[Temperature Check] Implement Chainalysis Crypto Incident Response Plan for Aura Smart Contracts

Summary

This is a proposal to adopt Chainalysis Incident Response to protect Aura Finance in the event of a hack or exploit. After a hack commences, investigative response time is the most critical vector to asset recovery. Chainalysis Incident Response (CIR), the leading crypto asset recovery solution, is an important security measure to have in place to protect Aura in the event of a hack. It also serves as a strong deterrent to help minimize the risk of a hack in the first place.

We have over $500 million TVL, # 22 on DeFillama TVL. It’s fhoulish to think hackers have not considered targeting Aura.

Some content below curated after reviewing the Abracadabra & Morpho partnership with Chainalysis.

Customer Stories / Customer References:

• Blog post on the Axie Infinity Hack & Successful Asset Recovery : “$30 Million Seized: How the Crypto Community Is Making It Difficult for North Korean Hackers To Profit”
• Twitter Post from Morpho : “Morpho Labs has partnered up with Chainalysis to strengthen the Incident Response Plan for Morpho protocol!”

Main Objective

Context: Hackers are stealing more cryptocurrency from DeFi platforms than ever before. In last year’s “Crypto Crime Report,” Chainalysis detailed how DeFi protocols in 2021 became the primary target of crypto hackers. That trend intensified in 2022 and is expected to continue. By the numbers, 2022 was the biggest year ever for crypto hacking, with $3.8B stolen, primarily from DeFi protocols and by North Korea-linked attackers. DeFi protocols as victims accounted for 82.1% of all cryptocurrency stolen by hackers in 2022 — a total of $3.1 billion — up from 73.3% in 2021. As a result, it has become a top priority for DeFi projects to have protection in place above smart contract audits.

Motivation: Response time is one of the most important factors in successful asset recovery as a fast response significantly increases the opportunity to control and recover funds before they are gone (sent to a fiat off-ramp, moved to a sanctioned exchange, etc.) By procuring Chainalysis CIR, Aura would have Chainalysis’ world-class team of professional investigators, cybersecurity experts, and data engineers on standby in the event of a hack or exploit, ready to respond immediately and thus increasing the likelihood of recovering funds. To date, Chainalysis has aided in the recovery of over $11B in stolen funds through our own investigations and others we supported.

Further, Chainalysis’ reputation is known across the world. By implementing CIR and broadcasting your Chainalysis partnership like Morpho did in the tweet above, we are creating a strong deterrent. Hackers know that even if they do exploit the protocol, they won’t be able to easily profit from the stolen funds, thus diminishing their financial incentive to attack.

Proposal

Aura Finance should implement a multi-year CIR protection plan, which delivers a number of benefits to the community:

• A multi-year plan is a commitment to cybersecurity and consumer protections. It sends a strong message to the Aura Finance community and beyond and is well-aligned to Aura’s longer-term security objectives.

Benefit Recap

• Deter Hacks: The best outcome is you never get hacked. CIR helps deter hackers by letting them know a leading global crypto investigative team is on your side.
• Project your Community, Boost your Brand: By adopting CIR, we can show the community (and the broader DeFi community) that we are taking serious action when it comes to cybersecurity and consumer protections, thus improving your brand reputation and differentiating yourself in the market.
• Partner with the Best: With CIR, Aura can tap into Chainalysis’ expertise for complex blockchain analysis and investigations. The CIR team is ready to respond to cybersecurity breaches, ransomware attacks, recovery of stolen cryptocurrency, and perform other analyses involving blockchain data. The team consists of respected professional investigators, cybersecurity experts, and data engineers.
• Reaction Time: Having a proactive solution in place decreases the time to respond and increases the likelihood of asset freezing and recovery by the customer or law enforcement should the worst happen.
• Technical Skills: The ability to trace funds through various types of complex platforms is a crucial part of the CIR incident response and the ability of our customers to recover funds successfully. This applies to identified mixer platforms but also unidentified mixers and new bridging protocols between blockchains.
• Network: Chainalysis has a huge customer base and, with it, a sizable network with personal connections to almost all significant exchanges and services in the crypto space. Also, their strong relationship with Law Enforcement Agencies around the world makes them very efficient in engaging the relevant entities when needed.
• ROI: In over 80% of all cases where an incident has occurred, Chainalysis investigators have been able to give our customers valuable information that leads to recovery of more than what their CIR fee was. This demonstrates a great return on investment for CIR customers.

