AIP-9 - Boring Security

Category: Core - Ecosystem Fund Allocation

Author: Feld4014 & Boring Security - www.boringsecurity.com

ABSTRACT

This document outlines the Boring Security Mission statement and alignment with the greater BAYC and NFT community. In order to grow the pie, we must first secure the crust, and protect the gooey insides from malicious actors.

MOTIVATION

The Boring Security DAO has tracked over $50mm worth of hacked/scammed NFTs in the space and attributes the losses largely to a lack of awareness and education on the NFT community's part. There have been no large-scale, vendor-neutral efforts in the space to educate, inform, and provide timely updates so that the community can make better-informed risk decisions with their capital and NFTs.

RATIONALE

With BAYC holders being the largest target for hackers/scammers, the DAO will face unique security challenges over the coming months and years. As the DAO brings a whole slew of new users into DeFi primitives, those users will face even more challenges in keeping their coins, NFTs, and digital assets safe. As the ecosystem evolves and web3 integrations become more prevalent, getting a BAYC holder to sign a potentially malicious transaction will be the holy grail of exploits, and one that should concern this DAO greatly.

Boring Security: A Security Utility for the NFT community and beyond

Overall Cost:

We are requesting 6969 apecoin to help facilitate our first 3-6 months of operations. This fund will be used to compensate volunteers and contributors for DAO efforts using Coordinape. The Coordinape circle "Boring Security", which will govern DAO compensation, and our 'deliverables' channel in Discord will both be auditable by all members of the Bored. The allocations of apecoin will be voted on by contributors (the core contributors are listed above).

Details and Timeline

Below is our mission statement, timelines, and more information about our project.

Mission

Be the recognized trusted leader for all things Security in the NFT space

| Trust | Integrity | Community | Vendor Neutral | Democratized |

2022 OKRs:

  • Summary:
    • Achieve a meaningful number of members joining the Boring Security community
    • Funding to support Boring Security objectives long-term
  • Milestones
    • Year on Year Measurable reduction in NFT space hacks
    • Security Educational Courses w/ POAP
    • Become one of the largest communities in the NFT space.
    • Active monitoring, reviews, and tooling for the space.

Roadmap and Milestones

Phase 1

  • Summary: During phase 1 the team will be designing and developing Educational Courses geared toward changing risky behavior in the NFT space, e.g. blind signing, risky approvals, etc. The team will also accumulate and collect the necessary wallet, event, asset, and approval data to analyze and ruthlessly prioritize our roadmap.

  • Milestones: Courseware, POAPs, and establish DAO structure.

    • Create NFT security Educational courseware targeting High Risk individuals based on behavioral analysis.
    • Promote courseware via social awareness and engagement with key NFT communities.
    • Incentivize courseware through POAP and collaborations with NFT projects (giveaways, whitelist)
    • Establish the optimal team and organizational structure to achieve the goals of a long-lasting public utility
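The two risky behaviors Phase 1 targets, blind signing and risky approvals, come down to what a transaction's calldata actually does. The following is an added example, not the proposal's or Boring Security's code: a pre-signing check that decodes the handful of ERC-20/ERC-721/ERC-1155 calls that drain NFT wallets when blind-signed and rates each one. The 4-byte selectors are keccak256 of the canonical signature and are hardcoded so the script runs offline; the signer and operator addresses and the sample calldata are constructed for illustration. A real wallet check would additionally resolve the target contract and show the human-readable collection name.

```python
"""Pre-signing calldata check for the risky approvals named above.

Added example, not Boring Security's or the proposal's code. Given the raw
calldata of an EVM transaction, it decodes the ERC-20/721/1155 functions
that most often cost NFT holders their assets when blind-signed and rates
each one from the signer's point of view.
"""
from dataclasses import dataclass

# keccak256(signature)[:4]; hardcoded so the script runs offline.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",                 # ERC-20 / ERC-721
    "a22cb465": "setApprovalForAll(address,bool)",          # ERC-721 / ERC-1155
    "23b872dd": "transferFrom(address,address,uint256)",
    "42842e0e": "safeTransferFrom(address,address,uint256)",
}
MAX_UINT256 = (1 << 256) - 1


@dataclass
class Finding:
    function: str
    severity: str  # "info", "warn" or "critical"
    reason: str


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word following the 4-byte selector."""
    chunk = data[4 + 32 * i: 36 + 32 * i]
    if len(chunk) != 32:
        raise ValueError("calldata truncated")
    return chunk


def _address(word: bytes) -> str:
    """ABI addresses are 20 bytes left-padded with 12 zero bytes."""
    if word[:12] != bytes(12):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()


def classify_calldata(calldata_hex: str, signer: str) -> Finding:
    """Rate a transaction's calldata before the given signer signs it."""
    raw = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    data = bytes.fromhex(raw)
    if len(data) < 4:
        return Finding("<none>", "info", "no function call (plain value transfer)")
    selector = data[:4].hex()
    sig = SELECTORS.get(selector)
    if sig is None:
        return Finding("0x" + selector, "warn", "unknown selector: do not blind-sign, decode it first")
    if sig.startswith("setApprovalForAll"):
        operator = _address(_word(data, 0))
        if int.from_bytes(_word(data, 1), "big") != 0:
            return Finding(sig, "critical", f"gives {operator} control of EVERY token in this collection")
        return Finding(sig, "info", f"revokes operator {operator}")
    if sig.startswith("approve"):
        spender = _address(_word(data, 0))
        amount = int.from_bytes(_word(data, 1), "big")
        if amount == MAX_UINT256:
            return Finding(sig, "critical", f"unlimited allowance to {spender}")
        return Finding(sig, "warn", f"approves {spender} for {amount} (amount or tokenId)")
    # transferFrom / safeTransferFrom: the dangerous case is 'from' == the signer.
    src, dst = _address(_word(data, 0)), _address(_word(data, 1))
    token_id = int.from_bytes(_word(data, 2), "big")
    if src.lower() == signer.lower():
        return Finding(sig, "warn", f"moves token {token_id} out of your wallet to {dst}")
    return Finding(sig, "info", f"moves token {token_id} from {src} to {dst}")


def encode_call(selector: str, *args) -> str:
    """Build calldata for the samples: str args are addresses, ints/bools are uint256."""
    words = [a[2:].lower().rjust(64, "0") if isinstance(a, str) else format(int(a), "064x")
             for a in args]
    return "0x" + selector + "".join(words)


# Constructed sample values (not real accounts or real transactions).
SIGNER = "0x" + "aa" * 20
ATTACKER = "0x" + "bb" * 20
SAMPLES = {
    "setApprovalForAll(true)": encode_call("a22cb465", ATTACKER, True),
    "setApprovalForAll(false)": encode_call("a22cb465", ATTACKER, False),
    "approve(max)": encode_call("095ea7b3", ATTACKER, MAX_UINT256),
    "approve(tokenId 1)": encode_call("095ea7b3", ATTACKER, 1),
    "safeTransferFrom(me -> attacker)": encode_call("42842e0e", SIGNER, ATTACKER, 7),
    "unknown selector": "0xdeadbeef" + "00" * 32,
}


def scan_samples() -> dict:
    """Severity per sample, returned so callers can check it rather than read output."""
    return {name: classify_calldata(cd, SIGNER).severity for name, cd in SAMPLES.items()}


if __name__ == "__main__":
    for name, cd in SAMPLES.items():
        f = classify_calldata(cd, SIGNER)
        print(f"{f.severity:8} {name:34} {f.function}: {f.reason}")
```

The point of the check is that setApprovalForAll(operator, true) and an unlimited approve() are rated critical regardless of how innocuous the dApp's UI looks, while a transfer is only flagged when the signer is the 'from' address; an unrecognized selector is treated as a reason to stop and decode, not to sign.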

Phase 2

  • Summary: In order to be successful in a Security project it is essential to make data driven decisions that enable us to understand the likelihood and severity of attacks.
  • Milestones: Curate Content, Go public, Smart Contract Review, More volunteers
    • Response team deployment
    • Paced Launch of the project (Open Socials, Discord, Advertising Material)
    • Metrics developed to track % of ‘key projects’ that recommend newcomers to utilize Boring Security

Phase 3

  • Summary: Operational Success - Growth
  • Milestones: Partnerships, Growth, Tools, Trust
    • Full-time active monitoring of the space, threats, and scams
    • Develop scope beyond courseware. Establish mechanisms for proactive and reactive airdrop / smart contract reviews for user safety.
    • Develop tools, dashboards, technical primitives to protect the community
    • Partnerships with large projects, potential companies or other DAOs to help spread awareness and bring NFTs safely to the masses.
24 Likes

Very well thought out, great ideas. I suspect the team is qualified to give this a try.

One question: is this an investment or a donation?

5 Likes

I think we need to fund this. The team is qualified and we desperately need a central hub that we can point new people to as a place to learn security best practices.

7 Likes

Would love to bump this to get a little bit more conversation around it :slight_smile:

Anything you think is missing? Does this mission seem sensible? Are the funds requested reasonable?

All the best!

-Feld

3 Likes

Is there a way we can incorporate the Ape Foundation into this in a central way? Even if it’s just that Boring Security becomes a wing of the Ape Foundation. How can we incorporate Ape Coin, Ape foundation IP and DAO community feedback into the processes here. If we can do that, this has serious potential.

The funds here do seem slightly excessive

@Feld I think this is a great proposal, the funding doesn’t seem to be enough for where I think you can take this, however, I don’t see why you can’t request subsequent funding based on traction and metrics. I am happy that currently there is no other intention other than get started.

I don’t think the OKRs are defined enough, for instance:

  • what does a meaningful number of members mean?
  • What are Boring Security long-term objectives and why is that an OKR?
  • How would you measure YoY reduction in NFT space hacks, and what are you defining a hack as? Is it only social engineering hacks? Are poorly stored keys a hack or incompetence (maybe that word is too harsh)?
  • Security Education Courses - there are a ton of these programs, why are yours different?
  • Become one of the largest communities in the NFT space (in one year, with ~85K) – seems like an unreasonable expectation
  • Active monitoring, reviews and tooling - I’m not sure what this means from a Project Management perspective, what are you actually building, how many people are collaborating?

Sorry for picking at the OKRs / Milestones a little bit. Ultimately, I suspect you will learn, redefine and adapt as you get into the project. I am supportive of this project, I would vote to fund it in its current form, and I would be excited to see subsequent proposals come in for future funding (although, I suspect in the future, we would like to see some sort of revenue models and ideas on some distribution back to the DAO).

3 Likes

Coordinape distribution of 6969 $APE - love it.

Two questions:

  1. Is this intended to be a one-time requisition from the DAO or will it be recurring? If it is recurring how often and how many requisitions can be expected? As a one-off definitely sounds feasible and managed (killer team too).

  2. In terms of transparency, would BorSec/BS be working out of a channel/set of channels in discord/server? Or would they be providing monthly updates to the DAO? Having a couple of different check ins in that six month period may help source skills from the DAO and keep the lines of communication between team and DAO fluid cough when first community call cough

All this work is incredibly important as another BAYC holder was hit:

27 likes: how many more do we need to move to Snapshot?

3 Likes

Hey ser, just to answer your questions quickly:

  1. This would be a one-time request, but upon showing how far we've come as a project and what the funds have accomplished, we might come back for more.

  2. We have Boring Security - a discord already with a couple hundred people. But yes, I would love to be part of DAO community calls where they check-in on initiatives that they have funded. That would be super cool!

6 Likes

Just for clarification, the funds requested are less than $80k. I don't think that's asking for a lot considering we'll be staffing this with a handful of volunteers.

Also, we are looking for funding from Opensea as well, but haven’t heard back from them yet either!

4 Likes

I admittedly misread the initial amount as much larger and 80k actually does sound pretty reasonable. I think perhaps we should use USD amounts and if a proposal passes then take the equivalent from the DAO treasury so the price of the suggested proposal is not in constant flux and there is clear transparency for everyone and perhaps outside investors.

That being said, what can we do to incorporate the Ape Foundation into this, even if it just says Powered By Ape Foundation with our official IP stamped next to it. This would legitimize Boring Security as official, so saying the ApeCoin DAO, and help to grow both communities.

1 Like

I would love that honestly. I think that is something I’d want to speak to the Bored/Board members about.

It might be interesting for me to go back to the drawing board and pitch a cosponsor for this AIP. Wondering if that would help progress things to a possible vote.

Also thanks for your response Papa!

3 Likes

Thanks for the much needed AIP [I will send couple of comments on the subject that I made earlier]

1 Like

AIP [S&F PPP] - An improvement proposal aiming at providing must-have management infrastructure such as policies, processes, procedures, and platforms to APES DAOs, such as information security and fraud management systems.

1 Like

I was very close to losing 0.3 ETH because of this!

I just reviewed current AIPs and @BoredApeYC Twitter! We are basically flexing while not even a tweet was published to help our community of believers!!!

I was wondering about my first AIP to be submitted! I guess it will be a security incident & frauds policies, processes, and procedures along with a new website and Twitter account for status reporting solely!

1 Like

This topic was automatically closed after 7 days. New replies are no longer allowed.

Thank you @Feld for your ideas and the ApeCoin DAO community for the thoughtful discussions. A moderator will get in touch with the author to draft the AIP in the appropriate template. Once the AIP is drafted and meets all the DAO-approved guidelines, the proposal will be posted on Snapshot for live official voting at: Snapshot

Follow this Topic as further updates will be posted here in the comments. @Feld please see your messages for the next steps.

5 Likes