[DISCUSSION] Risk Management Tools Creating a Safer Web3 and Another Flywheel of Growth for BitDAO



Proposal Title: Risk Management Tools Creating a Safer Web3 and Another Flywheel of Growth for BitDAO

Authors: The SimpleDEFI Team

Date: November 7, 2022

BitDAO Proposal Draft


Introduction

Security and risk management represent a significant opportunity for improvement in Web3. Tools focused on Operational Security (OpSec) and Cyber Security (CyberSec) can help increase trust, reduce, or even eliminate risk for projects and the entities that fund them. They can also help elevate Web3’s reputation in the minds of non-adopters, who perceive Web3 to be fraught with risks and uncertainty.

Background

Investors and community members have an expectation that projects are serious about risk management and security. And project teams have obliged by ensuring smart contracts are audited by independent firms. The contract audit is considered table stakes for an industry rife with exploits.

However, auditing the smart contract code only gets us part of the way. There are attack vectors and gaps within day-to-day operations that many projects overlook. A considerable percentage of ‘hacks’ in the blockchain space are not hacks at all. They are operational failures brought about by human error or a lack of operational discipline.

Many projects have exposure to risk that they don’t even know about. Some of these risks are severe enough that they could literally destroy the project (impacting everyone involved including contributors, funders, investors and the team itself).

The reasons: many project teams have little or no operations expertise. Others don’t know what they don’t know. Operational Security (OpSec) and Cyber Security (CyberSec) are complex topics, especially in today’s world. It would be unrealistic to expect teams to fully understand all OpSec and CyberSec risks, let alone know how to solve for them. They need unbiased help (and tools) to know where they stand relative to where they think they are. They also need to know what options are available to improve their risk management practices and ensure the project and treasury are protected.

Proposal

We believe an affordable, easy-to-use solution can help project teams manage OpSec and CyberSec risks. It would demonstrate to their community and investors that they are being proactive and transparent about managing these risks, just as they do by ensuring the code is audited via third-party contract auditors.

The Product

We propose to build two complementary solutions:

SimpleGOVERNANCE: an operational audit solution for project teams to manage risks and security threats that smart contract audits do not cover.

SimpleYIELD: a rules-based engine combined with reporting tools (analytics, asset tracking, reconciliation, governance) that makes it easy for projects to implement yield strategies across any chain or DEX.

How they Work Together

SimpleGOVERNANCE helps manage OpSec and CyberSec risks associated with daily operations while SimpleYIELD provides risk management functionality for the treasury.

SimpleGOVERNANCE: How it Would Work

The solution uses a “self-assess & recommend” algorithm that outputs the following:

  • An initial score for each vulnerability across all 5 major NIST categories (we will use the globally recognized NIST CyberSec framework and adapt it for Web3)
  • A roadmap with recommendations, generated automatically, detailing in plain English what teams can do to eliminate or reduce risks and threats
  • Summarized and detailed views on an executive dashboard to help project teams view, prioritize and track progress to resolution
  • Finally, a reward system for continued score improvement

User Benefits

For project teams

  • Protects the project by reducing risks of internal and external threats not addressed by the smart contract audit
  • Builds trust and credibility with the community and investors by demonstrating prudence in operational risk management
  • Saves time, allowing project teams to focus on building their core products vs learning how to implement proper OpSec and CyberSec policies and procedures
  • Affordability: fees for the solution and the recommendations made are stage- and treasury-appropriate. This allows teams to access GOVERNANCE at any stage of their development
  • No surprises: project teams don’t know what they don’t know. GOVERNANCE provides the guidance needed to protect the project and treasury
  • Incentives: more details are provided in the Budget section of this proposal

Benefits for Investors and Funders

There is an important use case for GOVERNANCE beyond helping the project. Any financial contributor (BitDAO, other DAOs, L1s, L2s, Foundations) or investor (VCs, Funds) can benefit from SimpleGOVERNANCE:

