BIP-46: Hypernative

Proposed: May 14, 2024

Status: Passed

Link: Snapshot

• Proposer
• Summary
• Links
• Context
• Problem
• Proposed Solution
• Rationale
• Contract Changes
• Beans Minted
• Effective

Proposer

Hypernative, Beanstalk Farms

Proposer Wallet: 0x9e0cb69ae6a5ad4eb870eb18d051efe642ed7db4

Summary

• Mint 30,000 Beans to retain Hypernative, a proactive threat prevention and real-time monitoring platform, to protect Beanstalk from exploits and augment Beanstalk Farms' security operations thru May 2025;
• Add the Hypernative contract as a module to the Beanstalk Community Multisig (BCM) on Safe, allowing Hypernative to programmatically remove functions from Beanstalk upon detecting an impending or in-progress attack.

Links

• BIP-46 GitHub PR
• Safe Transaction

Context

Hypernative actively detects and responds to zero-day cyber attacks, financial risks, on-chain anomalies to safeguard digital assets, protocols, and web3 applications from significant threats and losses. Hypernative works with some of the leading organizations in crypto such as Balancer, Polygon, Starknet, Zetachain, Linea (Consensys), Circle, Galaxy, OlympusDAO, Chainalysis and many others.

Hypernative is an active participant in many crypto security organizations and committees geared towards helping projects and the industry as a whole create new security solutions and standards, such as the SEAL 911 initiative by the Security Alliance.

The Hypernative team is well experienced in crypto and cyber security with tens of years of combined experience from companies like Microsoft, IBM, Google, VMware, CyberArk, ChainReaction, Orbs, Intel, and others.

Here are few mentions of Hypernative from protocols that were helped (some of which became customers):

• Radiant Capital
• Telcoin
• DEUS
• Hundred Finance
• BonqDAO
• MahaDAO
• Palmswap
• Jaypeggerz
• Valantis Labs
• XaveFinance
• Euler Finance

And a few public use case stories from customers:

• Liquid Collective
• Linea
• Chainalysis
• Idle DAO
• ZetaChain
• Polygon
• 3A DAO
• Starknet
• zkLend
• Karpatkey
• Quantstamp

Problem

Security is paramount to Beanstalk's success. A critical component of a robust security stack that is not yet in place for Beanstalk is a real-time production monitoring solution.

It is challenging to keep track of various new security risks and exposures. Having a dedicated team and a real-time platform to detect and mitigate these risks for the Beanstalk community is high value.

It is impractical for the BCM to manually remove vulnerable functions from Beanstalk in a matter of minutes, which is often the amount of time between malicious contracts being deployed and exploits being executed.

Proposed Solution

Hire Hypernative, and in doing so, add a Safe module to the BCM that grants Hypernative the ability to remove non-diamond functions from Beanstalk upon the detection of:

• High confidence pre-exploit detections; and
• High confidence exploit-in-progress detections.

In particular, Hypernative does not have the ability to remove the diamondCut, facetAddress, facetAddresses, facetFunctionSelectors and facets functions. The module contract that implements this functionality is non-upgradable (address here).

Vulnerabilities that have the potential for theft of funds stem from incorrectly implemented functions that change state within Beanstalk. When Hypernative's platform detects an impending or in-progress attack, Beanstalk can be protected by simply removing all functions (in this case, all non-diamond functions in order to preserve upgradability), albeit at the cost of minor downtime to the system. Over the last year, Hypernative has detected 99.5% of all on-chain attacks and in 98% of cases detected them 2 or more minutes before the first transaction of the attack.

The BCM continues to be the owner of and the sole address capable of adding and updating functions on Beanstalk. Instances where Hypernative removes all non-diamond functions will be considered EBIPs, i.e., they will be documented as such and follow the DAO-approved procedures outlined in Emergency Response Procedures.

In addition, Hypernative also offers a security and Solidity expert that is available to provide expertise and assistance regarding security incidents, bug/vulnerability disclosures, etc. and over the last several months they have worked with Beanstalk Farms on integrating the automated response system into Beanstalk. The Hypernative platform also provides real-time detection and alerts to the community regarding anomalies and risks in governance proposals, oracles, participants, phishing and/or scamming campaigns affecting Beanstalk and its participants.

