Hexagate is a Web3 security provider that helps protocols, bridges, and chains protect their smart contracts and users from theft caused by cyber exploits and other Web3 threats. Its platform detects threats in real time so that they can be stopped before they have an impact.
Hexagate offers real-time monitoring for all kinds of threats before they affect any digital assets, plus automated prevention tools that let QuickSwap developers take on-chain action when applicable.
This benefits QuickSwap users by safeguarding their funds from potential exploits of any QuickSwap contract and by reducing the amount of funds lost in a possible incident.
Hexagate monitors malicious activity on-chain, including on any QuickSwap contracts (perps, pools, tokens, governance proposals, and so on).
Hexagate can partner with QuickSwap to provide the DEX with real-time alerts on exploits threatening QuickSwap contracts or governance participants, and to run automated workflows that remediate issues in real time whenever Hexagate fires an alert. That will, for instance, allow rapid communication and response to emerging threats, and will let users react to exploits in real time and automatically withdraw their positions.
Note that this proposal has been written by both the QuickSwap and Hexagate teams, where Hexagate is asking the QuickSwap community to decide on implementing/utilising their platform to provide both higher security and alerts for malicious threats to the QuickSwap DEX.
TL;DR:
- Hexagate is a Web3 security provider that helps protocols, bridges, and chains protect their smart contracts and users from theft caused by cyber exploits and Web3 threats
- Hexagate is asking the QuickSwap community to decide on the implementation of their advanced security solution on the DEX in order to provide alerts and detect security threats in advance, ultimately offering greater protection for the QuickSwap DEX and its users
- To begin, the governance discussion on the official QuickSwap Discord & Reddit will run until Sunday, September 24 at 8:00 AM UTC
- Once the Discord & Reddit discussions finish, a formal Snapshot vote will begin and run from Sunday, September 24 at 8:00 AM UTC until Thursday, September 28 at 8:00 AM UTC
- Once you’ve read this entire blog post, make sure to visit the official QuickSwap Discord server & Reddit discussion forum to share your perspective with your fellow community members
Background
Hexagate monitors blockchains in real time and, by combining ML, security heuristics, and hybrid detection algorithms, provides early detection of exploits. The Hexagate platform covers detection of cyber and financial exploits in first- and third-party code and mainnet deployments, governance and administration risks, suspicious fund movements, phishing, fraud, scams, and custom invariants.
Protocols, bridges, and chains that use Hexagate benefit from early and accurate detection of threats, remediation workflows, incident response (IR), and forensics.
The company already protects over $10B in TVL across multiple chains and is trusted by the biggest names in the industry; it detected, ahead of time, the exploits that targeted Euler, iearn, Hundred Finance, Conic, and others.
Hexagate is a VC-funded company backed by leading VCs, founded by serial entrepreneurs who previously built companies that were acquired by JFrog and Claroty. Their team brings vast experience in the cybersecurity realm.
Hexagate also helps the wider ecosystem by assisting others in a time of need, participating in post-mortem analyses and in war rooms aimed at unmasking exploiters and recovering funds, and by conducting security research on protocols. A few examples:
- Found and responsibly disclosed a vulnerability in the Polygon PoS (Proof of Stake) system that allowed consensus to be bypassed
- Listed in the Ledger Hall of Fame for finding and reporting a bug in an old Ledger
- Helped 0vix protocol throughout their incident response right after they were exploited
- Helped Conic Finance throughout their incident response right after they were exploited (post-mortem: https://medium.com/@ConicFinance/post-mortem-eth-and-crvusd-omnipool-exploits-c9c7fa213a3d)
- Helping Compound V2 and Compound V2 forks handle a zero-day exploit so they can open markets safely
- Curve incident post-mortem, published as the incident unfolded
- Euler hack post-mortem (Hexagate also notified the team in real time over Discord and helped in the war room)
- Hexagate is also part of the SEAL 911 team, helping others in the ecosystem in stressful times
Everyone is welcome to follow Hexagate on their official X (Twitter) account to see live updates and posts.
Detailed Proposal
Below is a summary of the proposal from Hexagate, outlining what they will offer QuickSwap:
- Hexagate will provide access for QuickSwap to its Web3 security platform and Web3 threat intelligence feed, including its on-chain investigation engine.