  • Protecting the investment in the project: without SimpleGOVERNANCE, financial contributors are assuming project teams are being diligent about risk management. It is risky in and of itself to assume this, as project teams are focused on building core product more than anything. Funding could be conditional on SimpleGOVERNANCE being implemented and committing the project team to minimum risk scores to access future funding allocations.
  • Portfolio tracking and benchmarking: SimpleGOVERNANCE will include functionality for funders to monitor the performance of projects in their portfolio or ecosystem. This will allow for tracking the project’s current state, how it is progressing to improve the risk score, and benchmarking against other projects. The benchmarking functionality can also help with information sharing, allowing funders to see which projects are progressing quickly, and why, and to pass this information on to others.
  • Protecting their reputation: this is very applicable to VCs, who would not want the reputational risk of funding projects that wind up being destroyed due to external risks and threats that were not proactively mitigated by the project team.

SimpleYIELD: How it Would Work

This would be a solution that sits on top of DEXs (it does not compete with them). The architecture would make it simple to execute yield strategies across DeFi, with the added benefit of a rules-based engine that automates search, execution and liquidation functions.

It would include reporting functionality to monitor strategies, treasury performance and reconciliation for decision making. For example, reporting tools would capture all relevant information relating to a strategy, and show evidence that the treasury had been allocated per the DAO’s governance vote or a project’s policy decision.

Budget

We propose a token swap combined with an incentive program. The incentive program will be a first of its kind, tied to improvement in risk management practices.

It will incentivize projects to improve their GOVERNANCE score after the initial self-assessment is completed. Improved scores increase the resilience of the project. This in turn improves the resilience of Web3 and demonstrates we are being proactive about managing risk and protecting treasuries.

Token Swap Details:

$1.8 million in stablecoins in exchange for 44 million EASY tokens. The EASY tokens would vest monthly for 4 months after TGE, including a 1-month cliff.

Incentive Program Framework

There will be an incentive program for each of SimpleGOVERNANCE and SimpleYIELD.

SimpleGOVERNANCE would be co-funded by BitDAO and SimpleDEFI. It would be designed to encourage projects to improve their GOVERNANCE Score over time.

BitDAO Incentive Contribution: we propose a grant of $2.5 million (in BIT equivalent or stable). The amount would provide an incentive for projects to increase their score and receive incentives up to 100% of their first-year subscription for implementing the service.

Fees for SimpleGOVERNANCE will range from $10,000 to $30,000 per year for most projects. The grant request is based on allocating funding for up to 100 projects to receive an incentive equal to their first-year costs.

SimpleDEFI incentive contribution: we will provide vouchers to projects representing a discount on the supporting services needed to improve the project’s GOVERNANCE score in each NIST category. The vouchers would offer a 25% fee reduction.

By incentivizing the first 100 projects, we achieve a number of benefits:

  • Reduce risks and threats not covered by the smart contract audit for participating project teams
  • Save them time so they can focus on building
  • Build a sizeable data set of projects and risk scores that allows us to benchmark performance and share results and findings with the wider Web3 community
  • Collect verifiable data on the success of the project, proper behaviour, and progression of the project as it moves through its growth stages. This data could be used for other purposes including insurance (qualifying for coverage and/or reduced fees), product improvements (the more data, the better we can refine the product as Web3 evolves), and continuous improvement of the parameter outputs that we can build on for future projects.
  • Future phases could lead to a significant data science initiative that provides for automated and trustless governance to be enforced through smart contracts based on the data collected from existing participants.

SimpleYIELD Incentives: fully funded by SimpleDEFI

We would offer a 100% rebate on fees for the first 90 days and a 25% rebate for the next 9 months. This would apply to the first 25 projects that implement SimpleYIELD. Rebates would be issued in EASY tokens.

A Note on the Budget

We have already made a lot of progress on both solutions, which is why the funding request to build and market is quite small relative to other proposals submitted to BitDAO.

For SimpleGOVERNANCE, we have secured an exclusive global master license agreement with Cybersecurity Compliance Corporation (CCC) to leverage their framework. The funding is needed to adapt this framework for Web3. Terms are favourable. The agreement has no upfront costs and is completely success-based. CCC receives a fixed portion of the annual subscription revenues generated from SimpleGOVERNANCE.

Benefits: this allows us to build a solution for Web3 based on a proven framework already implemented in traditional sectors, without any cost risk.

