🌱

DAO Weekly Meeting #29

Date
July 21, 2022
Timestamps

• 00:00 Intro/Agenda • 00:49 Halborn Intro • 04:20 Seraph Explanation • 13:52 How will Seraph provide 24/7 protection? • 16:17 Seraph Demo • 35:30 Questions From Publius • 52:32 Questions from listeners

Type
DAO Meeting

Recordings

Notes

Halborn

  • Leading cybersecurity firm. Been working with Beanstalk on audits.
  • Been looking to create proactive security solutions, rather than reactive (prevent hacks from occurring rather than responding after the fact)

Seraph

  • First of its kind blockchain notary to help protect web3 protocols.
  • Adds an enhanced set of protections as we transition back to fully on-chain governance.
  • Reduces the risk of rug pools, compromised keys, and governance attacks.
  • A security notary is an information security professional commissioned to serve as a third party witness to the signing of important on-chain actions.
  • When certain protected functions are called, it will require authorization from a security notary. If the transaction is in line with all of the defined parameters, Seraph will allow the transactions to be written to chain.
  • Runbooks are explicit binding instructions on how Seraph and Halborn will respond to each specific protected function call. If all the details are consistent with those runbooks, the transaction will be written to chain, otherwise it will be rejected.
  • Notaries are on call 24/7, 365 days a year to respond in near real time to any need to utilize protected functions. There are no less than 2 certified and trained incident responders on call at any given time.
  • Seraph is smart contract native and can integrate into Beanstalk’s code with just five lines of code and a few modifiers for each protected function.
  • Once it’s set up, you interact via the Seraph front end, so no need for code or command line.

Transcript

it's um we're actually going to ship that to the latter half of this week um Mod's going to chat with Hal Warren uh special guests for the first part of the meeting and then we'll we'll switch gears later on do you want to kick it off sure thing um hi guys so we have Heidelberg with us uh this week we're going to present a product called setoff instead of supposed to be or meant to be a third party auditor for on-chan uh commits um I guess let's take it let's let's have let's have a team take it through us I believe you have something to present to us Harbor hey good afternoon this is Joe Gallagher from Halburn and we do have a few slides and a presentation that we'd like to walk you through um Rob I don't know if you're on mute maybe um and you wanted to kick us off with some introductory remarks sure happy too uh everybody uh Rob from hellborn here um yeah so just a quick FYI on how born in general we're in the lead cyber security firm we've been working um you know on your on your most recent audit reports um that'll be done shortly uh what we've been up to is looking at the space looking to see what we can do to create uh products that are proactive and um you know protective in nature rather than reactive so a reactive solution for example would be an insurance platform where oh you get hacked and now they pay you back we have established a new product line which Joe is about to present uh in conjunction with our team um which is called serif seraphin in general as you're about to see is what we are calling a blockchain security notary solution um so with that uh Joe you can go right into it and and look so I guess before we even start too I'll also say this um we are super happy to be presenting this to you all today you all on this call today are the very first people to really be seeing this um we've been working on it in the background for the last six months and uh because this is a New Concept period um we understand that you know everyone on this call is going to be full of questions so we are here to do a comprehensive QA as uh you know Q and A as well AMA as you say um and uh yeah we'll take it from there awesome thanks thanks Rob hey mod quick Logistics question do do I have a share screen capability or the purpose of this discussion and am I missing it um I believe you should but let's um I'm open to guidance from anyone who can help me fumble through this otherwise um I will be talking through the slides that we provided a few days ago yeah let's do this what I will do is I'm going to drop in again the the slides and then you can just take us through them and you know we would open them and have them hello screen let me let me drop that here I I think on a stage maybe you can't uh so it has to be a different uh all right let me do this quickly all right so I I dropped the the slide deck on in the town hall chat and the password is long halborn which I'm going to also type okay I think you you can you can take a job awesome thanks mod um again uh like Rob mentioned we are super excited to be here today presenting to you Seraph the first of its kind blockchain security notary to help protect web 3 protocols um so I am on slide two of the deck that says after careful protocol security enhancements Beanstalk is replanting so um it's not a surprise to to anyone who's on this call and the the folks within your Dow in your community your security and governance will be under significant public scrutiny as you replant later this summer a new attack would be really critical crippling reputationally and and operationally for your team um so how can we prevent help you prevent that from happening and we think we can do that with our new capability called serif like I mentioned it's a first of its kind preventative security solution designed to protect web 3 protocols it adds an enhanced