- Threats covered by the Hexagate platform:
  - Exploits in first- or third-party code
    - Detect suspicious or malicious contracts before they are used to exploit a protocol
    - Detect novel zero-day exploits and unknown threats against protocols or their dependencies (tokens, deployers, oracles, bridges, other protocols, and so on)
    - Detect token exploits: excessive minting or burning, abnormal transfers, centralisation risks, missing access controls that allow arbitrary approvals or transfers, rug pulls
    - Detect oracle deviations and delays
    - Track abnormal transfers to detect private key compromises
    - Alert on token depegs: stablecoins, wrapped assets, or bridged assets
    - Track fund movement post-incident and automatically tag malicious entities on-chain to taint the movement of stolen funds in real time
  - Governance and administration
    - Simulate and analyse governance proposals as they go on-chain, and again when they execute, to flag malicious proposals or proposers
    - Analyse contract ownership or role changes for abnormal transfers to malicious entities
    - Detect malicious implementation upgrades and changes to privileged configuration that result from missing access controls, private key compromises, or rug pulls
    - Detect centralisation risks among governance token holders, and phishing attempts against them
    - Monitor governance token transfers
  - Funds movement
    - Track illicit funding sources and fund movement
    - Monitor and tag all malicious on-chain activity, including fraud shops, mixers, USDT / USDC / OFAC blacklists, high-risk exchanges, and stolen funds
    - Monitor abnormal transfers and/or fund movements from specific addresses (protocol treasury, whales, protocol participants, and so on)
  - Invariants and parameters
    - Monitor predefined invariants and parameters per the protocol specification
  - Phishing, fraud, and scams
    - Alert when governance participants interact with malicious contracts, phishing addresses, scam tokens, and so on
    - Detect malicious dApps impersonating QuickSwap
- Hexagate provides generic webhooks and Slack, Telegram, email, Discord, and PagerDuty integrations for any type of alert
- Hexagate supports user-generated custom monitors, so a user can set up alerts on specific wallets, whales, specific events, specific contract calls, and so on, tailoring monitoring to their needs
- Phishing detection for governance participants: Hexagate surfaces any phishing attempt against QuickSwap governance participants
- Connection to Hexagate's network of partners and collaborators, with whom it keeps open channels (Chainalysis, Binance, on-chain sleuths, and more), so they can be notified in real time when an incident happens in order to tag the bad actors and block off-ramping on a long list of exchanges, help uncover the attacker's identity, help craft a post-mortem, and analyse the blast radius of the incident
- Professional service and support:
  - Standard support hours: Sunday to Thursday, 10:00 AM to 7:00 PM GMT+3
  - Help with bug bounty program submissions, security reviews, and real-time incident triage, by assigning a Hexagate security researcher when needed. In the initial proposal, Hexagate will allocate 15 hours of security research activity to this and expand as needed
  - Preparation and training for running a war room, assigning roles and responsibilities, and help crafting security frameworks and incident response procedures, based on Hexagate's experience from many incident response events
- Onboarding:
  - During onboarding, a Hexagate security engineer and a QuickSwap team member will map all the contracts, tokens, bridges, oracles, and governance structures that relate to, or even remotely affect, QuickSwap contracts and on-chain assets, so that coverage is as broad as possible. Access to the platform will be granted to selected QuickSwap Foundation members or developers to configure monitors and alert notification channels and to run triage and investigations of any on-chain activity; access is provided right after signing
  - Tailor remediation procedures for QuickSwap
Budget
Hexagate is asking the QuickSwap community to fund $25k/year in USDC from the DAO treasury for the onboarding, maintenance, and professional service and support listed above, while the QuickSwap Foundation will engage with Hexagate on a commercial agreement for a yearly licence of the platform.
The rationale is that the community funds the support and maintenance it receives, while the QuickSwap Foundation, for which security is top of mind, is in charge of operating the system.
Join the Discussion
As always, QuickSwap community members are encouraged to participate in and contribute to QuickSwap governance discussions and proposals across all of QuickSwap’s online forums, especially on Discord & Reddit. As a Dragon, you are a valued community member and your opinion matters – but you have to participate in community voting procedures to make it count.
As always, critical decisions guiding QuickSwap’s strategic development will always be determined by way of decentralized governance. QuickSwap’s future is in your hands, so make your voice heard!