The Key to Security in DAOs | BanklessDAO Weekly Rollup
Catch Up With What Happened This Week in BanklessDAO
Dear Bankless Nation 🏴,
We continue to expand our community as we create pathways to a more open and accessible financial system. We have secured partnerships and explored innovative ways to promote financial sovereignty, with many more initiatives to come. Nonetheless, there will be times when it feels difficult, times when the editorial from last week’s Rollup is worth revisiting for its tips on finding a balance.
For this week’s editorial, Quilla interviewed BanklessDAO’s InfoSec Team Coordinator, BogDrakonov. The resulting article highlights how the team maintains cybersecurity measures within the bDAO ecosystem and provides guidance on information security matters for web3 and web2.
BanklessDAO is participating in the latest Gitcoin Grants Beta Round. Bankless Africa, Bankless Academy, Bankless Publishing, IMN, Newsletter project, and Governator are represented. Please consider supporting your favorite BanklessDAO project by donating.
Hurray!! It’s our favorite time of the year soon: BanklessDAO’s 2nd anniversary falls on May 4. The plan is to vibe and celebrate our first two years of building, growth, and esprit de corps with a Twitter Spaces to be held on Friday, May 5 at 16:00 UTC. At this week’s Community Call, Icedcool and perchy unveiled the BanklessDAO Genesis NFT — an open edition NFT created to celebrate the genesis of the DAO and the people who built it. You can mint it at 0.015 ETH for one week only.
The Community Call roundtable discussion was an appreciation session, during which bDAO members gave thanks for the immense contributions made by their peers. Accolades were showered on teams and team members within the DAO. The spirit was indeed high, and it was an encouragement for us all to keep putting in our best effort as it doesn’t go unnoticed.
The final week of Season 7 is upon us. As always, thanks for sticking around, and let’s keep bDAO strong!
Contributors: Quilia, Chameleon, Jaux, Warrior, anointingthompson1.eth, Boluwatife, KingIBK, Paulito, Allyn Bryce, WinVerse, theconfusedcoin, siddhearta, Trewkat, HiroKennelly
This is an official newsletter of BanklessDAO.
✅ Action Items
🎉 Celebrate the DAO’s second birthday in Twitter Spaces on May 5 at 16:00 UTC.
📥 Donate in the Gitcoin Grants Beta Round to help bDAO projects.
🗳️ Vote in the Grants Committee election on Snapshot.
🏃♀️ Catch up: Review this week's Community Call notes or listen to the recording.
🏛 Governance
Snapshot Votes
🗳️ Grants Committee Election for S8 and S9
Elections for the five seats available on the Grants Committee for Season 8 are happening now. You can vote for one or more preferred candidates and the proportion of BANK for the weighted vote will adjust automatically.
⏳ bDIP-09: Level Update to Include tlBANK
This bDIP proposes to add language to the Constitution confirming that the DAO recognizes tlBANK as “a component of L1 membership, and a core primitive of bDAO”.
If ratified, the planned next step is to modify Collab.Land configuration for tlBANK to be verified as the Level 1 membership role in Discord.
Proposals in Discussion
🎱 Second Draft of the Season 8 Specification
As we approach the end of Season 7 and many of us look forward to the scheduled Gap Week (May 8-14), it’s a good time to review the draft specification for Season 8 so that any feedback can be addressed before it is moved to a Snapshot vote.
Key dates are:
Season 8: Mon, May 15 - Sun, August 27 (15 weeks)
Gap Week: Mon, August 28 - Sun, September 3 (1 week)
🙅🏽 BanklessDAO Incident Report: Governance Sybil Attack
Following the Sybil attack on the Forum by a member of the DAO, there is a need to reach consensus on the next steps to address this issue. For information about this case, check the Forum post. Take a packed lunch.
The Key to Security in DAOs
Author: Quilia
Like any organization, DAOs are subject to cybersecurity threats that might jeopardize their integrity, security, and operation. This article highlights the relevance of cybersecurity in DAOs and, through an interview with BanklessDAO’s InfoSec Team Coordinator, BogDrakonov, provides further insight into how the team maintains cybersecurity measures inside our buzzing ecosystem.
BanklessDAO's InfoSec team is made up of experts (blockchain engineers, coordinators, technical developers) who are responsible for maintaining the security of the DAO's digital assets and information, such as the Discord and Forum, by adopting best practices in cybersecurity, risk management, and information security. The team performs frequent security audits to identify vulnerabilities in the DAO's systems and infrastructure, creates security rules, monitors for malicious member activity within the DAO, and responds to security threats in real time. The team is also planning to deliver education sessions — a major project to look out for in Season 8.
One of the most important components of cybersecurity in DAOs is ensuring the integrity of the blockchain network. Blockchain technology is immutable, which means that once data is stored on the blockchain, it cannot be changed or erased. Many DAOs implement smart contracts — self-executing agreements that operate on the blockchain — to manage token distribution, voting, or other transactions. Smart contracts are designed and maintained by developers, which means it’s always possible they may have flaws that malicious individuals can exploit. This necessitates extensive security assessments of the smart contracts used in DAOs to discover and repair any possible flaws before they are implemented.
BanklessDAO's InfoSec team lead and a web3 security consultant, BogDrakonov, was asked in a text interview whether DAOs’ self-executing computer programs are fail-proof. He highlights the ever-present risk in balancing human input against code:
I think that ultimately DAOs rely on humans executing the actions approved via services like snapshot.org, so as long as a DAO's administration respects the votes of the people then the current system is fine. However, since most decisions and actions are not something that can be executed entirely in code (i.e. you can't code a smart contract to determine what announcements go out on a podcast), then ultimately we end up with a sophisticated voting system. I do think that the voting portion of the DAO model is pretty good and can be done fairly based on the smart contract design and the token distribution; however, any system that ultimately boils down to some leader following the will of the people will always suffer the same risks.
A key part of the BanklessDAO community’s cybersecurity is protecting the multisig wallets that manage the organization's treasury and assets. To avoid unwanted access and theft, the private keys that give access to these wallets must be kept safe. To safeguard private keys from cyber attacks, the team encourages multisig participants to hold private keys in secure offline storage such as a hardware wallet and to maintain a vigilant approach to all transactions, whether they be DAO related or of a personal nature.
Verified Level 1 Members (those who hold 35k BANK governance tokens) of BanklessDAO are typically provided full access to all Discord channels and the opportunity to self-nominate for positions such as a Grants Committee member. This does not exclude non-verified members from participating in discussion and decision-making processes, but the team manages various bots that are quick to identify shilling or potentially deceptive behaviors.
BogDrakonov noted that:
Discord settings require anyone with a role that has moderation permissions to have 2FA enabled. Some of our moderation is done via a bot named Wick, so it's possible a role that is permitted to use Wick is not a moderator according to Discord settings. That's unlikely though due to our current configuration. Wick also has an "anti-nuke" system to revert changes of a moderator behaving abnormally. Privacy-enhanced blockchains are definitely a good thing to consider as long as DAO members can still verify the data themselves.
The InfoSec team also, for security reasons, restricts non-verified members' access to particular channels or topics that are deemed sensitive or exclusive to verified members only. The DAO promotes open and collaborative decision-making processes while simultaneously emphasizing the security of its operations by taking a cautious approach to information management.
The InfoSec Coordinator explained that:
In terms of BanklessDAO only a small number of people are doxxed to the admins. Typically [that’s] anyone who has access to manage our most critical web2 infrastructure (such as the registration of the bankless.community domain, or the Google Workspace accounts a handful of DAO members have). We aim to avoid mandating any doxxing, however some people choose not to be anonymous, and others do not put much effort into it [anonymity] beyond just picking an alias and running with it casually. As for the decision making process, DAOs are for everyone. All members, doxxed and anon, have the right to participate in DAO governance via voting booth in polling systems, and via snapshot with their DAO's token. Even in government, we vote anonymously in order to protect the integrity of the vote. A DAO should encourage anonymous voting.
This community's Forum platform was recently hit by a Sybil attack that was swiftly detected by the InfoSec team. Further investigation revealed that the culprit was an active and long-standing member of the DAO, holding important roles within the organization.
Following the discovery of unusual behavior on the Forum, an incident report team was established to investigate the matter. The InfoSec team discovered multiple fake comments and 'no' votes on various proposals from supposedly new Forum users who shared similar email addresses, voting patterns, and IP addresses. It was quickly evident even to the casual observer that these were not legitimate accounts, but it’s thanks to the InfoSec Team that the proof is available.
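The detection described above, linking supposedly separate Forum accounts through shared e-mail addresses, shared IP addresses and identical voting patterns, as an added example in Python. This is not the InfoSec team's tooling and does not reflect how Discourse stores data; every account, e-mail address and IP below is constructed for illustration (the IPs come from documentation ranges). Accounts are joined into a cluster only when they share a normalized e-mail address or an IP; an identical voting pattern is reported as a corroborating signal rather than a link on its own, since honest members agree with each other all the time.

```python
"""Constructed example: cluster forum accounts that share identity signals
into suspected Sybil groups. All data here is made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

Vote = Tuple[str, str]  # (proposal_id, choice)


@dataclass(frozen=True)
class ForumAccount:
    username: str
    email: str
    ip: str
    votes: Tuple[Vote, ...]


def normalize_email(email: str) -> str:
    """Collapse plus-tags and, for Gmail, dots in the local part so alias
    variants of one mailbox compare equal: 'a.b+1@gmail.com' -> 'ab@gmail.com'."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def vote_signature(votes: Iterable[Vote]) -> Tuple[Vote, ...]:
    """Order-independent fingerprint of how an account voted."""
    return tuple(sorted(votes))


class UnionFind:
    """Minimal disjoint-set structure for grouping linked usernames."""

    def __init__(self, items: Iterable[str]) -> None:
        self.parent: Dict[str, str] = {i: i for i in items}

    def find(self, x: str) -> str:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def find_sybil_clusters(accounts: List[ForumAccount], min_size: int = 2) -> List[dict]:
    """Return clusters of at least `min_size` accounts linked by a shared
    normalized e-mail or a shared IP, with the signals observed in each."""
    uf = UnionFind(a.username for a in accounts)
    by_email, by_ip = defaultdict(list), defaultdict(list)
    for a in accounts:
        by_email[normalize_email(a.email)].append(a.username)
        by_ip[a.ip].append(a.username)
    for index in (by_email, by_ip):  # link every account sharing a key
        for names in index.values():
            for other in names[1:]:
                uf.union(names[0], other)

    groups = defaultdict(list)
    for a in accounts:
        groups[uf.find(a.username)].append(a)

    clusters = []
    for members in groups.values():
        if len(members) < min_size:
            continue
        signals = []
        if len({normalize_email(m.email) for m in members}) < len(members):
            signals.append("shared_email")
        if len({m.ip for m in members}) < len(members):
            signals.append("shared_ip")
        if len({vote_signature(m.votes) for m in members}) == 1:
            signals.append("identical_votes")
        clusters.append({"accounts": sorted(m.username for m in members),
                         "signals": signals})
    return sorted(clusters, key=lambda c: c["accounts"])


# Constructed sample: two ordinary members plus three fresh accounts that
# share a mailbox (alias variants) and, for two of them, a source IP.
SAMPLE_ACCOUNTS = [
    ForumAccount("alice", "alice@example.org", "198.51.100.4",
                 (("prop-1", "yes"), ("prop-2", "yes"))),
    ForumAccount("bob", "bob@example.net", "198.51.100.9",
                 (("prop-1", "no"), ("prop-2", "yes"))),
    ForumAccount("newuser01", "voter+01@gmail.com", "203.0.113.7",
                 (("prop-1", "no"), ("prop-2", "no"))),
    ForumAccount("newuser02", "voter+02@gmail.com", "203.0.113.7",
                 (("prop-2", "no"), ("prop-1", "no"))),
    ForumAccount("newuser03", "vo.ter@gmail.com", "203.0.113.8",
                 (("prop-1", "no"), ("prop-2", "no"))),
]

if __name__ == "__main__":
    for cluster in find_sybil_clusters(SAMPLE_ACCOUNTS):
        print(cluster)
```

On the sample data the three new accounts fall into one cluster flagged with all three signals, while alice and bob, who disagree with each other and share nothing, are not reported. In practice the e-mail and IP indexes would be fed from the forum's user table and the voting signature from the poll records, and a cluster would be a lead for a moderator to review rather than an automatic ban.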
Thanks to the InfoSec team's vigilance, the issue was quickly addressed, with all necessary backups and safety measures put in place to prevent the attack from escalating. However, these events have highlighted the vulnerability of essential tools used by the DAO, such as Coordinape and the Discourse Forum. While previous incursions were only surface-level disruptions, this latest attempt aimed to undermine the DAO's governance system and challenge the security of its voting model.
Mitigations will happen, and right now vigilance will keep an eye on anyone attempting this again — BogDrakonov
In response to a question about members holding larger amounts of the DAO’s token, which may make voting in the system asymmetrical, BogDrakonov said:
That's true. One of the big economic issues of DAOs that I've seen (of which I am not an expert) is that the incentive to sell the token you are paid means you have to choose to sell your voting power to make money (or pay taxes on those earnings) or you hoard your voting power and never make money. DAOs should find a way to provide both a stable coin for payment and a voting token for voting, however DAOs without a revenue stream will have a difficult time doing this. Tokenomics of the DAO would be the defence measure here. Fair distribution of the immediate release, and making sure that one user isn't collecting too much. It’ll be pretty obvious if a DAO starts off on the wrong foot with this.
Education and awareness are also necessary for guaranteeing DAO cybersecurity. DAO members should understand best practices for creating secure passwords, spotting phishing attempts, and protecting their private keys and wallets. The InfoSec team's Discord channel called infosec-knowledge-drop plays an important role in fostering a culture of security awareness and best practices throughout the DAO, and questions are always welcome in infosec-general. The team strives to educate DAO members on the most recent security threats, vulnerabilities, and attack vectors that they may face in the ecosystem, and actions to mitigate them.
As we ease into the web3 era, it is of utmost importance to be vigilant about the risks associated with new technology and relatively low regulatory controls. DAOs must prioritize cybersecurity measures to preserve the integrity of the blockchain network, secure their digital assets, control access and permissions, and quickly identify and respond to cybersecurity issues.
To check out the InfoSec team and learn more about keeping your assets safe on and off chain, join the team here.
👀 In Case You Missed It
📺 Weekly Rollup Recap With Allyn Bryce
Allyn’s fun and fast recap of last week’s Rollup is a wonderful reminder that to thrive in web3, we must prioritize our mental health, and that includes having a laugh whenever we can. Watch until the end for the blooper 😄.
You can find all the previous episodes on the BanklessDAO YouTube Channel.
🗳️ Gitcoin Grants Beta Round
The Gitcoin Grants Beta Round is live, and BanklessDAO has several projects participating in the Web3 Community and Education round: Bankless Africa, Bankless Academy, IMN, Bankless Publishing and the Newsletters. You can also find the Governator project in the Web3 Open Source Software Round. Your support is appreciated; remember every donation helps to grow the overall amount received!
🎯 DAO Next Season Goals Survey
The Governance Department is running the DAO Next Season Goals Survey, and aims to collect valuable opinions and insights from our community to help shape and prioritize the objectives for the upcoming season. Your input is essential for our continued success and growth as a DAO.
⛴️ BanklessDAO Content
🌍 Bankless Africa Podcasts
✍️ Bankless Publishing
🗞 The Rug Newsletter
🗓 Set A Reminder
🎉 Happy Birthday BanklessDAO!
We need speakers for BanklessDAO's 2nd Birthday Celebration, which will happen on Twitter Spaces on Friday, May 5, 2023 at 16:00 UTC. On this special day we will be looking to highlight BanklessDAO Projects and Birthday Gifts (songs, art, poems) to the DAO.
If you would like to be a speaker on behalf of a project or have a gift for BanklessDAO, please drop a message in BanklessDAO's 2nd Birthday thread (in Marketing Department) or reach out to our Event Coordinator Tundeeey Turner before May 1, 2023 at 23:59 UTC to be added to the agenda.
🗳️ How To Governator
Governator aims to streamline the voting process for DAO members. With Governator, users can create shielded, role- or token-gated polls in Discord or vote with on-chain balances in a single click. The tool tallies, calculates, and announces the outcome for everyone transparently, which helps to build trust within the community.
Join the Education Department on Tuesday, May 2 at 13:45 UTC in the watercooler voice channel.
👏 How To Coordinape
Coordinape is a platform that enables peers in the DAO to reward each other for their contributions. Join the Education Department on Wednesday, May 3 at 13:45 UTC in the watercooler voice channel to learn the basics of Coordinape. To set a reminder, RSVP to the event.
Check the async learning resource here.
💰 How To ThriveCoin
ThriveCoin exists to help web3 communities recognize and increase contributions, reward those contributions with crypto, and auto-validate them with receipt on-chain. Learn more about ThriveCoin with the Education Department on Thursday, May 4 at 13:45 UTC in the watercooler voice channel. To set a reminder, RSVP to the event.
♾️ Fortephy Demo
Fortephy is an AI-enabled smart contract auditor — think Grammarly for blockchain developers — which identifies and remediates security vulnerabilities in smart contracts.
To learn more about Fortephy, join this demo in the Amphitheater on Wednesday, May 3 at 18:30 UTC.
🎁 Native Demo
Native is a network of programmable, project-owned decentralized exchanges. Native is crypto’s invisible DEX layer, whereby each DEX is owned by an individual project and embedded into that project’s UI, with access to liquidity across the entire network.
To learn more about Native, join this demo in the Amphitheater on Wednesday, May 3 at 19:15 UTC.
🍔 Grab It While It’s Hot
🎉 BanklessDAO Genesis NFT
Surprise! Thirty percent of the funds from this sale will go to the BanklessDAO treasury, and the rest will go to the artist, perchy.
Description: This commemorative NFT represents the genesis of BanklessDAO.
The chippi depicted in this piece represent those people who were here in the very early days, to celebrate their hard work and dedication over the last two years.
Cost: 0.015 ETH
Open Edition — open now, until May 5, 2023.
🧑🏽🎨 d’Art Drops
These weekly art drops are done in collaboration with up-and-coming NFT artists, for the Bankless community, presented by Decentralized Arts.
Title: Rugstradamus Lithograph (2/4)
Artist: The Rug
Description: In this second lithograph of the inimitable personage known as Rugstradamus, we hear the echoes of a Rockefellerian decree; anachronistic no doubt, coming many centuries prior. The use of .jpg before the invention of the internet is particularly fascinating to scholars interpreting his work.
Cost: 0.02 ETH
Editions: 100
🚙 Phi Goes Bankless
PhiLand, a web3 social world built on top of ENS domains, just launched new quests for BanklessDAO members. Check this tweet to find out if you are eligible to undertake this quest!
🤣 Meme of the Week
We’ve got this, bDAO (xo).