Celo Ecosystem Security Services Program: Enhancing Ecosystem Security Through Subsidized Services

[FINAL] Celo Ecosystem Security Services Program: Enhancing Ecosystem Security Through Subsidized Services

Authors: cLabs Security Team

Status: FINAL

Funding Request: 768,500 CELO ($580,000 at the 90-day average CELO:USD rate of 0.675 on 12/05/2024)

Summary

The Security Team at cLabs proposes an initiative to subsidize the cost of security services for Celo ecosystem partners. This pro bono initiative will involve collaboration with leading security vendors to provide on-chain monitoring, automated security testing, brand protection, security architecture reviews, anti-money laundering (AML) compliance, and software supply chain security. We aim to leverage industry-leading practices and provide tools that empower partners to adopt and improve their security postures, reducing the risk of exploits that could impact the broader ecosystem.

The proposed funding for this initiative is 768,500 CELO ($580,000 at the 90-day average CELO:USD rate of 0.675 on 12/05/2024), to be distributed over a 1-year period, from January 2025 to December 2025.

Motivation

Let’s face reality: Web3 lost over $3.7 billion to hacks in 2022 alone. Every security incident in our ecosystem directly impacts CELO token value and destroys user trust that took years to build. These impacts ripple through every project building on Celo.

Traditional security reviews exceed $150,000 per project, forcing most teams building on Celo to choose between proper security and core development. This isn’t just about individual projects, it’s about protecting Celo’s entire ecosystem.

The urgency of this proposal is driven by three critical factors:

  1. Attack sophistication is rapidly evolving with technology. Bleeding-edge technology must be implemented with effective security testing.
  2. Regulatory pressure is mounting, with authorities scrutinizing blockchain security more than ever. Security incidents attract unwanted regulatory attention, while proactive security measures demonstrate ecosystem maturity.
  3. Security has become a key differentiator for ecosystem growth, as leading chains strengthen their security posture and projects choose platforms partly based on security support.

This initiative transforms security from a luxury into a standard feature of building on Celo and aims to:

  • Make enterprise-grade security services accessible to Celo ecosystem projects
  • Reduce the financial barrier to implementing robust security measures
  • Protect user funds and maintain ecosystem trust
  • Enable projects to focus resources on development while maintaining security

Specification

  1. Program Structure

The program will operate on a first-come-first-served basis with additional rewards for projects that have already implemented security controls. Key components include:

Services Offered:

  • Smart Contract & Wallet Security: Focusing on automated vulnerability scanning, smart contract security analysis, and wallet integration security. This foundational service helps projects secure their core smart contract infrastructure and user interaction points. The service includes gas optimization analysis and upgradability pattern security reviews.

  • Brand Protection Services: Providing comprehensive brand security services to prevent spoofing attacks, phishing attempts, and reputation damage. This service helps maintain user trust and ecosystem integrity through continuous monitoring and protection of project digital assets.

  • Attack Surface Monitoring: Implementing continuous scanning and monitoring of cloud infrastructure vulnerabilities, exposed API endpoints, and configuration issues. This service ensures projects maintain a secure operational environment.

  • Secrets & Supply Chain Security: Monitoring for accidentally exposed API keys or service account credentials in public source code. Additionally, the service includes scanning for vulnerable dependencies in the software supply chain, ensuring secure development practices.

  • Secure Deployment Workflows: Analyzing and securing deployment processes, focusing on preventing malicious, insecure, or inadequate automated workflows. This service helps projects maintain security throughout their development pipeline.

  • Static Application Security Testing: Providing automated security scanning tools specifically designed for smart contract code, helping projects identify potential vulnerabilities early in the development cycle.

  • Competitive Bug Bounty Programs: Supporting projects in establishing and maintaining bug bounty programs to incentivize responsible vulnerability disclosure and ecosystem security improvements.

  • Security Program Reviews: Offering comprehensive security program assessments to ensure no critical assets remain at high risk, providing strategic guidance for security implementation.

