In September 2023, the Dragon community voted in favor of a governance proposal to implement Hexagate’s Web3 security platform. Hexagate provided QuickSwap with real-time alerts on exploits threatening smart contracts or governance participants and ran automated workflows to mitigate issues in real time whenever its platform fired an alert.
The duration of the agreement terms has now expired, which is why this new proposal is being put forward to renew Hexagate’s 12-month engagement with QuickSwap.
This agreement with Hexagate will continue to provide continuous real-time monitoring and proactive threat prevention, enhancing the resiliency and security of the QuickSwap DEX and augmenting the DAO’s security operations. It minimises the risk of hacks, exploits and loss of funds, helps prevent catastrophic loss, and supports long-term sustainable growth.
Note that this proposal has been written jointly by the QuickSwap and Hexagate teams. The request is to approve a $30K budget expenditure, paid in USDC for 1 year, approved and released by the DAO contributors.
Next Steps:
- To begin, the governance discussion on the official QuickSwap Discord & Reddit will run until Sunday, November 24 at 6:00 AM UTC
- Once the Discord & Reddit discussions finish, a formal Snapshot vote will begin and run until Thursday, November 28 at 6:00 AM UTC
- Once you’ve read this entire blog post, make sure to visit the official QuickSwap Discord server & Reddit discussion forum to share your perspective with your fellow community members
About Hexagate
Hexagate Website: https://www.hexagate.com/
Hexagate Twitter: https://twitter.com/hexagate
Hexagate monitors blockchains in real time and, by leveraging ML models, security heuristics, hybrid detection algorithms and an invariant monitoring engine, provides early detection and proactive protection against exploits, abnormal behavior, operational faults and other Web3 threats. The Hexagate platform covers the detection of cyber and financial exploits in 1st- and 3rd-party code on mainnet deployments, governance and administration risks, suspicious fund movements, phishing, fraud, scams, and custom invariants.
Protocols, chains, asset managers and VASPs that use Hexagate benefit from early and accurate detection of threats, mitigation workflows, incident response (IR), and forensics.
Hexagate protects assets exceeding $50 billion in Total Value Locked (TVL) across multiple chains. They’ve earned the trust of prominent names in the industry, including Coinbase, Consensys, BGD Labs, EigenLayer, Securitize (Blackrock’s BUIDL), Uniswap, Aerodrome, Linea, Immutable X, Cronos, Kiln, Polygon, Avalanche, Usual Money, Lombard, Scroll, GMX, Renzo, Swell, ExtraFi, and many others.
The Hexagate platform was built following extensive data and ML research, was back-tested from the genesis block, and detected all hacks in real time over the past 18 months; in 98% of cases it provided an alert more than 2 minutes (sometimes even days) ahead of the hack.
To date, the Hexagate platform has saved almost $2 billion from actual hacks that targeted its customer base.
Hexagate also elevates security for the entire Web3 ecosystem by helping others in a time of need, participating in post-mortem analysis and in war rooms aimed at unveiling exploiters and recovering funds, and by conducting research on protocols. Here are a few examples:
Notable mentions and latest success stories:
- Hexagate partners with Coinbase to enable developers to create more secure on-chain apps and protocols on Base
- Hexagate partnered with Algebra to offer proactive real-time security monitoring for DEXes running on Algebra AMM, ensuring a safer trading environment for users.
- Found and responsibly disclosed a vulnerability in the Polygon PoS bridge that enables bypassing the consensus of Polygon
- Assisting Compound V2 and Compound V2 forks with a zero-day exploit to open markets safely - Hexagate’s recommendation became the industry standard for opening new markets for Compound V2 forks
And much more.
Hexagate offers real-time monitoring for all sorts of threats before they impact any digital assets, plus automated prevention tools for projects such as QuickSwap, so developers can take on-chain mitigation actions when applicable.
This benefits QuickSwap users by safeguarding their funds from potential exploits on any QuickSwap contract and reduces the amount of funds lost in a possible incident.
Hexagate monitors malicious activity on-chain, including on any QuickSwap contracts (perps, pools, tokens, governance proposals, and so on).