a set of protections as you transition back to full on-chain governance and we can substantially reduce the risk of rug pools compromised keys and governance attacks with this capability so why halborn why should you trust us with um this type of capability well we know your protocol we know your Dev team we know your philosophy your philosophy and we are vested in your continued success um Rob Rob doesn't uh want to brag but I just want to say we we just closed a 90 million dollar series a led by Summit Partners we are attracting the best and brightest Minds in crypto and digital asset security we're a team of 100 plus ethical white hat hackers um security and blockchain Engineering expertise in nearly every protocol um smart contract Audits and security advisory work for key layer ones including salon and Avalanche and we really help our our clients and customers secure their Stacks end to end with Cloud infrastructure security devops Advanced pen testing and way more so um you know that's a little bit about us and and and who we are so let's talk about serif um have a couple slides here to to talk you through at a high level what the capability is how it works and then my colleague Mar is actually gonna run a quick demo for you so at a very high level our technology protects your protocols most important or or most threatening smart contract functions so when those functions are called with serif it requires an authorization from a trusted blockchain security notary um we review the technical uh uh details of of the specific function call and if they are in line with all of the uh parameters that you have defined for us we will allow the transaction to be written to chain so let's dig into that a little bit more so folks here are probably familiar with uh what a notary is in real life blockchain security notary not all that different it's a information security professional commissioned to serve as an organization's third party witness to the signing of important on-chain actions so what does this mean for Beanstalk right as you replant a little bit later this summer and you've made these awesome enhancements to make your protocol even even more secure we've identified a number of different functions within your protocol that are at high risk right and these are the types of functions that would come under attack um in the future from from threat actors looking to attack your protocol so how can we deploy serif to specifically protect those functions here's how it would work uh your your Dow your leadership team would provide to us a set of instructions uh defined a list of parameters under which we would allow these smart com uh these smart contract functions to be written to chain um so when you needed to call one of these functions you would interact with it uh via the serif user interface and front-end dashboard at serif.co once that um transaction request has been made the transaction will hit the serif RPC immediately our uh serif notaries who are on call 24 hours a day seven days a week 365 days a year will be alerted um those notaries will look at all of the details uh technical Financial or otherwise that are associated with the function call and they will compare those details to the set of instructions that are provided to us by the Dow by the team um in the runbooks that we've established that are specific to each function um if we find that all of the details are consistent with those run books we will allow the uh transaction to be written to chain if there are any details that are inconsistent with the runbook we will reject the transaction and it will be reverted so I'm now on the slide that says what what is a Seraph run book um run books are really the most critical component of the serif capability that we built out like I mentioned they are explicit in binding instructions on how we serif and halborn will respond to each specific tariff protected function call um we have set up an escalated uh risk prioritization criteria um type 1 type 2 and type 3 function calls so type one think emergency withdrawals type 2 think a little bit lower risk but ownership changes and and contract upgrades type 3 lower risk more regular function calls thresholding changes a run book and our response to uh each uh each protected function call um is unique so when we are processing a transaction on your behalf serif notaries will look holistically at all of the details of a given function call and the associated run book um like I mentioned a little bit earlier our notaries are on call 24 7 365 able to respond in near real time to any need to utilize serif protected functions and just to sort of synthesize all this really what the takeaway is for the runbooks are they allow us to very easily identify fraud or other types of of advanced protocol attacks right and we can prevent them we can stop it from happening slide um six I think it should be in the deck but uh now on the you know serif serif is a smart contract native and we can integrate it into beanstalk's code with just a um five lines of code and a few modifiers for for each uh function you interact with serif via front-end dashboard no command line or code needed so once we've got that all set up and we've got serif activated and we're protecting your protocol uh I'll walk you through end to end the process of how this would work schematically right so you will go to the serif front-end UI you will sign a transaction and uh that transaction will create a unique permit with the serif smart contract immediately upon that happening are serif incident responders our notaries will get an alert and within that alert they will have all of the details technical Financial or otherwise within that