Proposed: December 31, 2022
Status: Failed
Link: Snapshot
Halborn, Inc. and the Beanstalk Seraph Committee
Halborn is a team of 100+ award-winning ethical blockchain hackers who focus on securing their clients’ full stack end-to-end. Trusted by Solana, Near, BAYC, Ava Labs and many more. Halborn has completed various security audits of Beanstalk and continues to audit BIPs as they are developed.
Seraph is a non-custodial blockchain security notary (BSN). A BSN is a cybersecurity professional who serves an organization (centralized or decentralized) as a third party witness to the signing of important on-chain actions. A BSN’s main purpose is to deter fraud and prevent attacks.
Proposer Wallet: 0xf1a621fe077e4e9ac2c0cefd9b69551db9c3f657
Security is paramount to Beanstalk's success. Beanstalk is a complex DeFi protocol that can be vulnerable to attacks that are not always caused by code flaws or detected during audits. Losses from DeFi protocol exploits continue to grow. The Beanstalk DAO should do everything it reasonably can to avoid another hack.
Under the current Beanstalk governance structure, only a single multisig (the BCM) needs to be compromised in order to corrupt Beanstalk. Implementing Seraph with no other upgrades to Beanstalk governance would make Beanstalk less resistant to censorship, because a Seraph notary could refuse to approve legitimate owner function calls, including a passed BIP that removes Seraph itself.
A governance structure with a separate multisig that can remove Seraph mitigates this concern and, combined with Seraph, increases both the security and the censorship resistance of Beanstalk. We propose implementing Seraph into Beanstalk as an extra line of defense against hacks or other destructive actions, and incorporating complementary changes to Beanstalk governance.
Beanstalk governance, the BCM Process, the BIC Process, the Immunefi Bug Bounty Program and the Beanstalk DAO Disclosures can all be updated to reflect the current state of Beanstalk and its ecosystem, and in particular the implementation of Seraph.
We propose paying 10,000 USDC per month for Seraph for 6 months from the Beanstalk Farms budget.
The Seraph platform can protect up to 25 of the highest risk smart contract functions embedded in Beanstalk. The Seraph code modifier protects 7 of the highest risk owner functions in Beanstalk:
diamondCut
whitelistToken
dewhitelistToken
unpause
transferOwnership
createFundraiser
addUnripeToken
Seraph provides 24/7/365 services to review, analyze, and permit or reject any calls to these functions according to the appropriate Runbook(s).
Seraph notaries are required to process any function calls according to the specific notary Runbooks of rules and procedures.
Each of the 7 Seraph-protected functions has a unique Runbook which establishes the rules and procedures for Seraph notaries to process transactions that call the functions and the priority and risk of each function. The Runbooks for each protected function shall remain confidential between Halborn and the BSC.
The details about transactions that call protected functions and whether they have been reviewed, approved or rejected by the Seraph notary are publicly viewable via the Seraph Dashboard.
We propose forming the Beanstalk Seraph Committee (BSC), an anonymous group of six reputable community members and Beanstalk core contributors. The BSC members were selected by Publius.
The Beanstalk Seraph Committee Multisig (BSCM) is the only wallet that can remove Seraph from Beanstalk. The BSC members are the only signers on the BSCM. The BSCM is a 4-of-6 multisig deployed using Safe.
The BSCM cannot call any of the owner functions of Beanstalk; only the BCM can. Publius attests that only a minority of signers overlap between the BSCM and the BCM.
Seraph notaries have created the Runbooks in collaboration with the BSC to implement and activate the Seraph protections as effectively and safely as possible. The BSC has approved initial Runbooks for all protected functions.
The BSC can work with Halborn to update Runbooks at any time, but must sign a transaction verifying the new Runbooks for the change to be valid.
Seraph may be deactivated at any time via BIP. However, in instances where Halborn is unwilling to commit a passed BIP that removes Seraph, or where Seraph must be removed for the security or censorship resistance of Beanstalk, the BSC is responsible for doing so.
On the Seraph contract, the BSCM can call the removeSeraph function, which initiates a 24 hour timelock. After the timelock elapses, the BSCM can call the executeRemoval function, which removes Seraph from Beanstalk.
BSCM Signers shall follow the best practices outlined below. It is of paramount importance that Beanstalk limits key man risk by implementing best practices with respect to multisig key custody. Signers are expected to:
In addition to the above expectations, Signers shall follow the BCM’s wallet security best practices:
In the event that one or more Signers are compromised, unresponsive or attempting to violate the processes outlined in the Responsibilities section (or a Signer voluntarily chooses to be removed from the BSCM), the BSCM will rotate them out of the wallet and replace them with another Signer. Emergency changes to the m-of-n configuration of the BSCM that are made to protect Beanstalk do not require a BIP.
Off-chain governance introduces significant risks related to security and censorship. The BSCM is designed to mitigate as many of those risks as possible by distributing the multisig keys across reputable community members and Beanstalk core contributors, and collectively implementing and adhering to BSCM best practices.
The most significant risk associated with off-chain governance is the potential corruption of the BSCM (and BCM). In order to minimize the chances of this, the Signers are anonymous. The anonymous Signers have been selected by Publius. Signers are anonymous to each other as well, apart from Publius.
Under this structure, it is important to acknowledge the risk of anonymous key holders conspiring to attack Beanstalk. Because only Publius knows the identities of the anonymous Signers, Publius is the main attack vector: if a malicious actor were to compromise Publius before conspiring with Signers to attack Beanstalk, they could be reasonably sure that their identities would never be revealed.
