PoolTogether Proposal for a partnership with Hexagate web3 cyber security

Abstract:

Hexagate is a web3 security provider helping protocols, bridges and chains to protect their smart contracts and users from theft caused by cyber exploits and web3 threats. Hexagate offers a platform that detects threats in real-time and prevents them from causing any impact.

Hexagate offers real-time monitoring solutions for all sorts of threats before they impact any digital assets, and automated prevention tools for PoolTogether so devs can take on-chain action when applicable.

This benefits PoolTogether devs and users by safeguarding their funds from potential exploits on any PoolTogether contract and reduces the amount of funds lost in a possible incident.

Background:

Hexagate monitors blockchains in real-time, and by leveraging ML, security heuristics and hybrid detection algorithms, it provides early detection of exploits. When bundled with Hexagate’s automated remediation workflows, the Hexagate platform provides full protection against all Web3 threats for smart contracts, tokens and EOAs. The Hexagate platform covers the detection of cyber and financial exploits on 1st and 3rd party code and mainnet deployments, governance and administration risks, suspicious fund movements, phishing, fraud, scams and custom invariants.

Protocols, bridges and chains that use Hexagate benefit from early and accurate detection of threats, remediation workflows, IR and forensics.

The company already protects over $10B in TVL across multiple chains, is trusted by the biggest names in the industry, and managed to detect, ahead of time, exploits that targeted Euler, iearn, Hundred Finance, Conic and more.

Hexagate is a VC-funded company backed by leading VCs, founded by serial entrepreneurs that previously built companies that got acquired by Jfrog and Claroty. Our team brings vast experience in the cybersecurity realm.

Hexagate also helps the entire ecosystem by helping others in a time of need, participating in post-mortem analysis, war-rooms aimed at unveiling exploiters and recovering funds and by conducting research activities on protocols - here are a few examples:

And many more; you are welcome to follow us on our Twitter and see.

Proposal - TL;DR

Hexagate monitors malicious activity on-chain, including on any PoolTogether contracts.

Hexagate can partner with PoolTogether, so that PoolTogether can get real-time alerts on threats to PoolTogether contracts or governance participants and run automated workflows to remediate issues in real-time when Hexagate fires an alert. That will, for instance, allow rapid communication and response to threats that come up, and will allow users to react in real-time to exploits and automatically withdraw their positions.

Detailed proposal for PoolTogether

  1. Hexagate will provide select personnel at PoolTogether with access to its web3 security platform and web3 threat intelligence feed, including our on-chain investigation engine.

  2. Threats covered by the Hexagate platform:

    a. Exploits on first or third-party code
      1. Detect suspicious malicious contracts before they exploit a protocol
      2. Detect novel 0-day exploits and unknown threats on protocols or their dependencies
      3. Dependencies including: tokens, deployers, oracles, bridges, other protocols and so on
      4. Detect token exploits - excessive minting or burning, abnormal transfers, centralization risks, missing access controls allowing arbitrary approvals or transfers, rug pulls
      5. Detect oracle deviations and delays
      6. Track abnormal transfers to detect private key compromises
      7. Alert on token depeg - stablecoins, wrapped assets or bridged assets
      8. Track fund movement post-incident and automatically tag malicious entities on-chain to taint stolen funds as they move, in real-time
    b. Governance and Administration
      1. Simulate and analyze any malicious governance proposal (or malicious proposer) that goes on-chain (including when a governance proposal executes)
      2. Analyze contract ownership or role changes for abnormal changes to malicious entities
      3. Detect malicious implementation updates and changes to privileged configurations that result from missing access controls, private key compromises or rug pulls
      4. Detect centralization risks on governance token holders or phishing attempts on governance token holders
      5. Monitor governance token transfers
    c. Funds movement
      1. Track illicit funding sources and track fund movement
      2. Monitor and tag all malicious on-chain activity including fraud shops, mixers, USDT / USDC / OFAC blacklists, high-risk exchanges and stolen funds.
      3. Monitor abnormal transfers and/or fund movements from specific addresses (protocol treasury, whales, protocol participants, etc.)
    d. Invariants and parameters
      1. Monitor predefined invariants and params per the protocol specifications
    e. Phishing, fraud and scams
      1. Governance participants interacting with malicious contracts, phishing addresses, scam tokens and so on
      2. Detecting malicious dapps impersonating PoolTogether

  3. Hexagate provides generic webhooks and Slack/Telegram/email/Discord/PagerDuty integrations for all types of alerts.

  4. Hexagate enables user-generated custom monitors, so a user can set up alerts on specific wallets, whales, specific events, specific contract calls, and so on, enabling users to customize their monitoring to fit their needs.

  5. Phishing detection for governance participants - Hexagate surfaces any phishing attempt on PoolTogether governance participants.

  6. Connection to our network of partners and collaborators with which we have an open channel, such as Chainalysis, Binance, on-chain sleuths and so on, to be able to notify them in real time when an incident happens so they can tag the bad actors and prevent them from off-ramping on a long list of exchanges, uncover the attacker’s identity, help with crafting a post-mortem paper and analyze the blast radius of the incident.

  7. Beacon chain monitoring

    a. Hexagate monitors for beacon chain events such as slashing. The platform allows users to monitor and get notified in real time whenever a specific validator is slashed.

  8. Professional service and support:

    a. Helping out with bug bounty program submissions, security reviews and triaging incidents in real-time by assigning a security researcher from our end to help out right on time. In the initial proposal we’ll allocate 15 hours of security research activity to help on that front, and expand that as needed.
    b. Preparation and training for managing a war room, assigning roles and responsibilities and helping out with crafting security frameworks and incident response procedures - based on our expertise gained from being active in many such incident response events.

  9. Onboarding:

    a. During onboarding, a Hexagate security engineer together with a PoolTogether stakeholder will map all the contracts, tokens, bridges, oracles and governance structures that are related to, or even remotely affect, PoolTogether contracts and on-chain assets, to be able to have broad coverage of all possible threats. Access to the platform will be granted to the select personnel on the PoolTogether team to use the platform to configure monitors, alert notification channels and run triaging and investigations for any on-chain activity. These will be provided right after signing.
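An added illustration, not part of the original post and not Hexagate's or PoolTogether's code: a minimal rule-based monitor in Python that runs the kinds of checks the proposal lists (single transfers above a threshold, mint bursts in a sliding block window, outflows from a watched treasury address, ownership or proxy-implementation changes to addresses outside an allowlist, and a vault collateralization invariant) over a handful of constructed events. Every address, amount, block number, threshold and event shape below is a made-up assumption; in a real deployment the same functions would consume decoded logs pulled from an RPC node or indexer.

```python
"""Rule-based on-chain event monitor (illustrative example, not a vendor product).

Events are decoded logs represented as dicts. They are constructed inline here
so the script runs offline; nothing below is real chain data.
"""
from collections import defaultdict

# Constructed sample identities (assumptions for illustration only).
ZERO = "0x0000000000000000000000000000000000000000"   # ERC-20 mints come "from" the zero address
TREASURY = "0xtreasury"
KNOWN_ADMINS = {"0xmultisig"}

# Constructed sample events from a hypothetical vault contract.
SAMPLE_EVENTS = [
    {"block": 100, "type": "Transfer", "from": "0xalice", "to": "0xbob", "amount": 5_000},
    {"block": 101, "type": "Transfer", "from": ZERO, "to": "0xattacker", "amount": 900_000},  # mint
    {"block": 101, "type": "Transfer", "from": ZERO, "to": "0xattacker", "amount": 900_000},  # mint
    {"block": 102, "type": "Transfer", "from": TREASURY, "to": "0xattacker", "amount": 750_000},
    {"block": 103, "type": "OwnershipTransferred", "from": "0xmultisig", "to": "0xattacker"},
    {"block": 104, "type": "Upgraded", "implementation": "0xnewimpl"},
]

# Thresholds a protocol team would tune to its own specification (assumed values).
CONFIG = {
    "large_transfer": 500_000,            # alert on any single transfer above this amount
    "mint_window_blocks": 10,             # sliding window for the mint-rate check
    "max_minted_per_window": 1_000_000,   # total mint allowed inside that window
    "watched_addresses": {TREASURY},      # alert on any outflow from these
    "known_admins": KNOWN_ADMINS,         # allowlisted owners
    "known_implementations": {"0xoldimpl"},  # reviewed proxy implementations
}


def check_transfer(ev, cfg):
    """Large-transfer and watched-address outflow rules for one Transfer event."""
    alerts = []
    if ev["amount"] > cfg["large_transfer"]:
        alerts.append(f"block {ev['block']}: large transfer {ev['amount']} {ev['from']} -> {ev['to']}")
    if ev["from"] in cfg["watched_addresses"]:
        alerts.append(f"block {ev['block']}: outflow from watched address {ev['from']}")
    return alerts


def check_mint_rate(ev, cfg, minted_by_block):
    """Sum mints (Transfer from the zero address) over a sliding window of blocks."""
    if ev["from"] != ZERO:
        return []
    minted_by_block[ev["block"]] += ev["amount"]
    lo = ev["block"] - cfg["mint_window_blocks"]
    total = sum(a for b, a in minted_by_block.items() if lo < b <= ev["block"])
    if total > cfg["max_minted_per_window"]:
        return [f"block {ev['block']}: {total} minted within {cfg['mint_window_blocks']} blocks"]
    return []


def check_privileged_change(ev, cfg):
    """Ownership or implementation changes to anything outside the allowlists."""
    if ev["type"] == "OwnershipTransferred" and ev["to"] not in cfg["known_admins"]:
        return [f"block {ev['block']}: ownership moved to unknown address {ev['to']}"]
    if ev["type"] == "Upgraded" and ev["implementation"] not in cfg["known_implementations"]:
        return [f"block {ev['block']}: proxy upgraded to unreviewed implementation {ev['implementation']}"]
    return []


def check_vault_invariant(total_assets, total_shares, rate_num=1, rate_den=1):
    """Invariant: assets held must cover outstanding shares at the stated exchange rate."""
    required = total_shares * rate_num // rate_den
    if total_assets < required:
        return [f"vault undercollateralized: assets {total_assets} < required {required}"]
    return []


def run_monitor(events, cfg):
    """Run every rule over an ordered event stream and return the alerts raised."""
    alerts = []
    minted_by_block = defaultdict(int)
    for ev in events:
        if ev["type"] == "Transfer":
            alerts += check_transfer(ev, cfg)
            alerts += check_mint_rate(ev, cfg, minted_by_block)
        else:
            alerts += check_privileged_change(ev, cfg)
    return alerts


if __name__ == "__main__":
    for a in run_monitor(SAMPLE_EVENTS, CONFIG):
        print("ALERT", a)
    for a in check_vault_invariant(total_assets=950_000, total_shares=1_000_000):
        print("ALERT", a)
```

The point of the sliding window is that the two mints in block 101 are individually under the cap but together exceed it; a per-event rule would miss that. The allowlist checks turn ownership transfers and upgrades, which are legitimate events most of the time, into alerts only when the destination is something the team has not reviewed.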

Hey Mike,
thanks for engaging with the PoolTogether community!

The service you provide looks valuable. Your proposal doesn’t mention any costs. I reckon you don’t offer all of this for free. What’s the price for this?


Sure, Tjark, thanks for your response.

Here is the Budget:

For the first year, and under the Hexagate emerging protocol promotion program (under USD20M TVL), Hexagate asks for $20,500 in USDC paid upfront for the first year to license the Hexagate platform for real-time threat monitoring & prevention, onboarding, maintenance and professional service and support listed above.

Hiya Mike,

Thanks for sharing Hexagate’s proposal with the PoolTogether Community :pray: Your commitment to enhancing web3 security is commendable, and the detailed plan you provided is impressive!

Before we move forward, I have several questions that will help the community evaluate the proposal in the context of our specific needs and operations:

  1. What would be the expected integration timeline and the required resources from our end to implement Hexagate’s services effectively?

  2. Is there flexibility in the partnership structure, such as a trial period, to evaluate the efficacy of the service in real-world scenarios within the PoolTogether ecosystem?

  3. Can you provide a breakdown of the costs involved, including any initial setup fees, recurring costs, and costs for additional services beyond the initial proposal?

Looking forward to your responses and discussing the proposal further!

Best,

Darby, Growth Lead for PoolTogether


Why not have this be open? The protocol is immutable, so there’s really nothing to “react to” given an exploit at the core level, but frontend operators, vault deployers, etc. may want to see this info in real-time. This could be particularly useful for vault deployers to have their underlying yield sources and potential undercollateralization scenarios monitored.

  1. It takes a few minutes to onboard all PoolTogether addresses to Hexagate and get real-time notifications to Slack, Telegram, PagerDuty, a general-purpose webhook and other notification channels.
    Following that, we’ll work with your team so that we can take automated or semi-automated action before any of the PoolTogether contracts are exploited.
    It depends on PoolTogether what type of strategy we want to take once we detect a new threat. We have plenty of possible strategies that we can take.
    We can also monitor for phishing and scams on the governance participants of PoolTogether to be notified of such cases.
    We also have customized monitors to allow you to customize things like large transfers (you can specify how much) on any number of addresses, balance changes, specific function calls/events (monitor any configuration changes), slashing events on specific validators and more.

  2. Sure! We detected all previous hacks and exploits with a very high fidelity and false positive rate, and we have a threat feed so you can see within seconds how many alerts we generated for any of the PoolTogether contracts.
    We can definitely grant an evaluation period to evaluate and see the power of the platform.

  3. As mentioned above, this is a full package under our emerging protocol package that includes all the services:
    a. Hexagate platform yearly license - monitoring all threats stated…
    b. Professional service and support package, including 15 hours of professional services given by a security researcher.
    c. Onboarding package.

We’d love to jump on a call if you’d like to discuss the offering.

Basically, the alerts can then be relayed to users once acknowledged by the security personnel on PoolTogether’s side and the Hexagate incident response team. As mentioned, we can integrate with various platforms such as Telegram, Slack, general-purpose webhooks, PagerDuty and more, so that can be fully visible to users. The thing is that we should not open access to the system to anyone but the admins of the platform, as it allows monitoring anything on the blockchain and changing the monitors.

Hey Mike,

Thank you for the detailed response, I highly appreciate it!

At present, PoolTogether’s security needs are well-managed, but we’re open to exploring platforms that offer broader community access – it could benefit a decentralized setup like PoolTogether’s where multiple parties could monitor their parts of the protocol independently (as Ncookie mentioned). In addition, having an open platform aligns closely with the PoolTogether ethos.

I’ll keep Hexagate in mind as the protocol continues to evolve and should its needs align more closely with your offerings, I’d love to revisit this conversation.

Thanks again for your time :pray:

Best,

Darby