Budget Allocation:

Expenditure Breakdown (amounts in USD)

  • Smart Contract, Wallet, and WebApp Security Review 120,000
  • Brand Protection 50,000
  • Attack Surface Monitoring 45,000
  • Secrets Management 45,000
  • Supply Chain Security 45,000
  • Secure Deployment Workflows 45,000
  • Static/Dynamic Security Testing 40,000
  • Competitive Bug Bounty Program 150,000
  • Security Program Review 30,000
  • Program Administration 10,000
  • Total 580,000 USD

  2. Timeline and Milestones

Phase 1: Program Setup (Q1 2025)

  • Program infrastructure setup
  • Security vendor onboarding
  • Application process launch
  • Community awareness campaign

Phase 2: Initial Partner Enrollment (Q1-Q2 2025)

  • First batch of partner applications
  • Initial security assessments
  • Service implementation begins
  • First monthly report publication

Phase 3: Full Program Operation (Q2-Q4 2025)

  • Continuation of partner onboarding
  • Service delivery and monitoring
  • Monthly reporting and community updates
  • Mid-program assessment and adjustments

Phase 4: Evaluation and Planning (Q4 2025)

  • Program impact assessment
  • Community feedback collection
  • Sustainability planning
  • Renewal proposal preparation

  3. Implementation & Governance

Partner Selection Process:

  • Open application process through Celo Forum (TBD)
  • Clear eligibility criteria published
  • Monthly batch processing of applications
  • Bonus structure for existing security implementations

Fund Management:

  • 2/3 Multisig structure:
    • cLabs Security Lead
    • cLabs Project Manager
    • Community elected signer
  • Monthly budget reporting
  • Quarterly audits

  4. Success Metrics

Key Performance Indicators:

  • Number of Partners Onboarded: Successfully onboard at least 10 partners within the first three months.
  • Reduction in Vulnerabilities: Reduction in the number of vulnerabilities identified by scanning tools by 30% by the end of the project.
  • Competitive Bug Bounty Participation: At least 20 bug bounty submissions, with 5 critical vulnerabilities addressed.
  • Partner Satisfaction: Gather feedback from partners; aim for an average satisfaction score of 7/10 or higher.
  • Security Maturity: Increase in overall security maturity scores, measured on a scale of 1 to 5, for at least 70% of the participating projects, with a target of moving projects from an average score of 2 to an average score of 4 by the end of the program.

Reporting Structures:

Monthly Updates:

  • Partners onboarded
  • Services utilized
  • Security metrics
  • Budget utilization

Quarterly Reports:

  • Comprehensive impact analysis
  • Success stories
  • Security trends
  • Program adjustments

  5. Payment Terms

Fund Distribution:

  • Initial transfer: 384,250 Celo (Upon approval)
  • Second transfer: 384,250 Celo (End of H1 2025, subject to milestone completion)

Multisig Address: 0x35ff861a0b6215CeC71EA282B0D32AfefA661795

Signers:

  1. cLabs Security Lead: Benjamin Speckien
  2. cLabs Project Manager: Nikolaos Frestis
  3. cLabs Security Engineer: Patrick Putman

6. Long-term Sustainability

Year 1 (2025):

  • Full subsidy model
  • Program establishment
  • Community engagement

Future Sustainability (2026+):

  • Graduated co-payment model based on project maturity
  • Community fund renewal based on demonstrated success
  • Integration with broader Celo security initiatives

7. Team Structure

The program will be managed by a cLabs team including:

  • 1 Head of Security
  • 2 Security Engineers
  • 1 Project Manager

8. Conclusion

This security services subsidy program represents a critical investment in the Celo ecosystem’s future. By making essential security services accessible to all projects, we can create a more secure and sustainable environment for continued growth and innovation.

The time to implement comprehensive security measures is now, while they are still preventative rather than a necessity forced by an incident. We have the opportunity to set new standards for ecosystem-wide security practices and support the sustainable growth of the Celo ecosystem.

TL;DR

cLabs Security Team is proposing a one-year program (2025) to subsidize security services for Celo ecosystem projects, requesting 768,500 CELO ($580,000 USD) in funding.

