Inconfido | Inconfido: Web3 Security | Round 17

Project Name

Inconfido


Project Category

Outreach


Proposal Earmark

New Outreach


Proposal Description

The Ocean protocol uses smart contracts to allow for each datatoken to be exchangeable over the Ethereum network. Some key areas of the Ocean protocol where security is of the utmost importance are:

  • The Ocean Market, which relies heavily on secure encryption practices, and
  • The Ocean Compute-to-Data, where user privacy is of utmost importance.

Any threat vectors introduced here, such as reentrancy, integer overflows/underflows, or insecure fallback functions, which are exploited could irreparably damage Ocean’s reputation and end-user confidence in the protocol.

Luckily, we have not yet seen any breaches or hacks of Ocean protocols, but the inherent use of smart contracts themselves means there will always be a risk of misconfiguration or insecure development practices. Security should not be a reactive thought once a breach has occurred. It is an all too familiar concept that Web2 has struggled with for years. We highly encourage proactive security, and security by design, as a preventative measure - not a reactive one.

Our objective here is to partner with builders on Ocean to understand common development practices and to:

  1. Create a community of security knowledge and expertise in the Ocean ecosystem, holding regular discussions with developers and ‘white hat hackers’ to share insights, information, and experiences.
  2. Provide security education and consulting about how to secure Ocean apps in the early design phases
  3. Perform R&D on tooling that can support builders identifying risks in the development lifecycle

Please see our detailed pitch deck here for more information


Grant Deliverables

  • Initiate social media plan for Twitter and Discord
  • Increase engagement on Ocean Discord with community sessions to talk about existing smart contract attack vectors, known attacks on other protocols, and learnings
  • Create a list of Twitter accounts that have good security expertise and reach out to discuss partnerships and sharing of information
  • Engage with the wider public on Twitter to talk about various security topics and domains
  • Write job specification for Content Engagement Manager
  • Create skeleton templates for security infographics
  • Perform R&D on top Ocean protocol development practices to understand existing processes and operations
  • Define list of top 5 security threats to create blogs on that will be shared and presented to the Ocean builder community

Project Description

Our mission is simple: Invisible Security in Web3. Web3 will only become successful once we have lowered barriers to adoption, one of which is security. The ideas of privacy, identity, and security are being redefined, so there’s much to consider for users when interacting with Web3 technologies: protection of their private keys, malicious smart contracts, etc. Making security invisible to users will be one barrier we can lower to allow the onboarding of users to the Web3 space and to give them the confidence to explore and engage in a secure manner.

In the last 6 months alone, exploits, scams, and hacks have resulted in billions worth of losses across the Web3 ecosystem. Our mission is to empower end users with more informative and easily consumable security education and tools to proactively secure design and development of the future of Web3.


Final Product

Our ambition is to create three service offerings:

  1. Security tooling - Starting with a smart contract verification product which we will build, we want to give confidence to the users that they are interacting with legitimate, verified, and trusted smart contracts on the Ethereum network. We will also be creating a revolutionary open source threat modelling product based on our framework to identify specific threats to Web3 architectures and applications built using the Ocean offerings.
  2. Security consultancy - We’ll want to attract and work with clients who are building on Ocean helping them consider all aspects of both ‘traditional’ Web2 security alongside Web3 concepts. By applying our established risk management techniques we will go beyond a traditional security audit to deliver effective, risk based recommendations based on threats and possible impact to end users.
  3. Security training and education - Unfortunately, the vast majority of threats still require human interaction to materialise. This is obvious with recent scams such as (enter example here). We want to create bespoke security awareness training and educational material that users and enterprises can use to better inform themselves of existing threats. We will use threat intelligence to inform our training curriculums, allowing users to stay ahead of threats and arming them with the skills necessary to spot potential attacks, and more importantly, how to safely remain engaged and active on the blockchain, and interacting with the Ocean ecosystem.

Value Add Criteria

Usage of Ocean:

  • Security is a blocker to adoption. By educating builders how to create secure and resilient applications on Ocean, it will drive more users to this ecosystem who will have the confidence to adopt these applications into their daily activities.


Viability:

  • We have a team of cybersecurity subject matter experts who have had over 30 years of collective experience in building security tooling and advising multi-billion dollar enterprises on reducing their cyber risk.
  • Over the last 4 months alone, more than $1.6 billion has been stolen from users through hacks. We have absolute confidence that our products will reduce both the impact and likelihood of these attacks, ultimately enabling mainstream adoption.


Community Engagement:

  • All three founders are active in the Web3 ecosystem, to varying levels of niche communities such as smart contract auditing, Web3 threat intel, real-time dollar cost averaging within crypto etc.
  • The full team join the Ocean working groups, town halls and other voice events to engage with the wider community and keep up to date.
  • Attended and presented both virtually and in-person at Web3 conferences and summits.
  • The team are active on Twitter, supporting other similar companies and projects. Helping to raise awareness to other great minds within the space.
  • Automating the latest Web3 security news into Discord for easier consumption for the community.
  • Public Discord to be finalised and opened to the public, allowing anyone interested in Web3 security to join, learn, participate and network.