uh protected function call they'll evaluate it they will look holistically at all of the information they will have a Keen Eye for things that just don't don't quite fit um you know remove all funds to a tornado cash account um other types of things that are very indicative of fraud or nefarious activity they'll be on the alert for if the transactions are consistent with the play with the runbook that you have provided to us the notary will approve the transaction and it will be executed and written to chain if there are details if any of the details are inconsistent with the runbook that you provided to us we will reject the transaction it will revert and obviously depending on you know the specifics we would immediately contact the team and work with you to figure out what what's going on so I'll pause there and see if we have any um kind of questions from the audience um and then the next phase will be I'll hand it over to my colleague Mar and she's going to do a demo live but let me pause there and just see if we have uh any questions thank you Joe we have one question uh that's uh from the community and the question is how will halliburon provide 24 hours you know 305-6 days uh um system would it be automated or will someone someone be there would it be like mad stuffed absolutely so we have built out a team of trained and certified um individuals with blockchain cyber security and operations expertise so at any given time there are not less than two certified and trained serif incident responders on call who can immediately evaluate and respond to serif protected function calls okay so just just to clarify that or confirm that it will be humans who will yes I'm sorry that I'll be way more explicit yes two humans on call um evaluating and responding to protected function calls that's good thank you okay let's let's move uh to the other channel of the dial presentation Channel that's right above the town hall and and that will allow us to screen share so that we see the demo and then we can take further questions sounds sounds good with everyone sounds good we'll move over there thanks everyone thank you okay let's give it a minute to see not everyone has moved yet and also let's just confirm that or check that we're recording and this channel as well foreign are we recording here okay great all right we we can we can start then with the demo if you wanna if you want to screen share yeah just let me so right now you will be seeing yourself hi I'm Mark then everybody sees me we can see it or we can see your screen yeah so uh I'm Mark from Humber and I'm gonna do a live demo for you first thing that is what I have open I'm gonna show how you can integrate how it looks on the code and then I have prepared a demo using the emergency commit function we are gonna see how the attacker didn't he actually deployed upon drug and made all the operation there the only thing we have not implemented is the the all the swaps but we actually surpassed the requirements and um can do the emergency commit on on the Biba and we are gonna see how Seraph can actually prevent that then I'm gonna show you how to interact with setup with the front end and how you can deactivate it off because it was communicated to us that some of you were WS in case you didn't want to set up anymore it's no problem at all it can be deactivated and it works like a normal function so here we can see the governance facet contract I'm doing the great setup you only have to inherit it like you do with contract from open sibling and other repositories and then um not sure if you're because we're still seeing the the Discord screen let me sorry um I think one thing you can check is that when you when you're choosing which screen don't choose a window choose an actual screen [Music] and you see the the goals yes thank you so yeah I was saying that you can inherit it like you would like a erc20 contract or or any other open sampling contract and then on the function the only thing you need is this modifier which is we set up okay so I have prepared a demo we I'm gonna show here for the purpose of this demo the con this contract is payable so I'm gonna transfer some either and we are gonna see how it can be drained so here's the demo we're connecting to the provider and sending some letter to the contra yeah nope so we have already there on the Contra and then we are going to actually start preparing that we are gonna simulate a big proposal here it is this is this is the it was the same type of beep it was presented of that dot we also pass inductive requirement because it's supposed to be one day but we don't have one day to wait and now we are deploying the attack we are I'm Gonna Change to this window which is the interesting window it it this is only beef for the analyzer and here we can actually see what happened so the the incident responding which actually take the simulation of the transaction to see which which contract interact which function function it's called and how the state change just a moment they're more problem sorry now so we have the contract this is my my malicious contract this is a governance facet and this is set up we can actually the book what happens the here we see that we sell the total roots and the set rules to simulate the first long attack we can both and all the requirements on the vote function our pass and then there is the emergency commit which is the interesting function this is a track setup modifier and here we can for example say how the diamond is created here we can actually see and then the the value of for example this variable which is the the beep we can see that the period The Proposal which is my address the root it has a 80 over 100 and the