Key aspects:

  1. Purpose: Make enterprise-grade security accessible to Celo projects by subsidizing services like smart contract security, brand protection, and attack monitoring
  2. Motivation: Combat rising crypto hacks ($3.7B lost in 2022), high security review costs ($150K+), and increasing regulatory pressure
  3. Budget: Major allocations include:
  • Smart Contract & Wallet Security: 120,000 USD
  • Brand Protection 50,000 USD
  • Bug Bounty Program: 150,000 USD
  • Various monitoring services: ~45,000 USD each
  4. Structure:
  • First-come-first-served basis
  • 2/3 Multisig governance
  • Monthly updates and quarterly reports
  • Success targets include onboarding 10+ partners in first 3 months
  • Initially fully subsidized, moving to co-payment model in 2026+

The goal is to transform security from a luxury into a standard feature for projects building on Celo.

5 Likes

Just a quick note @ben: I have edited the title of the proposal to avoid missing links later.

The [DRAFT] indicator in the initial part of the proposal is enough. :raised_hands: Thanks for posting the proposal. It's good to see you posting.

1 Like

Hey @ben, sorry for checking this late, but I just noticed a discrepancy between the Funding Request and the Payment Terms: in the Funding Request you are requesting only CELO tokens, but in the Payment Terms you also mention cUSD.

It would be good to align both in terms of the same token, or, if your budget includes both tokens, please specify the amount of each one separately.

Looking forward to the updated proposal; alternatively, consider modifying the initial post.

:warning: Last remark

You could edit the initial lines of your proposal and mark them as [FINAL], or you could consider posting the [FINAL] proposal here as a new comment.

1 Like

Hello, we’re going to wait until January to activate the proposal. We want the community to have enough time to review and give feedback.

Please let us know if you believe this subsidy would be helpful to your project or if you have any suggestions for improvement.

1 Like

I want to start by saying that, on a personal level, I think this proposal is a solid step in the right direction and will likely bring real value to the ecosystem.

That said, as a Celo Guardian, it’s my responsibility to ensure the submission process is followed correctly and transparently.

One thing that stands out to me is the change in the funding request. In the initial Forum proposal, the request was presented as 385k USD, and this was specifically framed in CELO with its equivalent in USD. This amount was also the one shared during the Celo Governance Call, and it’s clearly documented in the recording of the session, which can be accessed here: Governance Call Recording. (Minute 15:30)

However, in the GitHub PR submitted on December 12th, the funding request increased significantly to 768,500 CELO = 580k USD. That’s a 50% jump from the original USD amount, and as far as I can see, there’s no explanation for this increase anywhere in the proposal.

Can you please clarify the reasoning behind this adjustment and why it wasn’t disclosed earlier in the process?

Additionally, when submitting a proposal for funds, it’s crucial to disclose all Multisign addresses involved and who is behind each address.

Furthermore, each individual associated with these addresses should confirm their wallet address in a comment from their Forum Account. This is a requirement from the Approvers, so let’s ensure we meet their standards for transparency.

2 Likes

This is too expensive. Celo Lab itself does not have any security staff?

My security lab can help you do all the proposed security matters with just 368,500 Celo, saving the cost of 400,000 Celo for the community.

Btw, please budget your proposal using USD instead of Celo.

Content seems good and important, but what’s the rationale for these resources not coming out of the multi-million dollar proposal awarded to cLabs already in 2024?

If that proposal wasn’t to fund cLab’s development activities for the near future, what was it for?

Not against this proposal in general, just querying rationale for this specific project to be separately funded versus any other work stream going on inside cLabs.

Hi @dao, good question. Yes, Celo Labs (cLabs) does have a security team. This program aims to provide security resources to the whole ecosystem, outside of cLabs. The cLabs Security Team aims to assist projects in implementing security best practices and industry-leading security controls.