In order to mitigate this attack vector, the BSCM will institute the following process whenever the m-of-n configuration of the BSCM is changed:
The BSC Process can be read here.
We propose the following list of changes to Beanstalk governance:
The updated Beanstalk governance process can be read in the new Proposals documentation here.
We propose the following list of changes to the BCM Process:
- Add the addUnripeToken and addFertilizerOwner functions to the list of owner functions, for completeness;
- Require that BIPs calling diamondCut have a Contract Changes section that, at a minimum, lists the facet and Init contract addresses that the diamondCut calls; and
- Require that BIPs calling diamondCut have a Beans Minted section that describes the number of Beans minted by the execution of the diamondCut.
The updated BCM Process can be read here. The guides for uploading verified message signatures to Arweave can be read here.
The following is a list of proposed changes to the BIC Process:
The updated BIC Process can be read here.
The following is a list of proposed changes to the Immunefi Bug Bounty Program:
The updated Immunefi Bug Bounty Program can be read here.
The following is a list of proposed changes to the Beanstalk DAO Disclosures:
Add the following disclosure about Seraph:
MOST OWNER FUNCTIONS OF THE BEANSTALK CONTRACT ARE PROTECTED BY SERAPH, A BLOCKCHAIN SECURITY NOTARY SERVICE, IMPLEMENTED BY HALBORN, INC. THERE IS NO GUARANTEE THE RUNBOOKS FOR SERAPH PROTECTED FUNCTIONS ARE FOLLOWED OR THAT THE RUNBOOKS HELP PROTECT BEANSTALK. THERE IS NO GUARANTEE THAT SERAPH PROTECTIONS ARE ONLY REMOVED WHEN APPROPRIATE.
The Beanstalk DAO implemented Seraph into Beanstalk, a blockchain security notary service offered by Halborn, Inc. Every function protected by Seraph requires a Runbook. Runbooks are the set of rules and procedures for Seraph to process transactions that call protected functions.
Seraph notaries created and maintain the Runbooks in collaboration with the Beanstalk Seraph Committee (BSC) to activate and implement the Seraph protections as effectively and safely as possible. The BSC's other responsibility is serving as signers on the multisig that is the only wallet that can remove Seraph protection from Beanstalk. The BSC members are anonymous and were selected by Publius. This process was approved via governance.
Seraph introduces significant risks related to security and censorship. There is no guarantee that:
Add the following disclosure about the Beanstalk Subgraph:
THE APP.BEAN.MONEY FRONTEND DEPENDS ON THE BEANSTALK SUBGRAPH FOR DISPLAYING VARIOUS ON-CHAIN DATA. THERE IS NO GUARANTEE THAT SUBGRAPH DATA IS ACCURATE.
The Beanstalk UI hosted at app.bean.money depends on the Beanstalk Subgraph for displaying data, particularly on the Market and Analytics pages. The Beanstalk Subgraph is primarily developed and deployed by Beanstalk Farms.
By default the Beanstalk UI uses a version of the subgraph hosted by Beanstalk Farms, which can be censored. The subgraph that the Beanstalk UI uses can be adjusted in the settings.
Add a note about the Beanstalk SDK being unaudited in Disclosure #19; and
The updated Beanstalk DAO Disclosures can be read here.
Technical analysis of attacks on DeFi protocols over the last 12 months indicates that both the number of attacks and the value lost to them are increasing substantially.
With Seraph, Beanstalk can deter additional attacks on the protocol and disincentivize attackers by making an attack more difficult and costly to conduct. The fee for Seraph is substantially lower than the projected operational and reputational costs of another attack. Once Seraph is active, calls to the protected functions are reviewed by a notary before they execute, so attacks that rely on those functions may be stopped before they are executed on-chain.
As Beanstalk returns to on-chain governance, the Beanstalk DAO and BSC can continue to work with Seraph as an extra layer of defense.
Implementing Seraph with no other upgrades to Beanstalk governance would make Beanstalk less resistant to censorship. By implementing Seraph alongside the formation of the BSC, both the BCM and the BSCM must be compromised in order to corrupt Beanstalk, and censorship resistance is preserved until on-chain governance can be reimplemented.
Runbooks for each protected function remain confidential between Halborn and the BSC in order to mitigate potential manipulation of Beanstalk by malicious actors.
BSCM Signers are anonymous to minimize the potential corruption of the BSCM from an outside party.
The other proposed changes to Beanstalk governance (such as the introduction of Voting Stalk, the requirement to meet the proposer Stalk threshold at the end of the Voting Period, etc.) all complement or supplement the introduction of Seraph.
The proposed changes to the BCM Process significantly increase the quality of documentation for and the permissionlessness of the BIP and BOP proposal processes. The BCM Process must be updated to reflect the Beanstalk governance changes proposed in this BIP.
The proposed changes to the Immunefi Bug Bounty Program further refine what bug reports are considered valid and how the BIC determines practicable economic damage, which improves the bug reporting experience for Immunefi whitehats. The proposed changes to the BIC Process significantly increase the quality of documentation for the BIC operating processes and gives the BIC more flexibility in updating the Immunefi Bug Bounty Program. The formation of the BICM allows the number of remaining Beans approved by the DAO to be minted for bug bounties to be queryable on-chain.
The proposed changes to the Beanstalk DAO Disclosures reflect the implementation of Seraph and the current state of Beanstalk development tooling.
The Δ symbol indicates that there is a proposed change in functionality.
The following DiamondCutFacet is being removed from Beanstalk:
The following DiamondCutFacet is being added to Beanstalk:
DiamondCut Function Changes

