Hello Christopher and fellow Radiant members!
I appreciate - as I’m sure many of us do - security being brought to light in this moment of uncertainty being felt across many DeFi platforms. Beyond going into the Aave protocol’s more holistic approach to creating multi-pronged safety-measure coverage flywheels (see Safety Module discussions) and key partnerships that add value (in addition to coverage and security) to our community and the protocol, here are some exploratory considerations, questions, and comments that could (or should) ignite discussion around this proposal.
Radiant does in fact need to take security very seriously. In my opinion, ironclad security measures that are well thought out, transparent, and integrated to the benefit of all should hands down be the #1 priority. This brings us to doing due diligence and exploring options.
1. Cost-Benefit Analysis:
- How does the $30,000 upfront cost compare to our current security measures and their associated costs?
- Given the size of our treasury, does a $30,000 investment for potential recovery of stolen funds make financial sense?
2. Usage Limitation:
- The package includes only up to 100 hours of investigative work. What happens if we need more than that in the event of a complex hack? How much will additional hours cost?
3. Scope of Coverage:
- Does the coverage include only hacks and exploits, or other potential threats like phishing attacks, insider threats, and smart contract vulnerabilities?
4. Integration with Current Security Measures:
- How will Chainalysis’ services integrate with our current security measures, incident response plan, or any other third-party services we might be using?
5. Chainalysis’ Track Record:
- Out of the total incidents Chainalysis has responded to, how many resulted in successful recovery? What’s the average percentage of assets recovered?
6. Response Time Commitment:
- Is there a defined SLA (Service Level Agreement) regarding how quickly Chainalysis will begin their investigative work once they’re alerted?
7. Conflict of Interest:
- Given Chainalysis’ extensive network, are there any potential conflicts of interest we should be aware of, particularly if another client is implicated in a hack against us?
8. Transparency and Reporting:
- What level of transparency and reporting can we expect from Chainalysis during and after an investigation? How will sensitive information be handled?
9. Exclusivity and Priority:
- If multiple Chainalysis clients are hacked simultaneously, how will Chainalysis prioritize its responses? Do all clients get equal attention, or are there factors that could lead to prioritization?
10. Renewal and Updates:
- What’s the process for renewing after the initial 12 months? Are there price escalations? How frequently does Chainalysis update its techniques, tools, and knowledge to adapt to the ever-evolving landscape of crypto threats?
11. Legal Considerations:
- How does Chainalysis handle jurisdictional differences when working with Law Enforcement Agencies worldwide? Could there be any legal implications for our platform based on where we operate as well as coverage issues for members who operate in certain jurisdictions?
12. Deterrence:
- How will our association with Chainalysis be publicized to act as a deterrent? Is there data to support that having Chainalysis on retainer genuinely deters potential hackers?
13. Feedback from Other Clients:
- It could be valuable to directly speak with some existing clients of Chainalysis (like Axie Infinity or Morpho Labs) to understand their experience, satisfaction levels, and any challenges faced.
To all: it’s crucial to approach all decisions with both an open mind and a healthy dose of skepticism. It’s also crucial that you join the conversation! Making sure you have all the necessary information and understand the full scope of what’s being offered can help each Radiant member make informed decisions. Thanks Christopher!