If you would like to suggest a security vendor, please reach out to me on Discord: @benatclabs

Hi @Thylacine,

Thanks for your comment. This is the first proposal specifically for security. This proposal aims to provide services to partners developing on Celo. This includes a plethora of security controls, such as smart contract auditing, on-chain monitoring and alerting, and infrastructure hardening.

1 Like

Hello @0xGoldo,

Thanks for all the comments!

Our goal is to improve the developer experience by increasing security in the Celo Ecosystem. We’ve adjusted the suggested security controls based on evolving threats and resource availability. Because of this, the budget has changed. I understand the concern. Any surplus will go back to the community.

We have standardized on cUSD and finalized the allocations as follows:

  • Smart Contract, Wallet, and WebApp Security Review 120,000
  • Brand Protection 50,000
  • Attack Surface Monitoring 45,000
  • Sequencer Level Attack Monitoring and Prevention 25,000
  • Secrets Management 45,000
  • Supply Chain Security 20,000
  • Secure Deployment Workflows 20,000
  • Static/Dynamic Security Testing 40,000
  • Competitive Bug Bounty Program 60,000
  • Security Program Review 15,000
  • Program Administration 10,000
  • Total 450,000 cUSD

Key changes are:

  • Addition of Sequencer Level Attack Monitoring and Prevention - On chain Security Controls
  • Reduction of Supply Chain Security - Leverage more open source/free tooling
  • Reduction in Secure Deployment Workflows - Reduced allocation from 4 to 2 projects
  • Reduction in Competitive Bug Bounty Program - Reduced size of Reward Pools
  • Security Program Review - Reduced number of vCISO hours available

Also, I’m happy to announce we came up with a new name for the program, Celo SHIELD - Subsidized Help for Improving Ecosystem-Level Defense. This will help when we’re referring to the program.

Furthermore, each individual associated with the multisig and their wallet address is listed here:

SHIELD Multisig Address - 0x35ff861a0b6215CeC71EA282B0D32AfefA661795
Benjamin Speckien - 0x48739572951F5bdb2CAC71BfF1Fc0747266C816e
Nikolaos Frestis - 0x2835cd3C9e5aD93C10eBFAcEc943fE1006B1F57a
Stefan Ioja - 0x32Af2978880CD100d6Afa1104e8d01554bFe5bD4

1 Like

Hi all, just wanted to confirm this is my address.

1 Like

Hey everyone! To confirm this is my address. Many thanks!

1 Like

Thanks, I think I misread the pro bono part in the original post.

So the funds will be used to pay for third-party security services, for qualifying Celo projects, at no or discounted expense? Is my understanding correct?

This is a correct and accurate summary.

1 Like

FINAL - Celo SHIELD - Subsidized Help for Improving Ecosystem-Level Defense

Proposal Key Aspects

  • Receiver Entity: Celo Governance / Celo Public Goods
  • Status: FINAL
  • Title: Celo SHIELD - Subsidized Help for Improving Ecosystem-Level Defense
  • Author(s):
  • Type of Request: Funding
  • Funding Request: 450,000 cUSD

Summary

Celo SHIELD Overview

The Security Team at cLabs proposes an initiative to subsidize the cost of security services to Celo ecosystem partners. This pro bono initiative will involve collaboration with leading security vendors to provide on-chain monitoring, automated security testing, brand protection, security architecture reviews, anti-money laundering (AML) compliance, and software supply chain security. We aim to leverage industry-leading practices and provide tools that empower partners to adopt and improve their security postures, reducing the risk of exploits that could impact the broader ecosystem.

The funds will be used to pay for third-party security services, for qualifying Celo projects, at no or discounted expense.

The proposed funding for this initiative is 450,000 cUSD to be distributed over a 1-year period, from January 2025 to December 2025.

Motivation

Web3 lost over $2 billion to hacks in 2024 alone. Every security incident in our ecosystem directly impacts CELO value and erodes user trust. This has a ripple-effect through every project building on Celo.

Traditional security reviews exceed $150,000 per project, forcing most teams building on Celo to choose between proper security and core development. This isn’t just about individual projects, it’s about protecting Celo’s entire ecosystem.