Proposal
Below is a summary of the proposal from Hexagate, outlining what they will offer to QuickSwap:
- Hexagate will provide QuickSwap with access to its Web3 security platform and Web3 threat intelligence feed, including its on-chain investigation engine
- Threats covered by the Hexagate platform:
  - Detect suspicious malicious contracts before they exploit a protocol
  - Detect novel 0-day exploits and unknown threats on protocols or their dependencies
    - Dependencies include tokens, deployers, oracles, bridges, other protocols, etc.
  - Detect token exploits: excessive minting or burning, abnormal transfers, centralization risks, missing access controls allowing arbitrary approvals or transfers, rug pulls
  - Detect oracle deviations and delays
  - Track abnormal transfers to detect private key compromises
  - Alert on token depeg: stablecoins, wrapped assets, or bridged assets
  - Track fund movement post-incident and automatically tag malicious entities on-chain to taint stolen funds movement in real time
  - Simulate and analyze any malicious governance proposal (or a malicious proposer) that goes on-chain (including when a governance proposal executes)
  - Analyze contract ownership or role changes for abnormal changes to malicious entities
  - Detect malicious implementation updates and changes to privileged configurations that result from missing access controls, private key compromises or rug pulls
  - Detect centralization risks on governance token holders or phishing attempts on governance token holders
  - Monitor governance token transfers
  - Track illicit funding sources and track fund movement
  - Monitor and tag all malicious on-chain activity including fraud shops, mixers, USDT / USDC / OFAC blacklists, high-risk exchanges, and stolen funds
  - Monitor abnormal transfers and/or fund movements from specific addresses (protocol treasury, whales, protocol participants, etc.)
  - Declare and implement code invariants using a descriptive language
  - Monitor code invariants and parameters on mainnet and testnet, to make sure they are not broken
  - Leverage pre-defined rules and custom monitors covering balance changes, contract events, function calls, sample functions, token holder centralization, slashing events and more
  - Governance participants interacting with malicious contracts, phishing addresses, scam tokens, etc.
  - Detect malicious dApps impersonating QuickSwap
  - Exploits on first- or third-party code
  - Governance and administration
  - Funds movement
  - Invariants and parameters
  - Phishing, fraud, and scams
- Hexagate provides generic webhooks and Slack/Telegram/Email/Discord/PagerDuty/OpsGenie integrations for any type of alert
- Hexagate enables user-generated custom monitors so a user can set up alerts on specific wallets, whales, specific events, specific contract calls, and so on, enabling users to customize their monitoring to fit their needs
- Hexagate will work directly with protocols in the ecosystem to configure and set up security monitoring and prevention flows. Every team can also create custom monitoring with Hexagate no-code templates for any additional operational performance event monitoring.
- Hexagate provides a unique invariant monitoring engine that allows invariants to be declared using a proprietary DSL and monitored on both testnet and mainnet.
- Phishing detection for governance participants: Hexagate surfaces any phishing attempt on QuickSwap governance participants
- Connection to Hexagate’s network of partners and collaborators with whom it has an open channel, such as Chainalysis, Binance, on-chain sleuths, and more. When an incident happens, they can be notified in real time so they can tag the bad actors and prevent them from off-ramping on a large list of exchanges, uncover the attacker’s identity, help craft a post-mortem paper, and analyze the blast radius of the incident
*Please note that if the community votes in favor of this proposal (a majority "Yes"), QuickSwap will be able to use Hexagate's services on any future chains the DEX is deployed on, for the same price.
Budget
Hexagate is asking the QuickSwap community to fund $30K/year in USDC from the DAO treasury for maintenance plus the professional service and support listed above, and the QuickSwap Foundation will engage with Hexagate on a commercial agreement for a yearly license of the platform.
The rationale is that the community receives support and maintenance while the QuickSwap Foundation is in charge of operating the system, as security is top of mind.
Join the Discussion
As always, QuickSwap community members are encouraged to participate in and contribute to QuickSwap governance discussions and proposals across all of QuickSwap’s online forums, especially on Discord & Reddit. As a Dragon, you are a valued community member and your opinion matters – but you have to participate in community voting procedures to make it count.
Critical decisions guiding QuickSwap’s strategic development will always be determined by way of decentralized governance. QuickSwap’s future is in your hands, so make your voice heard!