Introducing Nascent Security
Security
14.11.23
The fundamental promise of cryptocurrency is an open financial system - accessible to all and governed strictly by code, cryptography, and incentives. This promise is likely why many of you reading this are still here through thick and thin.
An unfortunate consequence of the immutability that enables this new system is the dramatically increased impact of hacks and exploits. Despite commendable efforts from the community and vast improvements, let’s be blunt: the frequency and severity of security incidents are several orders of magnitude too high for DeFi’s promise to be actualized.
Nearly $4,000,000,000 was lost to hacks in 2022; around 82% of that was stolen from DeFi protocols (source). This doesn’t include any FTX or Terra activity, either. For perspective, that’s the entire market cap of UNI, stolen from users every single year. Security is the lynchpin that holds this grand vision together, and yet it's also the weakest link in our current ecosystem.
This is not a problem that can be delegated to the fringes of our community, to be handled by a small subset of white-hat hackers and auditors. This is a problem that demands open solutions, strategic foresight, and heavy investment.
We’re well aware of this at Nascent. We’ve done our share of writing about security, and built open tooling like the Simple Security Toolkit and Pyrometer for all to use. We firmly believe that maximizing both returns and impact requires the ability to invest more than just capital.
With this in mind, we’re thrilled to formally announce the creation of Nascent Security.
Currently a team of three dedicated security researchers, @nascentsecurity’s raison d’être is simple:
- Thesis: Long term, the #1 barrier to wider DeFi adoption is security
- Goal: Reduce the severity and frequency of security incidents by at least two orders of magnitude
We’ll be focusing our security efforts on four key areas:
- Building open source tooling and templates
- Creating content encouraging security principles and best practices
- Participating openly in community security activities
- Pushing our portfolio companies to become security leaders in their own right
The team is currently comprised of three security researchers: @popu1ar, @plotchy, and @igor.
—
As our team’s first official contribution, today we’re releasing our Incident Response Playbook in coordination with the Security Alliance, the group behind the SEAL911 initiative. This playbook is geared towards protocols and will be the first of many helpful installations in the SEAL Crisis Handbook.
This guide/template addresses an area that we’ve observed to be sorely lacking in web3 security: managing the logistical elements of incidents in the heat of the moment.
- “Who should have access to the war room?”
- “Where are the attacker addresses/transactions?”
- “How should communications with users be handled?”
- “We don’t have the security expertise in-house to handle this attack! Who can we contact?”
As we unveil this first Incident Response Playbook, we're driven by a shared commitment to bolstering online security. We believe that the community can benefit immensely from future Security Alliance guides that delve into critical areas such as wallet compromises and phishing.
The best results, though, often emerge from collaborative efforts. That's why we extend an open invitation to individuals and organizations who share our passion for cybersecurity to reach out and explore collaborative opportunities.
Together with the wider security alliance, we can transform these ideas into comprehensive resources that empower everyone to navigate the digital landscape safely and confidently. Your expertise, insights, and ideas are invaluable in this endeavor, and we look forward to exploring the possibilities together.
For today: we welcome feedback on the guide and highly encourage protocols to have an incident response plan in place specific to their project PRIOR to using this template.
Refer to the Simple Security Toolkit as a starting place, and review Yearn’s documentation as a strong example.
—
If we're serious about transforming DeFi from a hacker's paradise into a fortress of financial innovation, then security isn't just a feature; it's the very foundation upon which we build.
Follow our updates, contribute your insights, and let's transform crypto security together. If you’re working on an exciting project, we're all ears.