024 renewal has broader coverage and includes front-end monitoring, security advisory services and advanced custom monitoring.
A. Protocol Security
1. Reviewing security framework and response procedure, assigning a contact person for various events
- Set standard operational procedure (response & contact points) on category of events and time-sensitivity for any security or operational case
- Understand and create pre-incident measures to mitigate risk and react in time (pause contracts, limit/cap protocol, blacklist addresses, move funds to a safe/vault for emergency etc.)
- Understand and create post-incident measures
- Automatically notify Chainalysis to label attacker wallets and track stolen funds
2. Protocol Security Alerts
- Leverage Hypernative zero-day detection modules to detect threats and alert in real time on security incidents related to or directed at Olympus DAO contracts
3. Incident Response
- Identify root cause(s) and suggest remedies / repairs and communication
- War room management and connection with community volunteering help and Olympus team members
- Connection to and management of vendors and network of contacts (Circle, bridges, Chainalysis, chain security teams, etc.) to help with recovery of stolen funds and post-incident help to the DAO
- Community communications and post mortem
- Creating best practices based on historical incidents and building playbooks from the lessons learned
4. Security Operations Augmentation
- Create a security team for Olympus DAO by receiving and reviewing security disclosures and helping investigate issues as they arise
5. Security Advisory Services
- Explore and research tools (open source and commercial) to be used in the process and suggest to the DAO
- Create educational material and sessions with the community and developers teams
- Hypernative will explore OlympusDAO's operational security procedures and create a threat report with suggested recommendations to be considered by the DAO
- Help with security vendors assessment and conduct security/risk due diligence for any vendor or 3rd-party
- Presenting research and market assessments from a security standpoint to the DAO and community on demand
- Help with total security budget planning, negotiations and proposing the budget to the DAO for decision making
6. Security detections on third-party protocols:
- The Hypernative system will be used to monitor and detect hacks in third-party protocols that Olympus is integrated with or invested in.
- Olympus was supposed to invest in the Blueberry protocol (although it didn't eventually, due to a timing issue).
- On February 23, the Blueberry protocol was exploited for approximately $1.3 million. The Hypernative system detected the attack on the Blueberry protocol four minutes prior to the first hack transaction.
- If Olympus had invested, Hypernative could have alerted Olympus to withdraw their funds before the attack occurred.
B. Oracles, Bridges, and related Tokens
7. Oracle Reliability
- Offer:
- Detect deviations between two updates of an oracle
- Detect deviations between two updates on two different chains
- Detect deviations between on-chain and off-chain prices
- Detect a lack of updates and staleness
- Assist in evaluation of different oracle providers and share historical data
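The four oracle checks listed above (update-to-update deviation, cross-chain deviation, on-chain vs. off-chain deviation, and staleness) can be expressed as a small rule set over a stream of price updates. The block below is an added illustration, not Hypernative's or Olympus's code; the feed data, the 5% deviation limit and the one-hour staleness limit are constructed assumptions.

```python
"""Oracle reliability checks over constructed sample feeds.

Added example: the feeds, thresholds and alert format are assumptions,
not Hypernative's implementation or any real Olympus oracle."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Update:
    chain: str
    timestamp: int  # unix seconds
    price: float    # asset price in USD


Alert = Tuple[str, str, str]  # (kind, subject, detail)


def deviation(value: float, reference: float) -> float:
    """Relative deviation of value from reference (e.g. 0.05 == 5%)."""
    return abs(value - reference) / reference


def check_consecutive(feed: List[Update], max_dev: float) -> List[Alert]:
    """Flag an update that moves more than max_dev from the previous one."""
    alerts = []
    for prev, cur in zip(feed, feed[1:]):
        d = deviation(cur.price, prev.price)
        if d > max_dev:
            alerts.append(("consecutive_deviation", cur.chain,
                           f"t={cur.timestamp} moved {d:.1%} vs previous update"))
    return alerts


def check_cross_chain(feed_a: List[Update], feed_b: List[Update], max_dev: float) -> List[Alert]:
    """Compare the latest value of the same oracle on two chains."""
    a, b = feed_a[-1], feed_b[-1]
    d = deviation(a.price, b.price)
    if d > max_dev:
        return [("cross_chain_deviation", f"{a.chain}/{b.chain}",
                 f"{d:.1%} between latest updates")]
    return []


def check_off_chain(feed: List[Update], off_chain_price: float, max_dev: float) -> List[Alert]:
    """Compare the latest on-chain value with an off-chain reference price."""
    latest = feed[-1]
    d = deviation(latest.price, off_chain_price)
    if d > max_dev:
        return [("off_chain_deviation", latest.chain,
                 f"on-chain {latest.price} vs off-chain {off_chain_price} ({d:.1%})")]
    return []


def check_staleness(feed: List[Update], now: int, max_age: int) -> List[Alert]:
    """Flag a feed whose last update is older than max_age seconds."""
    latest = feed[-1]
    age = now - latest.timestamp
    if age > max_age:
        return [("stale", latest.chain, f"last update {age}s ago (limit {max_age}s)")]
    return []


# Constructed sample feeds: the third mainnet update jumps ~19%, the two
# chains disagree, and mainnet has not updated for more than an hour.
MAINNET = [Update("mainnet", 0, 10.00), Update("mainnet", 600, 10.10), Update("mainnet", 1200, 12.00)]
ARBITRUM = [Update("arbitrum", 0, 10.00), Update("arbitrum", 4800, 10.30)]
OFF_CHAIN_PRICE = 10.20  # constructed reference price
NOW = 5200


def run_checks(now: int = NOW, max_dev: float = 0.05, max_age: int = 3600) -> List[Alert]:
    """Run every check and return the alerts in a fixed order."""
    alerts: List[Alert] = []
    alerts += check_consecutive(MAINNET, max_dev)
    alerts += check_consecutive(ARBITRUM, max_dev)
    alerts += check_cross_chain(MAINNET, ARBITRUM, max_dev)
    alerts += check_off_chain(MAINNET, OFF_CHAIN_PRICE, max_dev)
    alerts += check_staleness(MAINNET, now, max_age)
    alerts += check_staleness(ARBITRUM, now, max_age)
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in run_checks():
        print(f"[{kind}] {subject}: {detail}")
```

In production the same rules would read Chainlink-style `AnswerUpdated` events (or the equivalent for the provider in use) instead of the constructed lists, and the staleness limit should be set from the feed's documented heartbeat rather than a fixed hour.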
8. Bridge Security Monitoring
- Offer:
- Provide security alerts related to bridge security incidents and risks
9. Related Token Monitoring
- Offer:
- Monitor tokens dependent on or related to Olympus DAO for anomalies, market economic conditions, security, holdings concentration and supply changes (mints / burns)
C. Phishing and Scamming Detection
10. On-chain detection
- Offer:
- Detect phishing campaigns targeted at OHM token holders and provide alerts to warn the community
11. Off-chain detection. (* Roadmap item)
- Offer:
- Detect phishing and scamming campaigns on the web
- Detect phishing campaigns on social media (Discord, Telegram, Twitter) and alert related parties
D. On-Chain Governance
12. Monitor Governance Decisions
- Offer:
- Monitor OlympusDAO governance proposals on-chain and apply Hypernative models to detect suspicious proposals
- Simulate governance proposals and add relevant automated testing of invariants/conditions for every proposal
- Monitor proposers history and risk parameters
Example: Tornado Cash exploit through an on-chain governance proposal. On 2023.05.20 the Hypernative system detected an attack on Tornado Cash through a malicious DAO proposal which resulted in a ~$2.7M exploit. The attack spanned three transactions within a couple of hours, stealing $25,000, $39,000, and $2.7 million. Hypernative flagged the malicious proposal creation through its proprietary ML bytecode model, which analyzed the contract automatically upon deployment. Through the proposal, the attacker managed to acquire 1,200,000 votes, surpassing the legitimate votes of approximately 700,000, and thereby gained control over Tornado Cash governance. The attacker's address was funded via Tornado Cash. The attacker crafted a malicious proposal, cunningly stating that it followed the same logic as a previously approved proposal. However, the attacker had introduced an additional function into their proposal, which allowed them to self-destruct the contract. Approximately 430 ETH were laundered by the attacker through Tornado Cash. Later, the attacker submitted a proposal to reverse the hostile takeover, restoring governance control to the DAO.
13. Monitor Governance token holders
- Offer:
- Monitor governance token transfers
- Alert on governance token concentration
14. Monitor lockdown policies
- Offer:
- Apply a policy to verify lockdown of token holders based on their wallet addresses (for example, vendors, employees, special participants, etc.)
E. Participants Monitoring
15. Monitor suspicious users
- Offer:
- Monitor large transfers or movements of funds from participants in the protocol
- Monitor suspicious or illicit activity, or illicit funds holdings for protocol participants
16. Monitor blacklisted addresses
- Offer:
- Monitor addresses from OFAC lists or that were part of a hack/exploit/fraud
F. Protocol Operations Monitoring
17. Monitor protocol treasury and wallets
- Offer:
- Monitor large transfers or movements of funds from protocol treasury
- Monitor protocol multi sig wallets for anomalies and suspicious transactions
- Pre transaction API that can simulate a transaction outcome before applying it on-chain
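Items 13 (governance token transfers and concentration) and 17 (large treasury outflows) can be driven from the same input: the token's ERC-20 `Transfer` events. The block below is an added example and not Hypernative's or Olympus's code; the addresses, amounts, the 400,000-token outflow limit and the 25% concentration limit are constructed placeholders.

```python
"""Governance-token concentration and treasury-outflow monitoring over a
stream of ERC-20 Transfer events.

Added example: addresses, amounts and thresholds are constructed
placeholders, not real Olympus contracts or Hypernative's rules."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed placeholder addresses (not real contracts).
TREASURY = "0xtreasury"
ZERO = "0x0000000000000000000000000000000000000000"  # mint/burn counterparty

Transfer = Tuple[int, str, str, int]   # (block, from, to, amount in whole tokens)
Alert = Tuple[str, int, str]           # (kind, block, detail)

# Constructed sample stream: one mint to the treasury, normal distribution,
# then a 450k outflow that also pushes one holder past the concentration limit.
SAMPLE_TRANSFERS: List[Transfer] = [
    (100, ZERO, TREASURY, 1_000_000),
    (101, TREASURY, "0xalice", 200_000),
    (102, TREASURY, "0xbob", 150_000),
    (103, "0xalice", "0xcarol", 50_000),
    (110, TREASURY, "0xdave", 450_000),
    (111, "0xbob", "0xdave", 150_000),
]


class TokenMonitor:
    def __init__(self, treasury: str, outflow_limit: int, max_share: float, top_n: int = 3):
        self.treasury = treasury
        self.outflow_limit = outflow_limit   # single-transfer size that triggers an alert
        self.max_share = max_share           # fraction of supply one holder may reach
        self.top_n = top_n
        self.balances: Dict[str, int] = defaultdict(int)
        self.alerts: List[Alert] = []
        self._flagged: Set[str] = set()      # holders already reported, to avoid repeats

    def apply(self, tx: Transfer) -> None:
        """Update balances from one Transfer event and evaluate both rules."""
        block, src, dst, amount = tx
        if src != ZERO:
            self.balances[src] -= amount
        if dst != ZERO:
            self.balances[dst] += amount
        if src == self.treasury and amount >= self.outflow_limit:
            self.alerts.append(("treasury_outflow", block, f"{amount} tokens to {dst}"))
        self._check_concentration(block)

    def total_supply(self) -> int:
        # Mints add to a balance without a matching debit, so the sum is the supply.
        return sum(self.balances.values())

    def top_holders(self) -> List[Tuple[str, int]]:
        """Largest non-treasury holders; the treasury's own stake is expected."""
        holders = [(a, b) for a, b in self.balances.items() if a != self.treasury and b > 0]
        return sorted(holders, key=lambda ab: -ab[1])[: self.top_n]

    def _check_concentration(self, block: int) -> None:
        supply = self.total_supply()
        if supply == 0:
            return
        for addr, bal in self.top_holders():
            share = bal / supply
            if share > self.max_share and addr not in self._flagged:
                self._flagged.add(addr)
                self.alerts.append(("concentration", block,
                                    f"{addr} holds {share:.1%} of supply"))


def run_monitor(transfers: List[Transfer] = SAMPLE_TRANSFERS,
                outflow_limit: int = 400_000, max_share: float = 0.25) -> TokenMonitor:
    """Replay a transfer stream through the monitor and return it for inspection."""
    monitor = TokenMonitor(TREASURY, outflow_limit, max_share)
    for tx in transfers:
        monitor.apply(tx)
    return monitor


if __name__ == "__main__":
    for kind, block, detail in run_monitor().alerts:
        print(f"block {block} [{kind}] {detail}")
```

The concentration rule fires once per holder when they first cross the limit (at block 110 here, when 0xdave reaches 45%), rather than on every later transfer, which keeps the alert channel readable; a real deployment would reset the flag if the holder's share drops back under the limit.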
18. Monitor protocol defined parameters / invariants
- Offer:
- Monitor specific invariants, functions and events as specified by OlympusDAO team
G. Front-end Monitoring
- Offer:
- Detect web application security incidents like DNS hijacks, DNS provider compromises, compromised plugins and backends
- Provide real-time alerts on any suspicious change to the web application
- Related examples that could have been detected early using the suggested front-end monitoring:
- Balancer DNS attack, September, 2023
- Ledger Connect compromised javascript library, December 2023
- Velodrome DNS attacks, November and December 2023
- Trader Joe’s compromised plugins attack, November 2023
- BadgerDAO
- Convex Finance
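The front-end incidents listed above share a pattern: either the name resolution of the dApp changed, or the scripts it served changed. A defender can catch both by taking periodic snapshots of DNS records and script hashes and diffing them against a reviewed baseline. The block below is an added illustration, not Hypernative's product or Olympus's front-end; the domains (reserved `.invalid` names), IP addresses (documentation ranges) and script bodies are constructed.

```python
"""Front-end change detection by diffing DNS and script-hash snapshots.

Added example: domains, IPs and script contents are constructed placeholders;
the snapshot layout is an assumption, not Hypernative's format."""
import hashlib
from typing import Dict, List, Tuple
from urllib.parse import urlparse

Snapshot = Dict[str, Dict]   # {"dns": {rtype: [values]}, "scripts": {url: sha256hex}}
Alert = Tuple[str, str, str]  # (kind, subject, detail)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def origin(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


# Constructed reviewed baseline for a hypothetical dApp.
BASELINE: Snapshot = {
    "dns": {"A": ["203.0.113.10"], "NS": ["ns1.example-dns.invalid"]},
    "scripts": {
        "https://app.example.invalid/main.js": sha256_hex(b"console.log('app v1')"),
        "https://cdn.example.invalid/wallet-connect.js": sha256_hex(b"/* connector v1 */"),
    },
}

# Constructed later snapshot: the A record moved, one script's content changed,
# and a script from an origin never seen in the baseline appeared.
CURRENT: Snapshot = {
    "dns": {"A": ["198.51.100.7"], "NS": ["ns1.example-dns.invalid"]},
    "scripts": {
        "https://app.example.invalid/main.js": sha256_hex(b"console.log('app v1')"),
        "https://cdn.example.invalid/wallet-connect.js": sha256_hex(b"/* connector v1 */ /* edited */"),
        "https://static.unrelated.invalid/extra.js": sha256_hex(b"// injected"),
    },
}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Alert]:
    """Return one alert per DNS record set or script that differs from the baseline."""
    alerts: List[Alert] = []

    # 1. Any change to a DNS record set (A/AAAA/NS/CNAME...) is reported, since
    #    a hijack or provider compromise shows up here first.
    for rtype in sorted(set(baseline["dns"]) | set(current["dns"])):
        old = sorted(baseline["dns"].get(rtype, []))
        new = sorted(current["dns"].get(rtype, []))
        if old != new:
            alerts.append(("dns_change", rtype, f"{old} -> {new}"))

    # 2. Scripts: new URLs (especially from unknown origins), changed hashes, removals.
    known_origins = {origin(u) for u in baseline["scripts"]}
    for url, digest in current["scripts"].items():
        if url not in baseline["scripts"]:
            kind = "new_script" if origin(url) in known_origins else "new_script_foreign_origin"
            alerts.append((kind, url, digest[:12]))
        elif baseline["scripts"][url] != digest:
            alerts.append(("script_hash_change", url,
                           f"{baseline['scripts'][url][:12]} -> {digest[:12]}"))
    for url in baseline["scripts"]:
        if url not in current["scripts"]:
            alerts.append(("script_removed", url, ""))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in diff_snapshots(BASELINE, CURRENT):
        print(f"[{kind}] {subject} {detail}")
```

The baseline is the reviewed state after each legitimate deploy, so a genuine release updates the baseline and everything else is an alert. The same script hashes can be pinned in the page's `integrity` (SRI) attributes so the browser refuses a tampered file even before the monitor fires.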
The request is to approve a $60K budget expenditure paid in OHM for 12 months, approved and released by the DAO contributors.
2023 Full Results
Below is a full description of the results of the engagement between Hypernative and OlympusDAO during 2023.
Product
- Monitor OlympusDAO contracts to detect attacks in advance, prior to actual exploitation, and preventive attempts
- Detect a wide variety of attack vectors such as price manipulation, oracle manipulation, malicious DAO proposals, failed attack attempts and more
Configuration
- Out-of-the-box real-time monitoring to detect abnormal behavior across 5 categories: Security, Financial, Technical, Governance, Community.
- Hypernative system is configured to monitor the following OlympusDAO contracts:
- Core contracts
- Multi-sig contracts
- Treasury contracts
- Emergency contracts
- Periphery & Dependencies contracts
- Custom monitoring - the system was configured by the Olympus team to monitor the following balances:
- The Olympus treasury daily balance
- Alert when the value of OHM and Wrapped Ether held in the Uniswap V3 OHM 3 pool falls below $5,000,000
Expertise
The Hypernative team built, together with the Olympus team, an incident response and mitigation plan covering:
- Involved parties
- Identified communication channels
- Roles and responsibilities in case of events
- Testing of the response trigger
- Continuous engagement with the protocol team, including scheduled meetings, to refine the monitoring and response and make adjustments as needed
- Highlighting to the team any relevant event involving Olympus, such as integrations in new protocols, exploits and attack behavior, even when Olympus isn't the target
- Alerts about security events in the ecosystem, such as other protocols being breached
- The Hypernative system detected the FloorDAO attack; detection in advance included malicious contract deployment, failed attack attempts and the actual attack, including attempts to replicate the attack targeting the Olympus protocol (beginning of September)
- An X (formerly Twitter) account affiliated with OlympusDAO was compromised and was posting links to phishing websites, which posed a risk to the Olympus community. For days, until control of the account was regained (via a contact at X), Hypernative constantly reported malicious websites to various ecosystem partners to make sure they were taken down as soon as they were noticed.
- Discussed and suggested further security enhancements for the protocol