Who watches the watchers?
Disclaimer: this post went live on Dec 6, 2022. The most up-to-date information regarding Moonstream security operations will be maintained in this Notion document.
Web3 security is broken. The space is dominated by consultants who work with you for a handful of weeks, mostly restrict their attention to your smart contracts, and bear no downside for undiscovered vulnerabilities.
At Moonstream, we understand three things:
Web3 applications are more than just smart contracts
Web3 applications involve smart contracts, web infrastructure, frontends, and live operations. The security of a web3 application is only as strong as the weakest of those components. Securing only the smart contracts is not enough. The Ronin bridge hack is a clear demonstration of this: the attacker drained the bridge by obtaining a majority of the validator signing keys through compromised operator infrastructure, not by exploiting a bug in the bridge contracts.
Real-world software is constantly evolving
Good engineering teams frequently ship improvements to their software, even when that software includes smart contracts. A point-in-time audit covers only the code that existed when it was performed, so every subsequent release either goes unreviewed or triggers another engagement. This makes the current model of engagement with web3 security firms intellectually inefficient and exorbitantly expensive.
You cannot entrust the security of your platform to someone with no skin in the game
Those of us building novel web3 applications in 2022 are betting our reputations and our livelihoods on the technology we create. It is absurd for us to entrust its security to people who stand to lose nothing if it gets hacked. Incentives matter. Especially in security.
This leads us to two decisions:
Moonstream will build its own security team
Our platform hosts entire economies. We, especially, cannot afford to outsource our security. The buck stops with us. We will build our own internal security team and make sure that its interests are the interests of our organization.
Moonstream will offer security services to our customers and our partners
We have observed that our customers and partners are as poorly served by web3 security firms as we are. If you are a Moonstream customer or partner, it is already in our interests that you not get hacked. We are open to increasing our mutual alignment by offering you security services as an extension of our partnership.
Our security services are structured as a long-term agreement with a fixed fee and with bonuses for all exploits we find.
We are looking to provide deep security services to a small number of projects that we work closely with. This kind of depth can only come from a long-term relationship with a security team that really understands your technology and how it is used.
Accordingly, we are not looking to scale this line of business. Our aim is to protect our closest partners from existential security threats.
We have already provided much more value to our partners than any other web3 security team. If you are interested in Moonstream Security services, you know where to find us.