Considerations/Risks

There is a significant risk of not adopting a proactive asset recovery plan (that is, not having a plan in place before an attack). Waiting until after a hack occurs to partner with Chainalysis will create a significant delay in their ability to act, as it takes time to go through the approval and contracting process. As mentioned above, time is of the essence in a hack, and any delays reduce the chance of recovery.

Welcome to the forum, brother.

1. What is the cost of this service?

2. You mention that it would be ideal to have “protection in place.” Can you also provide some examples where Chainalysis was able to prevent a hack, or what type of protection services do you have in mind?

Thank you for the welcome.

It appears that the Abracadabra team paid $100k for multiple years of coverage.

I do not believe Chainalysis can prevent a hack from occurring.

I view this more as i) a way to deter exploiters ii) insurance that should an exploit happen we know we have a capable & well connected organization able to assist instantly.

do I understand it correctly that the $100k payment is only for a “priority” for chainalysis to act after a possible hack?

Perhaps I am misunderstanding your question Jeffrey?

But if I am understanding correctly - no, if we become a Chainalysis CIR customer, should funds be stolen from the protocol, Chainalysis will act. The $100k quote was for Abracadabra, I am uncertain how much a quote for us would/could deviate.

***Forgot to include this piece in the original post ***

Voting
For: Action taken if this proposal is accepted.
Against: Action taken if this proposal is rejected.

in principle it is a good idea, but the price tag needs justification as it is not even clear what the payment from Abracadabra counts for? Furthermore, don’t think it should be put up for vote if detailed information is lacking (such as price tag, service agreement, etc.)

Hey @Jeffrey,

Chris here from Chainalysis. I am the point of contact that the team at Abracadabra works with and can help answer your’s (or anyone else’s question) here.I would recommend setting up a call to discuss the CIR product more - we can dig into what is offered/the service agreement, the pricing, etc. The information provided to Abra was done so in a way to meet their governance proposal requirements and process, so what you’re seeing is just one part of that. I would certainly ensure that you and the Aura community have all of the information you need to make a confident and informed decision if you also want to consider adopting CIR.To briefly touch on a few key benefits and why we believe it’s very cost-effective;

1. In the instance of a hack, the most critical vector for success in tracing and potentially recovering funds is time. Without a proactive plan/contract in place, if a hack occurs, there is a significant delay before our investigative team can begin to conduct their due diligence and get to work. Having a proactive crypto incident response plan in place helps lessen the time it takes for our team to begin working, increasing the likelihood of successful asset freezing and recovery.
2. As @basedfhoul mentioned, proactive CIR acts as a deterrent and insurance policy for your platform. Having a proactive plan in place emphasizes that Aura has the best crypto investigative team in its corner, ready to react at a moment’s notice, lessening the financial incentive for a hack in the first place.
3. The price for a proactive contract is significantly less than the price of a reactive contract. Since more time will pass before our investigative team can begin their due diligence process, more resources will be needed on our side to trace to the point where the actor is holding their funds (this could be tracing through a mixer, jumping between bridges, and different chains, etc.) With a plan in place, our investigative team will be able to follow the flow of funds in real-time.

Thanks in advance, and please don’t hesitate to reach out with more questions! Hopefully, we can talk live soon.

hi all, oxjayc here, aura contributor

thanks for bringing up the proposal @basedfhoul

aura cares a lot about security and already have in place mechanisms e.g. IRPs

would love to get in touch @CArnone and setup a call. feel free to reach out in dm over tg at OxJayC

Hey @oxjayc, I just tried to send you a message on tg, but it won’t let me due to restrictions. My tg is @CryptosBestMustache

Chainalysis team made a new proposal here that superseded this