timestamp okay that's good to know and yes yeah and then the resting part is this one okay at here it see that it has code and it executes the data so we are able to see this is my my attacker contract I'm gonna drain all the funds but uh before that we can actually see that here the balance is this we can actually take it here also but when the when we pass this instruction we see that it changes so it's draining all the balance from the contract we don't want that so for this first try I'm gonna reject the transaction and we are gonna see how it will react if everyone is okay with them can I add one or two uh points before you go on yeah sure so the The View screen that Mar was just sharing with the tenderly simulations is exactly the view that our notaries our incident responders will have as they're evaluating any uh serif protected function call that that comes to our desk right so the evaluation looking specifically at the technical details of the call and how that would execute and manifest itself on chain if we approve the transaction that's exactly what she just walked through assassin we are going to tap here I I actually knew where I have to go but we are going to check all the stock price and check that it complies with the runbook that uh there is no a state change like a adrenal of balance or a governance attack and those kind of things in this case I just go quickly because if I actually show the this entire statutory it will take a while but we are we are taking everything before that so I'm gonna react this one and then I'm gonna accept one interacting with the with the front end just to show you and to show that effectively here it's reverse and then it will drain all the funds so I'm rejecting and I'm sending so one thing I'll say really quick about this while we uh let it append um when we do this approval and rejection this is uh being sent into the the in our a private RPC mempool to be able to simulate and look at what the results of these uh the executions are you know in this particular one and it's written completely transparent to the chain this isn't this isn't like a multi-sig that were you know co-signing with anybody it's it's purely independent contract of serif that's doing the rejection approval and writing it directly to chain uh transparently so think of it as a a prevention system exactly with so we are actually not able to to drain all the ether now we are gonna do it again with the front end so I'm gonna prepare if you don't match the the student this and now I'm gonna just do everything except for the Emergency commit that we are gonna do on on the front end just to show you how to interact with with Sarah from the front end and the really awesome part about the Sarah front end and and the way we've designed it is that it's very transparent so members of The Bean Community can see which specific functions are protected by serif and you know we we see this um the benefits in in two ways one the community knows that it's protected and two there's a deterrence factor for any type of malicious threat actor who says hey you know I don't want to deal with all this Sarah protection I'm just gonna go find another protocol to hack because I don't want to deal with it so um you know that that's the way we've designed and thought about the front end and the user interface sadly and you can see we support a different range of of networks right now we have the the test net ones what once we deploy will have the maintenance and it's very simple you can connect and disconnect your wallet now I'm connected with panda mask and now we have the B by this five that's what we are gonna provide we are actually setting the the vote and and the beans like the attacker did and once we finish voting we can do the emergency commit now we have bone and now we can just introduce here everybody click submit s sometimes takes a little while to load but it's normal now man as you see the telegram we are actually on go like like Joe said 24 7. every hour and we have like different uh alerting channels so we have all the information in a great London way if we go to the to the admin we are gonna see the transaction pending for approval remember that now we have to answer because we have when zero point six zero two right and we are going to approve and send the transaction now they're going here let's wait a little bit for it to be actually immune okay no [Music] let's see yeah we can actually see info about the transaction also and we can check if it's already mine you see now it's a success so we are gonna check again now you have zero either so the transaction the malicious attack actually went through and now I know a lot of you have a I were worried in case Seraph is not for you and what will happen if in a future you want to deactivate it so I'm gonna show exactly how we do that we have here the contract address and the function selector and just we will change the protection to false and we can actually launch the first test and we will see how it goes to the one point I want to make here is as Mars showing this portion of the demo is in talking to you know Publius and some of the other members of the Dow team earlier this summer you know we understand the the concern and the focus on censorship resistance and decentralization so uh we took that feedback and said hey how can we how can we meet that need and you know have a capability that you know we can uh turn off serif or um you know allow allow transactions without serif to go through and so we took that we took that to heart and and really thought about how we could design a secure architecture that would allow that to happen that's what Mars showing right now exactly so we we have