With respect to SimpleYIELD, we have already built the architecture that enables multi-chain, multi-DEX yield farming. This code is complete, usable today and has been audited by two firms. The funds would be used to develop the rules-based engine and reporting functionality.

This is a suggested framework to achieve the objective of increased adoption of SimpleGOVERNANCE as an OpSec/CyberSec standard. We believe an incentivised solution can achieve this, with the potential for rapid deployment.

We welcome discussion on the incentive mechanics as we believe this approach can be a massive catalyst for improved security and protection for projects and their treasuries.

How will your proposal, if activated, benefit BitDAO?

There are numerous benefits for BitDAO if this is activated.

Innovation Leadership

The launch of SimpleGOVERNANCE, supported by BitDAO, presents the entire Web3 community with an innovative solution that can elevate Web3’s profile to non-adopters.

The proposed approach is innovative. BitDAO and SimpleDEFI would be the first to implement an incentive program focused on risk and treasury management in Web3. This would demonstrate BitDAO’s capabilities, forward thinking mindset and ongoing leadership in Web3.

Market Leadership & Treasury Growth

The proposed incentive program in and of itself creates a growth flywheel. With BitDAO providing the catalyst for adoption, it has the potential to make SimpleGOVERNANCE the Web3 standard for OpSec & CyberSec risk management. If successful, it would have a significant impact on the BitDAO treasury through the addition of the EASY token.

It Enables Multiple Flywheels of Growth

For example, BitDAO could consider the implementation of SimpleGOVERNANCE through existing partnerships by expanding the proposed (or finalized) incentive program further. With each partnership, another flywheel of growth is created.

A Well Timed Build for BIT Network: Infrastructure, BIT Token Utility, Protection for Smaller Projects

SimpleYIELD and SimpleGOVERNANCE align with stated goals identified in the BIT Network Proposal.

First, more utility for the BIT token by providing incentives for improved OpSec and CyberSec practices for applications on the BIT Network. BitDAO could demonstrate leadership in Web3 by mandating implementation of risk management solutions and/or making their implementation conditional on funding and grant approvals.

And second, both solutions help smaller projects that do not have the resources or knowledge to manage risk. As attracting a larger volume of smaller proposals is one of BitDAO’s goals for the network, having solutions available to smaller teams to manage risk provides benefits.

Team

The SimpleDEFI team has the relevant expertise to build these solutions (see credentials below, and more details at www.simpledefi.io/simpledefi_team).

The entire development team has been together for close to 25 years. Everyone on the team has relevant expertise in Fintech, CyberSecurity, Blockchain, Risk Management, and Business Operations.

And we have already made progress on both products. For SimpleYIELD, the search, enter, swap and liquidate functionality is live, with multi-chain and multi-DEX support activated within 2 to 3 months. The rules-based engine and reporting is what the funding would be used for.

For GOVERNANCE, we have a non-functional prototype.

A list of relevant credentials is also provided below:

  • ITSM/ITIL Certification
  • PMI Project Management Professional (PMP)
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Auditor (CISA)
  • Certified in Risk and Information Systems Control (CRISC)
  • Microsoft Certifications: MCTS, MCIPT, MCDBA, MCSE, MCPD, MCAS, MCSD, Microsoft Certified Architect
  • Cisco Certifications: Cisco Certified Architect, CCNP, CCDP, CCSP, CCNP Security, CCNP Voice, CCNP Wireless
  • Red Hat Certified Engineer
  • SUN Certifications: Database Administrator, SQL Expert, Linux Expert
  • Linux Certified Professional; Systems Security Certified Practitioner

How Long Will it Take to Complete your Proposed Changes

SimpleGOVERNANCE would be live in 3 – 4 months.

SimpleYIELD rules engine and reporting functions would be live in 5 – 6 months.

Who is Involved?

The SimpleDEFI Team: builders of the solution.

Smart Contract Audit Firms: as affiliate partners. We are in discussions with a number of them to refer projects to us. Both solutions are complementary to their smart contract audit services, creating synergy for both parties with high growth potential for mass adoption of our tools.

