I love seeing the sankey diagram, I wish more projects would do this!
One thing that stood out here was that nearly 10% of all funds went to Secrets Management! I don’t want to micro-manage anyone else’s grant here, but that feels insanely high. On AWS, for example, they charge pennies per secret, and you can bundle a nearly unlimited number of key-value pairs in each secret. I don’t know what service is being used here, but this feels like it could be tighter.
I’m guessing there is some huge volume of automated tests going, each with their own set of secrets, but it still looked really high to me!
Thanks for your feedback. I love discussion on these topics. I totally understand why Secrets Management may seem like an outlier, but there is a reason for this. Looking at the Rekt Leaderboard, you can see that some of the biggest hacks (Ronin, ByBit, etc.) were not due to smart contract or web3 vulnerabilities but due to an attacker getting a key to the web2 infrastructure. Secrets management and implementing Just-In-Time secrets across cloud infrastructure and disparate systems, using HashiCorp Vault or similar solutions, can have a dramatic impact on the security posture of an organization. We have planned for a nice subsidy because of this.
But, while rolling out SHIELD, we haven’t found partners at an organizational maturity level to implement these enterprise-level security controls. Many times, for smaller organizations, there are cost-effective ways to keep secrets secured, as you mentioned. We don’t expect to utilize the entire budget allocation for Secrets Management and expect to return it to the community. On the flip side, if there is a high-TVL partner that hasn’t implemented Just-In-Time secrets, we would be happy to fund it and make sure assets on Celo are as secure as possible.
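To make the "Just-In-Time secrets" argument in the reply above concrete, here is an added example that is not from the forum post and not HashiCorp Vault's own API: a small Python broker that issues credentials with a lease and TTL, validates them on every use, and supports revocation, which is the same principle Vault's dynamic secrets engines implement. The `JitSecretBroker`, `Lease`, `FakeClock` and `leaked_key_outcome` names, the "deploy-bot" principal and the leak timings are all constructed for the illustration; the point it shows is that a key copied out of a CI runner is worthless after its lease ends, whereas a long-lived static key replays indefinitely.

```python
# Added example: a minimal model of just-in-time (JIT) secrets. Credentials are
# issued on demand with a short lease, checked against that lease on every use,
# and can be revoked or swept. This is a stand-alone illustration of the
# principle, not HashiCorp Vault's API.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Lease:
    principal: str
    cred_hash: bytes      # the broker stores only a hash of the credential
    issued_at: float
    ttl: float
    revoked: bool = False

    def is_live(self, now: float) -> bool:
        return not self.revoked and now < self.issued_at + self.ttl


class JitSecretBroker:
    """Issues short-lived credentials and validates them on each use.

    `clock` is injectable so the lease behaviour can be exercised deterministically.
    """

    def __init__(self, clock, default_ttl: float = 300.0):
        self.clock = clock
        self.default_ttl = default_ttl
        self.leases: Dict[str, Lease] = {}

    def issue(self, principal: str, ttl: Optional[float] = None) -> Tuple[str, str]:
        cred = secrets.token_urlsafe(32)          # handed to the caller once
        lease_id = secrets.token_hex(8)
        self.leases[lease_id] = Lease(
            principal=principal,
            cred_hash=hashlib.sha256(cred.encode()).digest(),
            issued_at=self.clock(),
            ttl=self.default_ttl if ttl is None else ttl,
        )
        return lease_id, cred

    def validate(self, lease_id: str, cred: str) -> bool:
        lease = self.leases.get(lease_id)
        if lease is None or not lease.is_live(self.clock()):
            return False                          # unknown, expired or revoked
        presented = hashlib.sha256(cred.encode()).digest()
        return hmac.compare_digest(presented, lease.cred_hash)

    def revoke(self, lease_id: str) -> None:
        if lease_id in self.leases:
            self.leases[lease_id].revoked = True

    def sweep(self) -> int:
        """Drop dead leases; returns how many were removed."""
        now = self.clock()
        dead = [k for k, lease in self.leases.items() if not lease.is_live(now)]
        for k in dead:
            del self.leases[k]
        return len(dead)


class FakeClock:
    """Constructed clock so the scenario below is reproducible."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def leaked_key_outcome(ttl: float, stolen_at: float, used_at: float) -> bool:
    """True if a credential copied at `stolen_at` and replayed at `used_at`
    (seconds after issue) would still be accepted by the broker."""
    clock = FakeClock()
    broker = JitSecretBroker(clock, default_ttl=ttl)
    lease_id, cred = broker.issue("deploy-bot")   # constructed principal
    clock.advance(stolen_at)                      # credential copied out here
    clock.advance(used_at - stolen_at)            # ... and replayed here
    return broker.validate(lease_id, cred)


if __name__ == "__main__":
    # Constructed scenario: key copied one minute after issue, replayed an hour later.
    print("static key (1y TTL) replays after 1h:", leaked_key_outcome(365 * 86400, 60, 3600))
    print("JIT key (5m TTL) replays after 1h:", leaked_key_outcome(300, 60, 3600))
```

The broker never keeps the plaintext credential, compares hashes in constant time, and treats an unknown lease id, an expired lease and a revoked lease identically, so an operator can cut off a suspected leak with `revoke` without waiting for the TTL.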
Interesting. Are you able to share the setup here (I understand if there’s a security-by-obscurity principle here also)? I’d be interested to see if I could implement something similar for my operations.