Adding Value to the Ocean community / ecosystem:

  • Security is a key pillar of Web3. Our aim is to make Web3 more secure for users and builders alike. Secure Web3 will enable increased mainstream adoption and a thriving ecosystem.
  • Security education is lacking within the space. Our focus on education will drive attention towards Ocean which will be viewed as a pioneer in making the Web3 ecosystem safer for users.



Core Team

Jared Henderson, Co-Founder

linkedin.com/in/7ared

twitter.com/jared_inconfido

An experienced cyber security professional with nearly a decade of experience. Most recently, Jared threat modelled and advised on security for a well-established Web3 company, further helping the go to market.

Jared has a strong interest in business transformation and security principles. With deep understanding in secure design, threat management, and automation.

Youssef Hassoun, Co-Founder

linkedin.com/in/yhassoun

twitter.com/youss_inconfido

A security professional with 7+ years of experience in technical advisory. Youssef has supported global players within the financial services industry with improving their cyber security capabilities.

Youssef has a special interest in security architecture design, threat modelling and vulnerability management with keen awareness of the Web3 space.

Danny Cortegaca, Co-Founder

linkedin.com/in/danielcortegaca

twitter.com/danny_inconfido

With a decade of experience in cyber security across New York and London, Danny has deep expertise in threat modelling methodologies and helping Fortune 100 companies in securing their critical assets both on premise and in the cloud.

Danny has a special interest in business development as well as a deep understanding of threats, risks, and end user security awareness.


Funding Requested
3000


Minimum Funding Requested
1000


Wallet Address
0x1e1109d0b5C33FaCB60e6214FCc9D1198BAe9c5A


Hi,

Thank you for applying for R-17!

Your proposal has been registered into the system and everything looks great!

We have attempted to make your first grant easy to earn (you are registered in the New Entrant Earmark). I would also recommend one (or all) of the following to increase support:

  1. Saying hi to the community in #ocean-dao and sharing your proposal.
  2. Saying hi to members of the #project-guiding WG and sharing your proposal.
  3. Meet with the Guides assigned to you by the #project-guiding WG.
  4. Attend a Town Hall or Project-Guiding WG meeting to talk about your project and proposal.

All the best!

-Your PGWG Guide

1 Like

Hi,

Thank you for applying for R-17

Your proposal has been registered into the system and everything looks great!

We have attempted to make your first grant easy to earn (you are registered in the New Entrant Earmark). I would also recommend one (or all) of the following to increase support:

  1. Saying hi to the community in #ocean-dao and sharing your proposal.
  2. Saying hi to members of the #project-guiding WG and sharing your proposal.
  3. Meet with the Guides assigned to you by the #project-guiding WG.
  4. Attend a Town Hall or Project-Guiding WG meeting to talk about your project and proposal.

All the best!

-Timothy C | OCEAN PGWG

Hello! Thanks very much for the submission. The proposal currently mentions Ocean just once in its several pages worth of proposal.

This proposal seems to be requesting funds for selling existing products & services: (1) “Our smart contract verification product”, (2) “our consultancy”, and (3) “security training”. If you’re an existing business with existing products & services, please describe why you’re seeking a grant.

Second, what are some issues you see specific to the Ocean ecosystem, wrt the functionality of Ocean products and how the Ocean ecosystem is shaped? From that, please describe how your proposal augments the status quo in the Ocean ecosystem, including status quo approach used for smart contract verification etc.

Thank you!

1 Like

Hi Trent,

Thanks for your comments, really appreciate the feedback. We’ve made a number of changes to both our project and proposal descriptions, making it more actionable and specific to the Ocean ecosystem. We hope that it makes our ambitions clearer.

Please note, we aren’t an established company with functional products or services (yet!). We are in the very early stages of building what we want to ultimately become.

We hope that helps and we look forward to hearing more from you soon.

Best Regards,
Danny - Inconfido.

Hi,

Thanks for the response. Tbh your proposal still looks super generic. Saying “Ocean” a couple times doesn’t make it Ocean-specific. And I am not seeing any real indication of your knowledge of past scams that Ocean community-based has seen, existing Ocean security practices, etc.

OceanDAO is not meant to fund generic Web3 startups. There are other avenues for that. Please show how you will do something well tuned to Ocean specifically.

Thanks!

2 Likes

Hi Trent,

We’ve made significant changes to the proposal overview now to better reflect our ambitions specific to the Ocean community. Hopefully that helps to better understand exactly how we aim to bring value to Ocean.

Best Regards,
Danny - Inconfido

Hi Inconfido team!
The idea of web3 security is super important and naturally at the forefront of most minds. I do echo the sentiments before me, wondering how you plan to mitigate risk to Ocean in particular.
From what I have seen since the inception of this amazing program, OceanDAO, successful projects have been conceived after participants spent considerable time in the ecosystem, as it is vast and can be complex.
My recommendation is to visit as many community sessions as possible, come over and chat with the Ambassadors (or join!), and reach out to the many projects that are currently working off the Ocean stack. I think then you might get a better idea of if and where there may be risk, and what a solid game plan might look like for a stronger & specified proposal.

Awesome ideas!

1 Like