Web3 Insurance Protocols: awareness and product augmentation. We would approach insurance protocols to educate them on these tools. We believe there are synergies and alignment with insurers that look for evidence of projects being proactive in managing risks. The project team’s efforts can impact the cost of their insurance. It could even determine whether the insurer will consider the project for coverage at all.

What are the Milestones?

SimpleGOVERNANCE Milestones

  • Licensing agreement with CCC leveraging existing framework: Completed
  • Fee and incentive model: Completed, pending approvals
  • Adapt NIST CFF Standard 108 for Web3: Begins once funded
  • Smart contract to publish project scores on chain: Within 90 days of funding
  • Completion and Testing: Within 90 days of funding
  • Go Live: Within 30 days of testing

SimpleYIELD Milestones

  • Contract Audits: Completed
      www.certik.com/projects/simpledefi
      www.asfalia.xyz/project/simpledefi
  • Yield farm entry, switch, liquidate functionality: Completed
  • Swap functionality: Completed
  • Chain/DEX agnostic (Uniswap v2-compatible DEXs): Completed
  • Build Rules-Based Engine & Reporting Functionality: Begins once funded
  • Completion and Testing: Within 150 days of funding
  • Go Live: Within 180 days of funding

Immediate action items if proposal is accepted

  • Onboarding session (optional, at the discretion of the BitDAO community)
  • Complete the swap and allocation of funds for the incentive program
  • Announce the initiative
  • Begin the work

Additional comments:

We believe these tools can help projects reduce risks. They will have the tools and support needed to do so, at affordable costs, with less time spent on operations, leaving more time to focus on building core products.

The proposal structure is also of benefit to BitDAO. It enables tools that can be leveraged to reduce risk in projects directly funded by BitDAO, plus the generation of flywheels to spur growth within the BitDAO ecosystem and for the BitDAO treasury.

Feedback on our proposal would be appreciated. We are confident that our proposal brings value, but also recognize there might be some really good suggestions from the BitDAO community that would improve it further. Thank you in advance for this opportunity; we look forward to further discussions.


Hey! Welcome to BitDAO. I read the proposal and I have some doubts.

  1. If I understand correctly, you intend to create a new standard of operational (process management) and technical (software) security in the industry. But you are also making use of tokenomics ($simple). I think this is very risky for a security project because, in the view of a mainstream person, if your token suffers economic or governance attacks, you (the organization) suffer attacks and your product certificates are attacked in the sense of trust. So, do you really need a token?

  2. This brings me to another question: you propose $1.8 million in stable in exchange for 44 million $EASY tokens. This is approximately 10% of the total supply. Do you want BitDAO as a minority partner? Could you explain the allocation of resources?

  3. To introduce new security standards in the industry, you need customers who lead niches like CEX, DEX, Wallets, infrastructure providers, etc. Do you already have something along these lines?

  4. What do you guys think about the collective crypto creations that are emerging recently that are introducing new standards and best practices? Would that be some competition? How do you see it?

Cheers


Hi Don, I am jumping into a meeting in a couple of mins, will submit replies within a couple of hours.


Question 1
We are not proposing a new standard. We are building a product that incorporates the widely accepted NIST and financially oriented OSFI frameworks. The product will be designed to adapt to new industry standards as Web3 matures. This addresses imminent needs in the industry today, while ensuring the solution can evolve.

For example, the first version would incorporate NIST (for general operational guidance) and OSFI (for specific financial guidance). Both standards are globally recognized and accepted. We would adapt them for Web3.

In terms of risk as it relates to security and the token, we actually feel our proposed approach reduces risk, versus creating it. Here’s why:

SimpleGOVERNANCE architecture is dynamic and agnostic to standards. The tools, functionality and expertise are the value driver that will be delivered to project teams. The standards we incorporate are interchangeable within the tool. Therefore, we are not building something that will not evolve with the needs of the Web3 community.

We are not limited to one sector either. It is applicable across all Web3 verticals (DEXs, DAOs, NFT Projects, Metaverse, DeFi, etc.). Therefore, if different industry standards are adopted for each vertical (as an example), we are able to adapt the tool to suit the needs of that vertical without massive code rewrites. This approach provides us with a very large addressable market and makes it easier for projects to work with us knowing the solution is adaptable.