the probability of um of deactivating it and right now I'm using the Sera third PC so we are gonna actually see here in the in our sorry in order I mean uh panel we are gonna see that the transaction has no sort of interaction but if you want I can do another one without the set of RPC and they are not gonna even show here for example with an infra provider like you will normally not so now it's the it's deploying data and it's mine we are gonna see here that we have no no transaction that interact with setup and that the adapt was actually went through and what this is showing because this solution is its smart contract native you know this isn't um a centralized Solution that's the living you know externally it's on chain within the contract this is a way to you know allow it to pass through if if we need to uh you know bypass the protection in the future for for some reason but you know because it's it's smart contract native and we're not sharing keys or co-signing with you all um this is a you know it's a it's a backup solution in case there's anything here so uh it's it's a way for everybody to feel comfortable but should it be integrated you know you can think of of halborn and serif as part of the Dao you know where another member here that's going to approve it but worthy a set of eyes as as Auditors to make sure that from a technical standpoint everything is working as the Dow expects and to to to dive into that a little bit more so uh this feature is very neat and I think just to restate it the concept is since the the commit and the emergency commit functions for example are highly likely to include Seraph it becomes impossible to upgrade the contract to remove Seraph without the approval from sirat and so the question then becomes how to make it such that uh it to to make it such that Beanstalk is truly permissionless and sensitive to persistent that you guys can on your end turn off the functionality to effectively facilitate Beanstalk to continue uh independent of Seraph and so the question is can you maybe try to uh highlight for the Dao and I I agree we we all agree that it's unlikely that that happens anytime in the near future but under what type of scenarios you guys can see that happening and then more more particularly what would the procedure look like internally on your guy's end to make sure sure that uh you know the halborn isn't standing in the way of the will of the Beanstalk dial let's call it yes so Sarah each each function inside of the contract that serif is protecting is individually protected um in the beginning Mar showed a modifier that says with serif that modifier it's not a the entire contract is now covered with serif and and you know it needs to be all of it it's one function so you know we can have just emergency commit and that's it any other votes or doubt proposals anything that's not uh you know decided to have that that modifier um will completely be uh you know out of the scope of of serif coverage uh so that's that's one thing to consider there and the the bypass for that you know if there was um you know Dow proposal to be integrated with this just like what we're showing now uh you know if there is you know by the governance and the doubt to say that Sarah should not be covered then that proposal would be implemented and we would then turn on the the bypass to allow it to act as normal without any serious protection whatsoever yeah I was just trying to show that if you don't use this they set up your PC transaction are not even attract to us so it actually works like a normal con contract um yeah one way to look at this too to think of Publius is uh you know with serif integrated on a function yeah it's almost like a dynamic ad hoc per execution security audit you know so rather than having to make sure the audit is right and then put it on chain and now every time a transaction on a high priority or sensitive function is executed um you know we simulate and look to review to make sure it's in an audit that to make sure it's correct um so so that's one way to look at it too is a preventative Solution on chain and can you imagine a scenario that halborn would be unwilling to execute the will of the being stalked out that we are completely objective yeah we would be part of part of your Dao on this and that's what that run book Joe explained um in the beginning so the Run book uh when we choose to the functions that are covered there we will have very explicit instructions that are objective on exactly what is uh should be or should not be uh executed and are those run books public or uh like how does that work will the Dow be any member be able to or anyone member of the public be able to view the Run books on the Seraph interface or are those private this is uh the Run books are are managed uh by the serif operations team so the 24x7 uh team that is doing the instance which are also set up with escalations higher priority functions require you know extra eye so there's no internal uh internal mistakes or you know approvals that shouldn't have been there and you know those run books also can be provided on in a private you know Beanstalk Discord Channel or something too so you know it's known on what is a pass or fail execution and and you guys what do you do you recommend that the Run books are remain private that they should be accessible to anyone that wants to see them like what are what are the thoughts no this is your decision from a security standpoint um if you have a run book uh that shows like this is the you know the criteria that allows and accept you know that can be used as information by an attacker to try to almost like social engineer their way through it uh and it depends on the