Our Decentralized Selves | BanklessDAO Weekly Rollup
Catch Up With What Happened This Week in BanklessDAO
Dear Bankless Nation 🏴,
Season 4 officially kicks off at the start of May, but many of us never stopped working. For example: our Governance Solutions Engineer (GSE) team — Above Average Joe, Saulthorin, ManuelMaccou, 0xJustice, and Rotorless.
This new team will help us set precise and efficient goals by having clear prioritization and alignment aims. The GSE’s strategy includes building a community handbook we can use as a reference for projects and branding, as well as formalizing an improvement proposal process for such a community constitution.
The first draft, the alpha stage of development, is underway and expected for feedback at the beginning of the season. Our community Operating System is evolving, and it’s exciting to imagine what bDAO will look like after another year of building. Be sufficiently bullish. 🐂
🙏 Sponsored by CitaDAO
🗓 Weekly Recap
🧑🎨 Artist: Legends of Cypher
🏦 Auction Type: Limited Edition, 215 Total
💰 Price: 0.053 ETH
Starship and Scoutship: Lunastus and Sine Ripae
“Welcome to Legends of Cypher, a multimedia project that tells the story of a future human civilization fighting for individual freedom. On one side is Hash and his ‘gift’, a technology that can free humanity from bondage.”
Legends of Cypher is a much larger digital art project than just this one NFT, with a whole universe coming from these bDAO alumni. Make sure to check out their website to keep tabs on the project and check out the full NFT, including the audio and video, as this isn’t just a jpeg.
If you are ready to go full-time DAO, but you are in need of some funding to make it happen, this grant might just be the kick you need to get there.
“This is an experimental grant program built and governed by the DAOpunk community. It is intended to provide individuals with the initial resources that are needed to take the leap and go full-time DAO.”
The DAOpunks community is looking to help three grantees by awarding each up to 1 ETH. Applications are open until May 4, 2022.
🧑🎨 Artist: Cosmic Clancy
💰 Price: 69 USD
👔 DAO FTP Emoji T-Shirt
“This DAO For the People tee was created with the BanklessDAO Discord Community at the forefront. Each emoji was pulled from the myriad channels that make up this incredible DAO, and hand drawn to add the personalized flare we members feel as we log on each day.”
Wear this shirt with pride, knowing you are supporting a community of hard working, dedicated individuals (including yourself!), and spread the good word that BanklessDAO is “Of the People, By the People, For the People."
Bankless Academy is hosting a free public learning series that will start the week of May 2, with classes on Monday, Wednesday, and Friday. First up is a security series, focusing on how to avoid scams.
These will be run as small group Q&A sessions of approximately five people in the audience, so please sign up to reserve your place.
Future participation in Fight Club, both for the educational webinars and as a potential investor, will be gated to those who hold the Red Glove NFT. This is a limited edition set of 150 NFTs, on sale for 200 MATIC each. If you are not already whitelisted for minting, that is still available by filling out this form.
Once the public sale goes live, around the time of Permissionless, it will cost 400 MATIC to mint a Black Glove NFT. Even if you don’t qualify as an accredited investor in the U.S., the educational webinars will still be valuable.
🎙 BanklessDAO Podcasts
💰 Coordinape Allocations Disbursed!
The BANK from the April Coordinape round has now been disbursed. As a refresher, here's the sheet with the info on disbursement amounts. If you have any questions about the DAO-wide Coordinape round, please pop into the #contributor-remuneration channel and tag @joer!
🔥 GMI Rari Fuse Pool Upgraded
BanklessDAO collaborated with Index Coop to launch a GMI fuse pool that can provide capital efficiency to the community members of GMI's constituent protocols by providing them with a venue in which they can collateralize and borrow against their assets. This pool has been further upgraded. Depositors can now use UST as collateral and borrow up to 80% of that value. Depositors can now borrow gOHM, ALCX, CVX, PERP, FXS, and TRIBE! This is the FIRST & ONLY Fuse Pool in which you can do so.
💪 AMA with Beanstalk
Tomorrow at 3:00pm EDT, the Research Guild is hosting an AMA with Beanstalk. After suffering a recent exploit, they are now looking at relaunching, starting with this emergency AMA.
“Beanstalk is a decentralized and transparent solution to DeFi's endemic stablecoin supply shortage. It was designed from first principles to be a paradigm-shifting DeFi primitive that makes decentralized, cost-efficient stablecoins available to anyone with an internet connection.”
🥊 Fight Club Education: Twitter Fireside Chat
The Fight Club Education Program Series will be hosting a fireside chat on Twitter Spaces next Thursday, April 28, at 18:00 UTC (14:00 EDT) to discuss ‘How traditional VCs invest in Web3?’ with the following panelists:
Danielle from Blueyard Capital
Victoria Klich from w3.fund
Fauve Altman from Fauve Ventures
Miriam Neubauer from Catena Capital
If you’re interested in learning how traditional VC firms are investing in Web3 today, drop in and level up! Excited to see you there!
🙏 Sponsor: CitaDAO - Marketplace for Tokenized Real Estate
Our Decentralized Selves
In a world of abundance, attention is the scarcest asset. The internet has made it cheaper and more efficient to share articles, images, and videos than ever before, creating a wealth of data.
In the computerized world, your data is the fuel that drives decisions. Centralized governments work together with the walled gardens of social media to control how we are represented online. The data is not owned by us. It’s owned by them, and they can do whatever they want with it, whether that means using it to show you ads or deleting you from the platform, destroying all the posts and social capital you created along the way.
Now we have a new tool: blockchains. Blockchains provide a credibly neutral settlement layer to account for scarce digital assets. Everyone who uses the blockchain has a unique identifier (a public key), and transactions are verifiable. These simple features enable Decentralized Identity (DID), an online profile where your reputation is not in the hands of third-party actors.
Decentralized Identity or Digital Identity?
Digital Identity can be thought of as your collective actions on the internet. This can mean:
The sites you visit
The purchases you make
Accounts and posts created
These are all separate from each other. Each site has a particular idea about who you are. Yelp knows the kind of food you like, Facebook knows who you’re friends with, and Google knows what you’re interested in. Each makes a killing on the data you create by showing you ads and selling ad space to other companies.
With the advent of blockchain technology, we also have a decentralized, on-chain identity. Your decentralized identity (DID) is made up of three parts: your wallet address (public key), the assets you own, and the transactions you’re associated with (sent and received).
What makes decentralized identity so interesting is the fact it is blockchain-based. This makes activity a scarce asset. In Web2-land, the cost of creating a new account is often the same as creating a new email address (~2 minutes), making it trivial to spin up accounts to “brigade” and hate on something, and people are often not privy to who is actually behind these accounts.
But in Web3, each wallet needs funds to pay for gas and to obtain memberships, and, critically, the history of its activity is entirely public! This creates a novel way to evaluate online personas, while users still get to control their data.
Certifications can be associated with wallet addresses, artists can identify their true fans via NFT purchases, and financial agencies can leverage online transaction histories to determine the optimal level of credit for lending.
The cost of creating a new identity is not just the cost of creating a new wallet, but also the cost of creating a transaction history.
Reputation accrues to your wallet through the protocols you’ve interacted with and the assets you own. These are hard to fake. As mentioned before, each interaction with the blockchain network has a transaction cost — in terms of fees and time.
This history of financial transactions has been used to determine users’ eligibility to receive token airdrops from various protocols. Compound kicked off DeFi summer with their airdrop, and protocols now have access to a granular history of early adopters and devout believers.
Another example is BANK. The BanklessDAO token, BANK, was distributed to wallets that held a BanklessHQ membership POAP. POAPs and NFTs can be used as portable credentials and certificates of completion. No one can take them away without a serious breach of wallet security. In the future, when people earn a degree, they’ll likely receive an NFT as well.
The protocols you interact with can also tell a story about who you are. Did you participate in ConstitutionDAO? How about Gitcoin? Or maybe you donated some crypto to a COVID relief fund? If you answered “yes” to these questions, it would appear that you’re a charitable giver, but you might be fibbing. On the other hand, if you can sign a message to prove you own the donating wallet address, you can prove these interests and the degree of your enthusiasm.
Proof of Fandom
Fans can choose to buy NFTs from their favorite artists in support of their craft. This creates an on-chain Patreon, where creators can gift special products or services to early fans.
Imagine a promising musician is looking for a way to release an album. The artist might release music on SoundCloud that has a lot of plays and a following on social media, but the income they receive is not enough to fund a studio session. The artist then tells his fans that he’s releasing a commemorative NFT to help launch his next album, and earns enough to make the studio session affordable.
If the album does well and launches the musician’s career, that NFT becomes a valuable collector’s item, potentially making the buyer/holder a profit. The musician also knows the wallet address of this “super fan” and can give them special privileges to shows, merch, or token airdrops.
DID has the potential to open up the data that makes Facebook, Twitter, and other social media sites so powerful: the social graph. The social graph is used to determine one account’s relationship to another, mapping the network effect that makes these social media services “sticky”.
On blockchains like Ethereum and Bitcoin, public transactions show the relationships between wallets openly and transparently. This creates an instant social graph for payments and allows any service to bootstrap their own network, avoiding the “cold start problem”.
Blockchain transactions may also be used to determine your credit risk, enabling under-collateralized lending — a huge catalyst for increasing capital efficiency.
DIDs and Sybil Resistance
Sybil attacks are security exploits that take advantage of an application’s reputation system, or lack thereof, by creating many accounts. Both Bitcoin’s and Ethereum’s consensus protocols are methods of protecting against such attacks. DIDs are a great tool for resisting Sybil attacks as a direct result of the cost of building a reputation associated with that DID’s address.
We’ve mentioned Gitcoin and how having contributed to a Grants round adds to your address’s publicly verifiable level of philanthropy. By GitCoin Grants Round 10 the team had to implement a tiered DID trust system where users stack several crypto-native identity projects together in order to increase the weight of that account’s donation towards the matching pool.
Because of the way the matching curve distributes funds from GitCoin’s matching pool, a project does better receiving many modest donations than fewer, larger ones. That creates an opening for a Sybil attack, since one donor could split a large donation across many accounts. GitCoin’s answer was the tiered trust system, which mitigates this by weighting each account’s donation according to how well its identity is verified.
Currently, there are nine trusted identity applications including Gmail, Twitter, SMS, and Facebook, with the remaining five being crypto-native. Donors can maintain complete anonymity if preferred, but this is the least efficient contribution method.
DIDs are an important tool in solving these sybil and proof of humanity problems, not just for GitCoin, but any application that needs to gate access for similar reasons, or against yet unforeseen exploits. Although your GitCoin account isn’t blockchain-based like your wallet, it is an excellent example of an early stage use case for a DID system. Gitcoin is already trying to further integrate Web3 through the use of applications like ENS — allowing users to verify accounts by linking to an ENS domain.
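To make the incentive concrete, here is an added worked example (not Gitcoin's own code) that scores a project with the textbook quadratic-funding formula, match ∝ (Σ√cᵢ)² − Σcᵢ, and weights each donor identity by a constructed trust tier. The formula, the tier names and the weights are assumptions for illustration; Gitcoin's real multipliers and matching-pool normalisation differ.

```python
"""Quadratic-funding matching and Sybil splitting under per-identity trust weights.

Added illustration for the Gitcoin discussion above; this is NOT Gitcoin's code.
Assumptions (constructed, labelled):
  * a project's match is proportional to (sum_i sqrt(w_i * c_i))^2 - sum_i w_i * c_i,
    the textbook quadratic-funding formula, with c_i the total from donor identity i
    and w_i a trust weight in [0, 1] for that identity;
  * the tier weights below are made-up values, not Gitcoin's real multipliers.
"""
from math import sqrt

# Constructed trust tiers (assumption): how much a donor identity counts toward matching.
TRUST_WEIGHT = {
    "anonymous": 0.0,       # no verified identity behind the account
    "web2": 0.25,           # one Web2-style verification (email, social login)
    "crypto_native": 1.0,   # a stack of crypto-native proofs (BrightID, ENS, POAP ...)
}


def match_score(donations, weights=None):
    """Raw quadratic-funding match for one project.

    donations: iterable of (donor_id, amount); weights: donor_id -> trust weight,
    defaulting to 1.0. Contributions are summed per donor identity first, so a
    single identity gains nothing by splitting its gift; only extra identities do.
    """
    weights = weights or {}
    per_donor = {}
    for donor, amount in donations:
        per_donor[donor] = per_donor.get(donor, 0.0) + amount
    weighted = [weights.get(donor, 1.0) * amt for donor, amt in per_donor.items()]
    return sum(sqrt(x) for x in weighted) ** 2 - sum(weighted)


def sybil_comparison(total=100.0, n_accounts=100):
    """One honest donor giving `total` versus the same total spread across
    `n_accounts` Sybil identities, evaluated under each trust tier."""
    split = [(f"sybil-{i}", total / n_accounts) for i in range(n_accounts)]
    result = {"honest_single_donor": match_score([("donor-1", total)])}
    for tier, w in TRUST_WEIGHT.items():
        result[f"split_{tier}"] = match_score(split, {donor: w for donor, _ in split})
    return result


if __name__ == "__main__":
    for label, match in sybil_comparison().items():
        print(f"{label:24s} match = {match:10.2f}")
```

Under the pure formula a lone donor earns the project no match at all, while the same 100 units split across 100 unverified accounts earns a match of 9900 if every account counts fully. The trust weight is what closes that gap: identities that are cheap to manufacture must carry near-zero weight, and the match only recovers as the identities behind the accounts become costly to fake.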
Emerging DID Systems
ENS, the Ethereum Name Service project, is maybe the most well-known DID protocol to date. Even though ENS is an Ethereum native project, it integrates data from the Bitcoin, Litecoin, and Doge blockchains, associating all those L1 addresses with the same ID. They also have several Web2 integrations such as Discord and Twitter.
Modeled after the domain name system (DNS), a core part of the global web’s digital infrastructure, ENS acts as a very versatile, modular building block for your DID. Having an ENS name not only makes it easier to identify an address; compared to DNS, it is also self-sovereign and permissionless. Represented as a versatile NFT, ENS aggregates all the pieces of who we are in cyberspace.
Proof of Attendance Protocol
The POAP project builds on the Gnosis L2 network and provides a cost effective way for projects and communities to keep track of their users and each user’s commitment to the project. Users receive NFTs to prove their attendance of certain events, adding a new dimension to your DID.
Did you attend ETH Denver? Did you participate in a hackathon? Did you sign up for a Bankless premium membership? POAPs aren’t just for proving each user’s event attendance, they can be used to measure engagement with these events. Bankless Academy issues them at the end of each completed lesson. They have an accurate record of completions, and each user has permissionless proof of participation: no need to come back to Bankless Academy to ask for a reference letter or get the certificate reissued if it’s lost.
Bankless Academy could use similar methods as GitCoin to prevent POAP farmers attempting to gather as many POAPs as possible, but there has to be a more decentralized way to tackle this problem (without resorting to Twitter).
Having an ENS name is one thing, but the cost of being on L1 is high and ENS does not guarantee that each account has a unique owner. No project has provided a full solution yet, but BrightID is trying by constructing a decentralized, crypto-native, social graph specializing in this ‘uniqueness’ problem.
It works by letting other users confirm your humanity while you confirm theirs; the certainty with which BrightID can attest to your uniqueness is directly related to how many confirmations (connections) you have in your social graph. This turns uniqueness into a question of probability.
BrightID has been around for a couple of years, featured on the Bankless Podcast in 2020, and they are one of the five decentralized options GitCoin trusts to verify your account. Their aim is to provide a blockchain-agnostic social graph that proves you are a unique person by mapping your connections (your social graph) to guarantee that you haven’t made multiple accounts.
The Lens Protocol is the newest addition to the DID ecosystem. The developers of the DeFi lending/borrowing protocol, Aave, announced the project in February 2022, and subsequently held their inaugural hackathon.
Lens is built on Polygon and works by tokenizing everything we consider ubiquitous on social networks — likes, follows, shares, profiles — and wraps them all into NFTs.
‘NFT-ifying’ these social capital assets creates new primitives that Web3 can leverage across the ecosystem. This could make it more expensive to buy likes, retweets, or followers.
The hackathon, LFGrow, spawned some proof-of-concepts, one of which enables gated commenting based on the on-chain reputation of the address and encrypted messaging. While it’s still in very early stages, the crypto-native, social capital legos being added to our DIDs can change the way we interact online. Instead of being forced to use walled gardens, we can create and give social capital on a credibly neutral settlement layer.
Graphs of Graphs
DID applications have not had their own bubble, like DeFi and NFTs did, but their time is coming.
Because these protocols are permissionless, they can build upon each other and create value for everyone: the essence of positive-sum games. Twitter and Facebook engagements are not portable. The reputation you accrue on one platform is not immediately valuable on another. But with DIDs, interoperability is enabled by default, and the ownership of your social capital will be under your control.
As new primitives are added to the crypto ecosystem, each adds to the total potential strength of the overall DID system. POAPs can add to the value of your BrightID social graph, and conversely your BrightID reputation could act as a key to acquire gated POAPs. Both could add to the value of your more universal ENS.
Your DID is almost certainly not going to be one protocol, but many, building a social graph of social graphs.
🎣 Phishing School
Authors: d0wnlore and the InfoSec Team
Welcome back to the Phishing School! This week will be a quick run through of two scams that made the news in our Discord in the past week.
NFT Offer Acceptance + RUNE Drain Scam
On April 15th, bDAO member 0xJustice reported being targeted in an OpenSea scam, where all RUNE tokens in his wallet were drained after the attack. This occurred after he accepted a bid offer on OpenSea for an NFT that had been dropped into his wallet. The NFT was part of a fake collection masquerading as another, legitimate project, which made it more difficult to verify whether this particular NFT was a proper airdrop or part of a bid offer exploit campaign.
Accepting the offer triggered interactions with two contracts, one of which had exploited a bug — or feature, depending on who you talk to — in THORChain's RUNE token contract that allowed all RUNE tokens from the wallet to be transferred. This has been a disclosed vulnerability for a while and can theoretically be exploited through other NFT marketplaces.
Assume that all NFT airdrops in your wallet are malicious until proven otherwise, just as you should with random token airdrops. Leave yourself a few days after discovering these NFTs before you take any kind of action on them, especially anything that involves a smart contract interaction.
Get a second, or even a third, opinion on an NFT you just noticed in your wallet before you interact with it. Can anyone you know vouch for the NFT collection? If they heard about it and you asked them to send you a link to the contract or OpenSea collection, would their link be the same as the one you have?
If you still want to interact with the NFT, do a lot of due diligence on the collection before proceeding. Assuming a few days have passed between first discovering the NFT and deciding to act on it, has anything changed in that period? Has there been any negative chatter about the specific collection or smart contract on Twitter or Discord? Are the collection owners getting more pushy and aggressive in marketing the airdrop? These steps just skim the surface, but we hope to have more information on doing due diligence on NFT projects in the future.
The $650K MetaMask + iCloud Phishing Heist
On April 14th an owner of several high-profile NFTs, including Mutant Ape Yacht Club and 100K in APE, reported having their wallet drained. This occurred after they had disclosed their multifactor authentication (MFA) code to an unknown caller claiming to represent Apple and presenting the caller ID “Apple Inc.”.
Allegedly the attacker already had the email/username and password of the reporter's Apple ID account, but needed the MFA code to completely log in. After attempting to log into Apple services as the reporter, the attacker was able to convince the reporter to disclose the MFA code that allowed the attacker to fully access the Apple ID account.
With this access the attacker could retrieve data from the reporter's iCloud storage, where unfortunately MetaMask for iOS kept a backup of the reporter's MetaMask vault, which includes the seed/recovery phrase. This backup is encrypted with the password created when first setting up the vault. It is believed that the password in this case was not strong enough to prevent the attacker from decrypting the backup and accessing the MetaMask vault.
Pay special attention to your “Crown Jewel” online accounts, those that could lead to subsequent attacks on your other accounts and assets. In this case an Apple account is definitely a Crown Jewel. So would be a Google account, an email account that can be used to recover/authenticate other online accounts, or a chat account that can be used to target other users. Use very long, unique passwords for these accounts, and consider using different email addresses or complicated usernames so that they are not easy to guess.
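As an added illustration of why the vault password mattered (this is not MetaMask's code or its backup format): a constructed backup header exposes its salt and KDF iteration count to whoever steals the file, so the only thing standing between the thief and the seed phrase is password entropy multiplied by the KDF's per-guess cost. The attacker guess rate, the iteration counts and the alphabet sizes below are assumed model parameters, not measurements of any real wallet.

```python
"""How a password-protected wallet backup resists offline guessing.

Added illustration for the iCloud/MetaMask incident above; not MetaMask's code and
not its actual backup format. Assumptions (constructed, labelled): the backup stores
a salt, a PBKDF2-HMAC-SHA256 iteration count and a verifier, all readable by whoever
obtains the file, and the attacker can evaluate RAW_HASHES_PER_SECOND PBKDF2
iterations per second. Every number here is a model parameter, not a measurement.
"""
import hashlib
import hmac
import math
import os
from typing import Optional

RAW_HASHES_PER_SECOND = 1e10          # constructed attacker capability (assumption)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Password -> 256-bit key. A thief repeats exactly this step for every guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_backup(password: str, iterations: int, salt: Optional[bytes] = None) -> dict:
    """Constructed backup header: everything except the password is public to the thief."""
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hashlib.sha256(b"verify" + key).digest()}


def check_password(backup: dict, candidate: str) -> bool:
    """Offline check a thief can run: the verifier tells them when a guess is right."""
    key = derive_key(candidate, backup["salt"], backup["iterations"])
    return hmac.compare_digest(hashlib.sha256(b"verify" + key).digest(), backup["verifier"])


def secret_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, iterations: int,
                           hashes_per_second: float = RAW_HASHES_PER_SECOND) -> float:
    """Expected offline time: half the keyspace, each guess costing `iterations` hashes."""
    guesses_per_second = hashes_per_second / iterations
    return (2.0 ** bits / 2.0) / guesses_per_second


def expected_crack_years(bits: float, iterations: int) -> float:
    return expected_crack_seconds(bits, iterations) / SECONDS_PER_YEAR


def compare_policies(iterations: int = 5000) -> dict:
    """Years of expected resistance for a few password shapes at one KDF setting."""
    return {
        "8 digits":             expected_crack_years(secret_bits(10, 8), iterations),
        "8 mixed chars":        expected_crack_years(secret_bits(72, 8), iterations),
        "6 diceware words":     expected_crack_years(secret_bits(7776, 6), iterations),
    }


if __name__ == "__main__":
    backup = make_backup("correct horse battery staple", iterations=5000)
    print("wrong guess accepted?", check_password(backup, "password1"))
    for shape, years in compare_policies().items():
        print(f"{shape:20s} ~{years:12.3g} years")
```

Two things follow for the defender: raising the KDF iteration count multiplies the thief's cost linearly, but password entropy multiplies it exponentially, so a long random passphrase is the control that actually matters; and a backup that never contains the seed phrase (a hardware wallet) removes the target entirely.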
Some iOS mobile wallets will store a backup of your wallet in your iCloud Drive/Storage unless this is explicitly disabled. In the case of MetaMask for iOS, the app does not make it sufficiently clear that iCloud backups are being used. Some other wallets let you enable or disable backups in their UI, while for the rest it has to be done through the Settings app, as explained by MetaMask after this event.
Phone numbers and caller IDs can be spoofed. Some countries have guard rails to make this more difficult, but this is not the case for U.S. phone numbers. Assume that caller IDs are just as representative of the true identity of the caller as a random username on Discord. Beware of any callers with caller IDs that try to appeal to a sense of authority or familiarity: Apple Inc., IRS, CIA, etc.
Never disclose MFA codes to anyone. There are very few times where divulging an MFA code is required, and these are situations where you initiated the request through an official channel — not someone calling or emailing you out of the blue and demanding your MFA code to unlock or investigate your account.
Keep as few assets in a hot wallet as possible. In this situation much of the damage could have been mitigated if most of the NFTs and tokens were stored with a hardware wallet, as MetaMask would not have access to the seed/recovery phrase.
Not a Scam: Vote on InfoSec Team's Season 4 Proposal
Season 4 is upon us and the InfoSec Team is eager to start more initiatives to protect BanklessDAO members and our wider community. We’ve added a bot to help with moderation and removing spammers and bots, in addition to various ways we contributed to security education content since the beginning of the year.
Now we want to double-down on those efforts to make sure our Discord server, its members, and our community stay safe and prepared for the dangers that you’ve just read here and see in the news.
Based on the Grants Committee Spec and the Grants Committee Vacancy Forum post, this Snapshot vote is to elect an applicant to fill the Grants Committee seat recently vacated by Grendel. The Snapshot is live so please vote!
This proposal introduces a specification for BanklessDAO’s Season 4. The specification covers the dates for Season 4, new funding initiatives, guild reporting requirements, and GSE activities. If this proposal passes Snapshot, the specs outlined will fall into place. You can read the full specification here.
Proposals in Discussion
The Project Management Working Group proposes to found a Project Management Guild (PM Guild) within BanklessDAO. The mission of the Guild will be to become the Mecca of Web3 project management by providing project management education, talent, and thought leadership.
This proposal seeks funding to create an educational website focused on creative use-cases of blockchain for fellow students at Ryerson University’s Creative School. The website’s MVP is completed (for desktop only) and published. This funding will cover the work that has been done so far, as well as the steps that still need completing to further our mission of educating people about Web3.
✅ Action Items
📖 Action: Research Guild AMA tomorrow with Beanstalk and mint your FC Red Glove
🙏 Thanks to Our Sponsor
CitaDAO is a decentralized finance (DeFi) platform, allowing real estate to be tokenized on chain. The ERC-20 tokens will be composable with other DeFi applications and primitives that operate within the Ethereum protocol, creating an ecosystem for real estate in the DeFi ecosystem.
👉 Follow us on Twitter
👉 Join us on Discord