In terms of the token, our EASY token is a utility token that provides a number of uses within SimpleDEFI’s ecosystem. It is used to pay for services (such as SimpleGOVERNANCE), offers reduced fees (for both SimpleGOVERNANCE and SimpleYIELD), and will provide partner incentives that help drive ecosystem growth. For token stakers such as BitDAO, there is a revenue sharing mechanism whereby 7.5% of all platform revenues are distributed. We have three partnerships papered for SimpleYIELD and a number of interested parties for SimpleGOVERNANCE.

The attacks you mentioned are already mitigated. This is because we already have traction and are building more than one tool in the ecosystem. This derisks the attacks by reducing reliance on one specific solution. Secondly, because the tools being built are complementary, we in theory provide a lot of value to projects that is not available today.

Finally, the proposed incentive of offering BIT tokens is a much-needed solution in Web3 for small to medium sized projects struggling at this time. We all want a safer Web3 with better procedures to manage project and treasury risk. But some projects are really struggling in 2022.

The one risk we mitigate is reducing the concentration of success to only a few large projects with big treasuries versus continuing to support smaller projects that have been caught in the 2022 downdraft through no fault of their own. Big projects will just continue to get bigger, making it extremely challenging for smaller projects to ever get off the ground.

If we don’t provide affordable tools with support, we will create the same wealth disparity in Web3 that we all were not pleased with in Web2.

We can avoid this together. The combination of the BIT incentive and the SimpleGOVERNANCE pricing model does just that. Our pricing model ensures it is accessible to any sized project, whereas that is not always the case elsewhere, as OpSec and CyberSec solutions tend to be extremely expensive and cost-prohibitive for small to medium sized projects.

Question 2
Yes we do. We felt it was right to provide EASY tokens in return for the funding versus asking for a straight up grant. This would drive another flywheel of growth for the BitDAO treasury, both in terms of holding the token (through project growth) and proportional percentage of revenue share by staking the token (7.5% of revenues will be shared with stakers).
Here is the breakdown of the budget:

SimpleGOVERNANCE build out: $685,000
SimpleYIELD build out: $575,000
Content, Education, Marketing, Biz/Dev: $540,000

Question 3
You ask an excellent question. Our answer has multiple relevant components.

Per our response to question one, we are not proposing new standards, we are incorporating existing, widely recognized standards and adapting for Web3.

Regarding customers that are leaders in each vertical, that is not our focus. Those projects (Binance, UniSwap, etc) have large budgets and hire large CyberSec firms that charge well over $100,000 (if not into the millions) for their consulting and security services.

Over 90% of the projects in Web3 are not big enough (team or treasury) to afford these services.

Our proposal is aimed at those projects that do not have the funding or resources. This solution provides an easy-to-use tool that helps them understand their current state, where the vulnerabilities lie in the project, and guidance on how those risks can be mitigated. We will help projects engage in ‘stage appropriate’ activities based on their size and stage of growth. As we mentioned in question one, the fees are also stage appropriate in that all projects can have access to the SimpleGOVERNANCE solution without needing a massive budget.

We are in early discussions with contract audit firms, launchpads and KYC firms where SimpleGOVERNANCE specifically is a nice complement to their solutions. So yes, in terms of a path forward on business development, we see a lot of interest and an unmet need with firms that want to resell and/or integrate SimpleGOVERNANCE and SimpleYIELD. For SimpleYIELD specifically, we have 3 papered agreements with KeepKey (one of the largest hardware wallet providers in Web3), Vidulum (a multi-asset desktop Web3 wallet) and Klabrate (an eco-friendly Metaverse project that will integrate DeFi into their ecosystem).

Finally, it is the larger players that will help shape the standards. We fill an important role in that we will be able to adapt those standards for small to medium sized projects with an affordable, easy to use solution that helps them demonstrate they too are being proactive with protecting their project and treasury.

If we do not build tools for this cohort, we will leave them vulnerable. And at this stage, we have a lot of work to do to earn trust from non-adopters who have seen nothing but project failures and more reasons to not trust developments in Web3. Our tools are one step in the right direction to build trust and transparency for any sized project.

Question 4
Can you elaborate on what you mean by collective crypto creations?