[AIP-37] Adopt Chainalysis’ Proactive Incident Response


Christopher A. (@CryptosBestMustache on TG) and Liz N. (@lizzie.nell on TG)


This is a proposal to adopt Chainalysis’ Proactive Incident Response (“Proactive CIR”) to protect Aura in the event of a hack or exploit.


Hackers are stealing more cryptocurrency from DeFi platforms than ever before. DeFi protocols as victims accounted for 82% of all stolen crypto in 2022 — a total of $3.1 billion — and we’re seeing this trend continue in 2023. As such, securing incident response coverage has become a top priority and Chainalysis is the leading crypto asset recovery solution. To date, Chainalysis has aided in the recovery of over $11B in stolen funds through our own investigations and others we supported. I’ve linked some customer references and supporting data below, if you want to read further.*

Proactive CIR is a rapid-response retainer service. In procuring it, Aura would have Chainalysis’ world-class, global team of professional investigators and cybersecurity experts on standby 24/7 in the event of a hack or exploit, ready to respond immediately. Key benefits include:

  • Deter Hacks. The best outcome is you never get hacked. CIR helps deter hackers by letting them know a leading global crypto investigative team is on your side.
  • Reaction Time. Investigative response time is the most critical vector to asset recovery. Having a proactive solution in place decreases the time to respond and increases the likelihood of success.
  • Guaranteed Support. Contracting with Chainalysis after a hack occurs is considerably more expensive, slower, and we cannot guarantee the team will have the bandwidth to take on the case. Purchasing Proactive CIR solves these problems - plus you benefit from being in the Chainalysis network via education, threat intel, and more.
  • Technical Skills. The ability to trace funds through various types of complex platforms is a crucial part of the CIR offering. This applies to identified mixer platforms but also unidentified mixers and new bridging protocols between blockchains.
  • Network. Chainalysis has a huge customer base and, with it, a sizable network with personal connections to almost all significant exchanges and services in the crypto space. Also, our strong relationship with Law Enforcement Agencies around the world makes us very efficient in engaging the relevant authorities when needed.

Customer References and Supporting Data

  • Blog post on the Axie Infinity Hack & Successful Asset Recovery: “With the help of law enforcement and leading organizations in the cryptocurrency industry, more than $30 million worth of cryptocurrency stolen by North Korean-linked hackers has been seized.”
  • Twitter Post from Morpho: “Morpho Labs has partnered up with Chainalysis to strengthen the Incident Response Plan for Morpho protocol!”
  • More below - please see Replies/Comments


Procuring Proactive CIR costs up to $30,000 for 12 months of coverage (paid upfront). This includes up to 100 hours of investigative work and support for any hacks or incidents that occur in the covered 12 month period. Approval of this AIP shall begin the onboarding process for CIR, and transfer of payment for 12 months of coverage.


This vote will be a single-choice vote. You may vote “For” or “Against” this proposal, or choose to abstain from the vote. By voting “For” this proposal, you are voting in favor of adopting CIR.


Additional Customer References and Supporting Data - P1

  • Twitter Post from Algorand: “We have engaged Chainalysis to help trace compromised wallet transfers and freeze funds if they are deposited in an exchange that integrates with and acts upon Chainalysis data.”
  • Abracadabra governance proposal: “Can’t go wrong with more security!! Awesome RFC”
1 Like

Additional Customer References and Supporting Data - P2


Additional Customer References and Supporting Data - P3


I support this proposal.

After deep diving in Chainalysis CIR and customer references/feedbacks, I think this going to improve the security bar for Aura protocol.

Indeed, having a guaranteed and prompt support on-the-line during emergency can help a lot on mitigating impacts.


Welcome to the forum–looking forward to working w/ you!


Ehy, gm.

Wanted to ask a few questions on your services:

  • do you provide monitoring and alerting services for key infrastructures in this deal? I am on the righful assumption that Aura already has that in place, but having them integrated in the security services is for sure not only good for redundancy, but also more efficient. Please, obviously answer this without disclosing any sensitive information
  • do you guarantee prompt communication with the Aura team? In a corporate world, I would ask for a communication framework and escalation procedures, which probably does not apply here too much, but still, idea is that you are able to promptly communicate, with haste and in a clear way, what is going on with the affected parties.
  • do you, in case of a cyber incident, also support Aura protocol on the communication side of things? One of the biggest problem when there is an “hack”, is the reputational damage, which can be partially mitigated with proper communication, which require tho knowing what you are doing of course and have a lot of previous experience not only in managing the incident, but also managing how you give info to stakeholders. Do you have this expertise in your team?


1 Like

Good morning jojo - great questions!

  • Currently, we do not provide continuous monitoring and alerting services as part of Proactive CIR, though we can recommend you to partners of ours that offer these services if this is of interest as a complimentary security measure.
  • Yes we do! We have SLAs to guarantee response time in the event of a hack - the official time for Chainalysis to begin working post-hack is no more than 8 hours but in the (unfortunately) dozens of incidents I’ve worked on, our team is typically engaged and working within minutes. We have a large, global team of investigators so we provide 24/7 coverage. Typically, post-hack, we’ll set up a TG “war room” to manage all ongoing communication, but we can accommodate whatever works best for the Aura team.
  • Yes we do! We’ll help with both sensitive, non-public communications (liaising with law enforcement agencies, exchanges, etc.) as well as external communications, so you can send a strong message of confidence to the community that Chainalysis is on the case and provide fast, informative updates to minimize any reputational damage or further fall-out from the incident. I completely agree with your assessment here- how protocols respond to a hack is critically important and being able to send a fast, strong message that you’re on top of the situation, working with the leading investigative team in the industry, and already making process is highly impactful. On a related note, we can also work with your marketing/comms team upfront to broadcast the Aura-Chainalysis partnership through cross-promotion on social media, which serves as a strong deterrent to any would be hacker - kind of like the ADT sticker in the window. They know our reputation and it removes the financial incentive from a potential hack or exploit.

Happy to dig deeper if helpful or follow-up if you have any additional q’s! Thank you!


I whole heartedly support this. With the TVL and reputation Aura has, this is common sense.

No sense in scrambling if shit were to ever hit the fan. Thank you for for pushing this forward Jay, and thank you to the Chain team for the work you’ve done on this so far.


Thank you for the answers! I am reading what i would want read, in the language i would want to read, from someone used to incident response. All good on my side, and good proposal.



1 Like