The urgency of this proposal is driven by three critical factors:

  1. Attack sophistication is rapidly evolving. Next-generation Financial Technology must be implemented with effective security testing.
  2. Regulatory pressure is constantly changing with authorities scrutinizing blockchain security more than ever. Security incidents attract unwanted regulatory attention, while proactive security measures demonstrate ecosystem maturity.
  3. Security has become a key differentiator for ecosystem growth, as leading chains strengthen their security posture and projects choose platforms partly based on security support.

This initiative transforms security from a luxury into a standard feature of building on Celo and aims to:

  • Foster development on Celo by allowing projects to focus resources on development while maintaining security
  • Make enterprise-level security services accessible to Celo ecosystem projects
  • Reduce the financial barrier to implementing robust security measures
  • Provide specialized Web3 security awareness training
  • Protect user funds and maintain ecosystem trust

Specification

Program Structure

The program will operate on a first-come-first-served basis with additional rewards for projects that have already implemented security controls. Key components include:

Services Offered:

  • Smart Contract & Wallet Security: Focusing on automated vulnerability scanning, smart contract security analysis, and wallet integration security. This foundational service helps projects secure their core smart contract infrastructure and user interaction points. The service includes gas optimization analysis and upgradability pattern security reviews.
  • Brand Protection Services: Providing comprehensive brand security services to prevent spoofing attacks, phishing attempts, and reputation damage. This service helps maintain user trust and ecosystem integrity through continuous monitoring and protection of project digital assets.
  • Attack Surface Monitoring: Implementing continuous scanning and monitoring of cloud infrastructure vulnerabilities, exposed API endpoints, and configuration issues. This service ensures projects maintain a secure operational environment.
  • Sequencer Level Attack Monitoring and Prevention: On-chain security controls to alert on or block malicious actions.
  • Secrets & Supply Chain Security: Monitoring for accidentally exposed API keys or service account credentials in public source code. Additionally, the service includes scanning for vulnerable dependencies in the software supply chain, ensuring secure development practices.
  • Secure Deployment Workflows: Analyzing and securing deployment processes, focusing on preventing malicious, insecure, or inadequate automated workflows. This service helps projects maintain security throughout their development pipeline.
  • Static Application Security Testing: Providing automated security scanning tools specifically designed for smart contract code, helping projects identify potential vulnerabilities early in the development cycle.
  • Competitive Bug Bounty Programs: Supporting projects in establishing and maintaining bug bounty programs to incentivize responsible vulnerability disclosure and ecosystem security improvements.
  • Security Program Reviews: Offering comprehensive security program assessments to ensure no critical assets remain at high risk, providing strategic guidance for security implementation.

Expenditure Breakdown (amounts in cUSD)

  • Smart Contract, Wallet, and WebApp Security Review 120,000
  • Brand Protection 50,000
  • Attack Surface Monitoring 45,000
  • Sequencer Level Attack Monitoring and Prevention 25,000
  • Secrets Management 45,000
  • Supply Chain Security 20,000
  • Secure Deployment Workflows 20,000
  • Static/Dynamic Security Testing 40,000
  • Competitive Bug Bounty Program 60,000
  • Security Program Review 15,000
  • Program Administration 10,000
  • Total 450,000 cUSD

Timeline and Milestones

Phase 1: Program Setup (Q1 2025)

  • Program infrastructure setup
  • Security vendor onboarding
  • Application process launch
  • Community awareness campaign

Phase 2: Initial Partner Enrollment (Q1-Q2 2025)

  • First batch of partner applications
  • Initial security assessments
  • Service implementation begins
  • First monthly report publication

Phase 3: Full Program Operation (Q2-Q4 2025)

  • Continuation of partner onboarding
  • Service delivery and monitoring
  • Monthly reporting and community updates
  • Mid-program assessment and adjustments

Phase 4: Evaluation and Planning (Q4 2025)

  • Program impact assessment
  • Community feedback collection
  • Sustainability planning
  • Renewal proposal preparation