sensitivity of the function you know run books are you know they're each one is different depending on which function is protected so if you have a run book um you know that has very specific details or specific balances let's say an emergency withdrawal is every Sunday at this time there's going to be only 100 uh beans allowed to be withdrawn so we know that that's exactly what should happen at that time if it's any less anymore any different time it's going to be rejected um something that may be a bit more intricate you know the different users or something like this proposals maybe they could use that information to fake a proposal that's you know looks and try to trick the dial or you know trick um you know approvers into it so it's a case-by-case basis you know we're here as we work through runbook creation to decide what you what you would like to do um we're just here to make sure only expected transactions get ever executed on those on those very sensitive functions so does that make any sense any other questions about that one too yeah the runbook is uh what's done each time and we can always add uh add extra detail to that you know through the Dow and when we make decisions on which functions should be covered foodlius in the same way that notaries are on call 24 7 365 to respond to uh protected function calls they're also on call to change aspects of the Run book right so let's say some new criteria comes up and the Dow expresses a desire to change some parameter of our own book we can also update that in in near real time as well so it's a living breathing uh set of instructions uh that we follow and it's very much dictated To Us by the Dao by the community foreign so another question that I see popping up is uh around one of two scenarios one is the instance that halborn uh shuts down or goes out of business which uh in light of your guys recent series a it seems less likely in the short term big congrats on that front uh but B uh what if the you know a government sent you guys a cease and desist that said you know Beanstalk is uh you know illegal in some capacity and your work with Beanstalk is therefore illegal and you guys are unable to perform any actions associated with beanstalker the Beanstalk down going forward can you just walk us through how uh siraf is currently set up you know in that situation and how we could ensure that Beanstalk going forward is not inhibited by that yeah sure I can answer that one um so uh one of the uh scenarios that Mara went through the the second one on setting up the bypass so this is something if if there was any type of situation where we would not be able to prove we would never be you know blocking this uh we would just you know kind of say okay we're done and turn it off to false and turn it back into a transparent proxy by adding that is protected function to false so she has shown that that's an admin where the switch is turned off and it's a complete uh transparent bypass for that we don't have keys or access to your contracts at all there's nothing that we could do to you know modify change or withdraw or stop something that's there this is um you know it's a completely separate contract uh only that imported modifier uh on that function calls is there and we have only access to the approve and reject there's no this isn't like a gnosis multi-sig where we're you know we have to find something together with you um in fact this can cover uh gnosis multi-cigs as a as a layer of additional security so this is uh you know this is what we would do and I I give the comparison off into something like cloudflare you know cloudflare it sits in front of every website uh and they're they're monitoring and making sure that valid transactions are there ddoses don't happen uh you know cloudflare is not there to stop good things from happening for it they're there to add a layer of protection foreign will still have to turn the switch off yes because if uh you know if there's a hack from the inside you don't want the hackers to turn the switch off okay it's a notary yeah it's like the um objective like an independent uh witness for the transaction signing can you help us understand why what halbern come turn the switch off if you know our government asked them not to turn that switch off the government well I mean the governments would tell us to turn it on or off as if we turn it off for them because of a mandate it's not going to impact you guys you uh you would be known about that too and you would see that transaction uh occur as well um but this is we're an objective independent you know third party we're not there to prevent or turn it off it's you know we consider as part of the Dow for this and we would just choose not to participate inside of the you know the organization any longer understood but just but just to be clear let's say you know it's not it's not like a seasonal desist it's like you know enforced physically then no one no one can turn it off and this means that you know uh um Sarah would always be a blocker uh for for the doubt is that correct yeah how born you know we we wouldn't be a blockchain security company if we were you know to do that type of activities here yeah we're uh yeah we're just like you guys we're here to prevent this stuff and you're not we're not a private company and not a government agency I understood but just just to be clear it's still that the switch still has to be turned off by halborn the Dow has no you know ability to turn it off themselves yes yeah this is protected is by the notaries you know so that it's like giving the you know the keys to the safe to the per the bank robbers so it has to be uh you know the notaries would only turn off the functions