For reference, the following is a comprehensive list of features that Hypernative offers to customers:

A. Protocol Security

1. Security Framework and Response Procedure Review
2. Set standard operational procedure (response & contact points) on the category of events and time-sensitivity for any security or operational case;
3. Understand and create pre-incident measures to mitigate risk and react in time (pause contracts, limit/cap protocol, blacklist addresses, move funds to a safe/vault for emergency, etc.);
4. Understand and create post-incident measures; and

5. Automatically notify Chainalysis to label attacker wallets and track stolen funds.

6. Protocol Security Alerts

7. Leverage Hypernative zero-day detection modules to detect threats and alerts in real-time on security incidents related to or directed at Beanstalk contracts.

8. Preventive Workflows

9. Work with the Beanstalk Farms to connect critical security alerts from Hypernative platform into preventive actions agreed upon based on the security framework review; and

10. Provide consultancy and verification of the entire end-to-end real-time security process and connected alerts.

11. Incident Response

12. Identify root cause(s) and suggest remedies/repairs and communication.

B. Oracles, Bridges, and related Tokens

1. Oracle Reliability
2. Detect deviations between two updates of an oracle;
3. Detect deviations between two updates on two different chains;
4. Detect deviations between on-chain and off-chain prices; and

5. Detect a lack of updates and staleness.

6. Bridge Security Monitoring

7. Provide security alerts related to bridge security incidents and risks.

8. Related Token Monitoring

9. Monitor tokens dependent on or related to Beanstalk for anomalies, market economic conditions, security, holdings concentration, and supply changes (mints/burns).

C. Phishing and Scamming Detection

1. On-chain detection
2. Detect phishing campaigns targeted at Beanstalk participants and provide alerts to warn the community.

D. Participants Monitoring

1. Monitor suspicious users
2. Monitor large transfers or movements of funds from participants in the protocol; and

3. Monitor suspicious or illicit activity or illicit funds holdings for protocol participants.

4. Monitor blacklisted addresses

5. Monitor addresses from OFAC lists or that were part of a hack/exploit/fraud.

E. Protocol Operations Monitoring

1. Monitor protocol treasury and wallets
2. Monitor large transfers or movements of funds from protocol treasury;
3. Monitor protocol multi-sig wallets for anomalies and suspicious transactions; and

4. Pre-transaction API that can simulate a transaction outcome before applying it on-chain.

5. Monitor protocol-defined parameters/invariants

6. Monitor specific invariants, functions, and events as specified by Beanstalk.

We propose to add the following disclosure to the Beanstalk DAO Disclosures:

MOST BEANSTALK FUNCTIONS CAN BE ARBITRARILY REMOVED BY HYPERNATIVE, A PROACTIVE THREAT PREVENTION AND REAL-TIME MONITORING PLATFORM. THERE IS NO GUARANTEE THAT FUNCTIONS ARE ONLY REMOVED WHEN APPROPRIATE.

The Beanstalk DAO implemented Hypernative into Beanstalk, a proactive threat prevention and real-time monitoring platform. Hypernative has the ability to remove any Beanstalk function unrelated to the Ethereum Diamond and upgradability of Beanstalk.

Hypernative introduces significant risks related to security and censorship. There is no guarantee that:

• Hypernative only removes functions during high confidence pre-exploit and exploit-in-progress detections;
• The BCM will remove Hypernative protections when necessary for the security or censorship resistance of Beanstalk; or that
• The BCM does not remove Hypernative protections when it is not beneficial to Beanstalk.

Rationale

Security is paramount to the success of Beanstalk. Hypernative has a strong track record and is the best in the industry at helping DAOs and protocols respond to exploit attempts in real-time.

By limiting the privileges of the Hypernative module to removing non-diamond functions, the only additional risk introduced is the potential for brief downtime (and in the event of downtime due to Hypernative malfunctioning, the BCM can remove Hypernative from Beanstalk at any time).

Paying the annual subscription of 30,000 Beans to Hypernative has the potential to significantly improve the security of Beanstalk, which currently custodies >$14M of non-Bean value.

Contract Changes

There are no upgrades to the Beanstalk contract in this BIP.

The Safe module proposed to be added to the BCM Safe multisig is deployed at 0x59c78c1c2b4b03b4530d5f46f02362e4a03efe4d. This module contract is owned by the EOA at 0xd7E13e49e467637D75C43D917d98d69049a19bFF, which is custodied by Hypernative.

Beans Minted

The init function on the InitMint contract at 0x077495925c17230E5e8951443d547ECdbB4925Bb is called.

We propose a total of 30,000 Beans are minted to the Beanstalk Farms Multisig address upon the execution of this BIP. Beanstalk Farms will coordinate the payment to Hypernative.

Effective

Immediately upon commitment.