| Name | Selector | Action | Type | Δ |
|---|---|---|---|---|
| diamondCut | 0x1f931c1c | Replace | Call | ✓ |

DiamondCut Event Changes: None.
The following WhitelistFacet is being removed from Beanstalk:
The following WhitelistFacet is being added to Beanstalk:
WhitelistFacet Function Changes

| Name | Selector | Action | Type | Δ |
|---|---|---|---|---|
| dewhitelistToken | 0x86b40a1b | Replace | Call | ✓ |
| whitelistToken | 0xd8a6aafe | Replace | Call | ✓ |

WhitelistFacet Event Changes: None.
The following PauseFacet is being removed from Beanstalk:
The following PauseFacet is being added to Beanstalk:
PauseFacet Function Changes

| Name | Selector | Action | Type | Δ |
|---|---|---|---|---|
| unpause | 0x3f4ba83a | Replace | Call | ✓ |
| pause | 0x8456cb59 | Replace | Call | |

PauseFacet Event Changes: None.
The following OwnershipFacet is being removed from Beanstalk:
The following OwnershipFacet is being added to Beanstalk:
OwnershipFacet Function Changes

| Name | Selector | Action | Type | Δ |
|---|---|---|---|---|
| transferOwnership | 0xf2fde38b | Replace | Call | ✓ |
| claimOwnership | 0x4e71e0c8 | Replace | Call | |
| owner | 0x8da5cb5b | Replace | View | |
| ownerCandidate | 0x5f504a82 | Replace | View | |
| seraph | 0x6929145b | Add | View | ✓ |

OwnershipFacet Event Changes: None.
The following FundraiserFacet is being removed from Beanstalk:
The following FundraiserFacet is being added to Beanstalk:
FundraiserFacet Function Changes

| Name | Selector | Action | Type | Δ |
|---|---|---|---|---|
| createFundraiser | 0x4b4e8d9a | Replace | Call | ✓ |
| fund | 0x43c5198e | Replace | Call | |
| fundingToken | 0xc869c1eb | Replace | View | |
| fundraiser | 0xce133450 | Replace | View | |
| numberOfFundraisers | 0x6299a9af | Replace | View | |
| remainingFunding | 0x0d1a844c | Replace | View | |
| totalFunding | 0x6ee66ddf | Replace | View | |

FundraiserFacet Event Changes: None.
The following FertilizerFacet is being removed from Beanstalk:
The following FertilizerFacet is being added to Beanstalk:
FertilizerFacet Function Changes

| Name | Selector | Action | Type | Δ |
|---|---|---|---|---|
| addFertilizerOwner | 0x8cd31ca0 | Replace | Call | ✓ |
| claimFertilized | 0x83e08888 | Replace | Call | |
| mintFertilizer | 0x0bfca7e3 | Replace | Call | |
| payFertilizer | 0xd47aee59 | Replace | Call | |
| balanceOfBatchFertilizer | 0x304ec65d | Replace | View | |
| balanceOfFertilized | 0xb6f42085 | Replace | View | |
| balanceOfFertilizer | 0x1799b3b2 | Replace | View | |
| balanceOfUnfertilized | 0x1edb6be1 | Replace | View | |
| beansPerFertilizer | 0x9bb4e35a | Replace | View | |
| getActiveFertilizer | 0xdc6ba285 | Replace | View | |
| getCurrentHumidity | 0x39448802 | Replace | View | |
| getEndBpf | 0xc85951a1 | Replace | View | |
| getFertilizer | 0x9c45a1d5 | Replace | View | |
| getFertilizers | 0x34af5416 | Replace | View | |
| getFirst | 0x1e223143 | Replace | View | |
| getHumidity | 0x29130a66 | Replace | View | |
| getLast | 0x4d622831 | Replace | View | |
| getNext | 0xf4a057e2 | Replace | View | |
| isFertilizing | 0x6ae1c014 | Replace | View | |
| remainingRecapitalization | 0x4a16607c | Replace | View | |
| totalFertilizedBeans | 0x4f9a9678 | Replace | View | |
| totalFertilizerBeans | 0xf9c4ebde | Replace | View | |
| totalUnfertilizedBeans | 0xa3ef48c9 | Replace | View | |

FertilizerFacet Event Changes: None.
None.
Effective immediately upon commit.