Implementation & Governance

Partner Selection Process

  • Open application process through Celo Forum (TBD)
  • Clear eligibility criteria published
  • Monthly batch processing of applications
  • Bonus structure for existing security implementations

Fund Management

  • 2/3 Multisig structure:
    • cLabs Security Lead
    • cLabs Project Manager
    • cLabs Security Engineering
  • Monthly budget reporting
  • Quarterly audits

Metrics and KPIs

Key Performance Indicators:

  • Number of Partners Onboarded: Successfully onboard at least 10 partners within the first three months.
  • Reduction in Vulnerabilities: Reduction in the number of vulnerabilities identified by scanning tools by 30% by the end of the project.
  • Competitive Bug Bounty Participation: At least 20 bug bounty submissions, with 5 critical vulnerabilities addressed.
  • Partner Satisfaction: Gather feedback from partners; aim for an average satisfaction score of 7/10 or higher.
  • Security Maturity: Increase in overall security maturity scores, measured on a scale of 1 to 5, for at least 70% of the participating projects, with a target of moving projects from an average score of 2 to an average score of 4 by the end of the program.

Reporting Structures:

Monthly Updates:

  • Partners onboarded
  • Services utilized
  • Security metrics
  • Budget utilization

Quarterly Reports:

  • Comprehensive impact analysis
  • Success stories
  • Security trends
  • Program adjustments

Current Status

This is a new initiative.

Payment Terms

Fund Distribution:

  • Initial transfer: 225,000 cUSD (Upon approval)
  • Second transfer: 225,000 cUSD (End of H1 2025, subject to milestone completion)

Multisig Address: 0x35ff861a0b6215CeC71EA282B0D32AfefA661795

Signers:

  1. cLabs Security Lead: Benjamin Speckien (@ben) 0x48739572951F5bdb2CAC71BfF1Fc0747266C816e
  2. cLabs Project Manager: Nikolaos Frestis (@gloec) 0x2835cd3C9e5aD93C10eBFAcEc943fE1006B1F57a
  3. cLabs Security Engineer: Stefan Ioja (@si-csec) 0x32Af2978880CD100d6Afa1104e8d01554bFe5bD4

Team

Benjamin Speckien, currently acting as Head of Security for cLabs, has over 20 years’ experience in Security/IT. He has worked across the Celo Ecosystem with over 40 partners, implementing security controls and designing solutions. Benjamin holds a Master of Science in Cybersecurity and is CISSP certified.

Nikolaos Frestis has an extensive background in Information Security Project Management across the pharmaceutical and crypto-banking sectors. He maintains close relationships with security vendors in Web3 and has interviewed many people developing on Celo. Nikos currently acts as Project Manager for the cLabs Security Team.

Stefan Ioja is a Security Engineer at cLabs. He implements and maintains industry-leading security solutions, is well versed in the threat landscape of Web3, and is an expert in Incident Response. Stefan is skilled at maturing security posture efficiently.

Additional Support/Resources

Feedback from the community is appreciated but not required.

1 Like

Thanks @ben for updating the proposal. On my end this proposal is fulfilling all the requirements and was also presented during Governance Call #54, so from my end it is ready to move into the voting phase.


:bangbang: Remember Current Celo Governance Overview & Procedures

To proceed to the submission and voting phase at least two Celo Governance Guardians must post explicitly that the proposal fulfills the requirements to be able to move into the Voting Stage in the proposal thread on the Celo Forum.


Reminder: Please ask all Multisign Members to confirm their addresses by posting a comment using their personal Forum accounts. This step is essential to prevent impersonation and ensure that Approvers can verify the proposal meets the requirements.

CC: Governance Working Group (@annaalexa @Wade @0xGoldo)

From my perspective, this proposal meets all the necessary requirements and was also presented during Governance Call #54. As such, I believe it is ready to proceed to the voting phase.

Additionally, I acknowledge the previous feedback from the other multisig members as valid, and I confirm that the proposal now satisfies all the criteria needed to move forward to the voting stage.

4 Likes