that are protected not the whole contract is it possible to have a function that takes off the keys and this is the only one that is bypassed by setup but but not others is this something that can be done or or not yeah that could that that could you know anything is possible if it's a if it's a function in a contract it could be you know covered with serif so you know this multi-sig example uh a a good example of that one is you know let's say you have two of three signers that you're using right now and you know the the down and Beanstalk is worried about you know somebody changing that from you know two of four signers uh so this could be a protection for add add admin signer you know in the gnosis function to make sure that it's not a majority attack you know within within gnosis itself to kind of vote people out of uh out of the multi-sig so anything that's has to do with a a function can be can be covered with this and it can also be turned off um if it's decided to you know make it not protected any longer populist can you maybe take us through the scenario of having a function that only what only does is remove you know the set of Rights um and and have that you know be controlled uh by multisig what's the benefit or or what are the risks from that well the the first comment would be that you don't you probably don't want anyone to be able to call the function to remove Sarah because otherwise it kind of removes the whole benefit of having serif in the first place if the you know there's some sort of ability to remove it by a malicious actor now if instead of that uh there's a unique function that uh is permissioned and can only be called by a specific address or a couple of addresses and those addresses are uh controlled by community-run multi-sigs that is uh that's an a clear option to avoid the potential that halborn has the is the gatekeeper and refuses to get out of the way of allowing the Dow to execute its will but on the other hand that does allow for a different another social engineering Vector through which the Surat functionality can be compromised so everything needs to be evaluated you know I it in comparison to the other options and I think the multi-sig that has control over the Seraph functionality is it's an interesting additional layer here and you know uh First Reactions that don't don't see any obvious problem with it yeah I agree you know that when it comes to Security in general not just with with with Beanstalk or Dao there's uh it's it's the risk appetite like what is a lower risk and what is the what is the higher probability of happening you know is the is the risk higher to have no prevention and you know go back to how it was before um or is the higher risk that you know halborn who who is you know partners with you doing auditing and helping to protect is going to align with a government to shut you guys down that's uh so a smart contract hack or you know government mandate to a private company so that's that's really what do you think is the is riskier okay where the setup hosted um is there a possibility for downtime you know for for whatever reason so serif um all of the the functions you guys see this is all on chain um that front end uh maybe Mar if you want to share your screen again um you'll be able to show as a user maybe you're not a signer use you're a Community member and you want to see um if a function is protected with serif you'll be able to um you know go to this and this emergency commit function um you'll be able to go to the Beanstalk demo it links right the back end of this is the blockchain that's the contract addresses for it and if you go into the contract address you'll see the functions here uh you you know these are all on etherscan and you can verify it on the code so this this all lives on chain the part that is um off chain and where that is hosted is our the RPC it's pretty much the RPC just like in fira you know halborn runs our own our own version of inferior just to simulate the transactions before it gets written to chain as a intermediate proxy so up top on your metamask um or maybe you can show this uh this is that this is you know what we mean by that that proxy uh like writing to inferior or writing to a test net you'll see where it says serif V2 Dev so this is how only for contracts uh functions that are protected um it'll this goes to the um the RPC serif endpoint that's it just like it does for polygon or or rinkabye for any of them this is uh there's there's now one for serif flashbots has one as well um so these are you know it's a mempool yeah so that's the uh that's the component here understood thank you um going through some of the questions one part of I'm not sure I understood your question so maybe if you can rephrase it um we can address that otherwise there's another question on who who's paying for that that would come out from the Beanstalk Farms budget so being so Farms will be paying Halliburton for for the set-off services oh yes so as far as pricing goes um you know we so Beanstalk is currently a client of ours and we're rolling this out just to our clients at this time um so the actual pricing is based on a SAS model it's a monthly fee um because you are currently clients of ours what normally is going to be charged at 25 between 25 and 50 000 a month is being offered to the Beanstalk community at 10 000 a month so this is purely you know you're paying for our service with this um so that's the that's the explicit price per month it's ten thousand dollars thank you thank you for uh for that um how are the Auditors I guess less question from my side how how are the Auditors um like chosen within with them I didn't mean chosen itself is it anyone who has access I don't like uh in Harvard can approve uh um you know the transactions or is it a select people will have that Authority yeah absolutely so yeah it's a select individuals that are trained um the way hubborn is organized internally um we have over 100 security engineers and they are very specifically trained in you know blue team as notaries instant responders versus you know pen testers you know Auditors uh and on evm and solidity so the ones that we'll be signing this are specifically uh trained to know the platform they are the ones on call and there's three priorities so the sensitivity of the functions if there's a critical you know withdrawal the entire Vault type treasury function that's not you know we we do our own risk mitigation to make sure that's not done by you know one person who uh has a hangover from the night before or something and just hits yes because they're tired now we make sure that there's checks and balances get second eyes and approvals we have escalations the 24-hour on call we use you know systems that are very stable and used by you know large Enterprises like pagerduty slack Integrations telegrams there's backups so all of the all of the operations is set up in here by trained individuals that are managed by security operations team so so just to confirm our understanding would it would they have like special keys and only those people with those keys are the ones that are allowed to approve the transaction or is it like you know a PC and whoever is sitting behind it yeah so it's not yet the the approvers of the transaction we actually we have triple Factor uh access to that so the dashboard that we're showing of the approval rejection is accessed only through a internal VPN system uh and then that once you have the VPN system it's oauth of you know two-factor authentication from the halborn domain and then you have to have the correct roles uh assigned within that oauth authentication and the password of course for it too so I'm actually wrong it's four Factor authentication to get to the dashboard foreign maybe I'm asking other questions about the same thing so at the end of this factor of authentications is to eventually get access to the dashboard uh can it can can the dashboard itself be compromised so you know instead of having those you know authentications the server itself or or the dashboard itself just gets compromised yeah the only the only compromise of you know how that would happen would be from within halborn and you know how we're herself our engineers and we've been around for three years and we do uh we do full background checks um we have uh monitoring uh inside of our systems that we do for all activities and there's no single individual that can uh could do something on their own the there is no key that we have access to you know like a private key that somebody could steal to sign something um and so the the risk is is extremely low um the only thing that they would do is you know reject or approve transactions uh you know against the will but that's something that critical transactions have multiple uh levels of approval and escalations for okay thank you um I think we are at the end of the Town Hall uh questions as well if anyone has a question that hasn't been addressed or if you had a question that I missed please please feel free to drop it now foreign team will be hanging out in the Discord um you know look like as as I said at the very beginning of this meeting um this is kind of the first of its kind and we're presenting this to the Beanstalk Community as really you know as Cutting Edge as it gets um you know you're the first people to learn about this frankly this concept um and you know we're here to answer all the questions you know get all the feedback but this is something that we've personally been battle testing for the last um six months internally and so yeah we're just excited to be able to present this today it's it's a long time in the making so in general really wanted to thank everyone yeah yeah we want to thank you guys too I mean Beanstalk you guys trust us with with your auditing and code you know we look at all of the logic and the smart contracts before you know you they're developed and put on the main net and most tools now after something goes on mainnet the only thing that you have is you know reactive tools you you can respond to it after it's happened or you see it happen on the transactions why you know why it's serif is first of the kind and Cutting Edge as Rob says is you know this is the first uh you know decentralized non-custodial prevention so this isn't about you know responding after the after it's already happened this is you know stopping it before it even happens thank you guys we appreciate your time um on coming here and accommodating all of our questions uh we think setup is is a pretty interesting uh product um you know the team would be discussing it uh seriously thank you very much for for taking the time again thank you okay hey thanks everybody cheers thank you guys this was really cool and a first of its kind down meeting so uh very fun awesome man Rory Pioneers for Everything's Awesome no I had a great time thanks Peter this well if everyone's got time uh my Let's uh maybe we'll still do a really quick 15 minute update uh on on what we're tackling uh throughout the battle if that makes sense I I unfortunately have another called J dubs same same here so uh perhaps uh uh you know now as we approach replant maybe we need to re-extend these uh meetings but uh I think that'll probably be it for today okay that sounds great yeah we'll just leave updates uh in in the town hall chat or something across the top so thank you guys thanks everyone