Product & Architecture
The Problem:
In 2022 alone, over $2.8 billion USD was lost due to smart contract exploits. Alarmingly, 92% of the exploited contracts had been audited. This trend is continuing in 2023, with large-scale losses due to private key and access control leakage-based exploits. In many cases, these exploits are happening even when organizations are leveraging third-party custodians and/or MPC or multi-sig wallets. In short, while security audits and traditional security measures are important, it is clear they must not be the only line of defense when it comes to on-chain asset security. The solution to these issues lives in real-time threat detection and response.
The Solution:
The Cyvers Security Operations Centre (SOC) is a proactive security platform that provides real-time detection and automated mitigation against exploits. The platform is built on top of proprietary machine learning and AI models to predict, alert and mitigate asset loss related risks with an accuracy of 95%. In practice, Cyvers SOC consumes all activity broadcast to the network in real-time through Cyvers-operated nodes and/or data providers. This allows our platform to monitor, classify, and risk score each interaction and to detect any malicious or illicit activity in real-time - in many cases, prior to . Our models have been trained on thousands of confirmed attacks, leading to our impressive detection rate and an industry-leading false positive rate. Within the platform there are 3 products, all of which use the same underlying technology and provide value to different groups across the Stellar/Soroban network. Each tool can be accessed through API and UI and can be integrated during development or post-deployment.
VigiLens - Native cross-chain threat intelligence platform to identify security vulnerabilities across entire networks.
-
Product - Cross-chain threat intelligence platform designed to provide a robust, real-time data feed of all security related malicious and illicit activity detected across Stellar and Soroban.
-
How - VigiLens consumes all on-chain activity in real-time and feeds this data through proprietary machine learning and AI models to provide predictive alerts to mitigate security vulnerabilities. Accessible via API or UI, users have the capability to filter for different threat criteria to ensure they’re only notified and actioning alerts that are relevant to them. In addition, you can create custom workflows and triggers to ensure that any required response is automated and initiated immediately and appropriately.
-
Audience - This tool has a very broad use case. The Stellar Foundation could leverage this data feed to better understand illicit network activity, exploit trends and use it as a source of potential areas of improvement for future upgrades on both Stellar and Soroban. Traders, hedge funds and lending protocols could leverage VigiLens as a data source to inform positions and risk exposure. Insurance companies can use it to de-risk clients building in or holding assets on Stellar/Soroban, affecting the availability and cost of insurance for ecosystem players. Given Stellar’s interest in use cases like CBDCs, cross-border payments and tokenization of RWA, public sector agencies could use VigiLens to ensure financial compliance and ensure public asset safety. These are a few of many other use cases.
Address Shield - Real-time security monitoring and incident response for wallet addresses and smart contracts.
-
Product - Customizable address-level monitoring and automated rules for response. Add addresses of interest through UI or API and protect against smart contract and application layer risks including but not limited to malicious contract deployment, smart contract exploits, oracle manipulation, MEV/front-running attacks, phishing scams, and private key and access control leakage exploits.
-
How - The implementation and “kill chain” regarding how the response mechanism would mitigate the risks is dependent on the use case. AddressShield can act as a first line of defense, alerting and triggering automated responses like contract pause functions, blocking transactions and triggering workflows. With VigiLens you can build bespoke responses for each threat type (17 in total) on individual addresses or create blanket rules. This can be implemented directly through the UI or API.
-
Audience - The tool integrates with both decentralized/non-custodial and centralized/custodial use cases. In DeFi, it can protect smart contracts against vulnerabilities and exploits. By detecting malicious contract deployments, alerting teams of manipulation attempts, and pausing contracts, Cyvers is able to prevent and mitigate asset loss. In contrast, in CeFi it can detect and mitigate access control and private key leakage related exploits. On other networks that VigiLens supports currently, we have lending protocols, DEXs, CEXs, insurance companies, regulators, analytics firms, hedge funds and layer 2s using the system to protect themselves against these threats.
Reputation Risk Scoring Engine - Cross-chain address and smart contract risk exposure scoring.
-
Product - Reputation Risk Scoring provides a complete, cross-chain view of an address or contract’s exposure to security and sanctions-related risks. It automatically scans for exposure to scams, smart contract exploits, sanctions lists, illicit funding sources and more.
-
How - Leveraging the VigiLens data set and models, the Reputation Risk Scoring Engine scans the input address and calculates an overview risk score and includes a breakdown by risk type and exposure. Please see the attached deck for further context.
-
Audience - Any organization that is looking to ensure they are not facilitating or handling digital assets that may have exposure to illicit activity can use this tool. Many criminals are leveraging cross-chain swaps and bridges as a new way to launder and obfuscate funds and existing compliance tools are not proficient in tracing risk through these types of transactions. As such, regulated organizations who are using existing compliance tools for transaction monitoring may facilitate the trade or on/off ramp of these assets without knowledge that they carry exposure to illicit activity. Reputation Risk Scoring can be used by CEXs, DEXs, law enforcement, banks, regulators, on/off ramp providers and more.
In short, Cyvers SOC can provide the entire Stellar / Soroban ecosystem with value. From the Foundation itself, to builders and down to the individual users whose assets can be protected, Cyvers SOC can be an additional pillar of security and trust in the Stellar ecosystem. Given the significant leadership role Stellar plays in developing the web3 ecosystem, we believe that Cyvers can help further demonstrate Stellar and Soroban’s commitment to user security and safety.
How does Cyvers SOC use Stellar/Soroban?
-
Cyvers is already operational and fully functioning across 9 other blockchains, all 9 of which are EVM-based. Should we be awarded the funding, our goal would be to enable our capabilities on Stellar and Soroban as our first non-EVM supported network. Stellar’s focus on accessibility to payments is something that Cyvers resonates with and we hope to support. With the launch of Soroban, we believe it is even more important to ensure the network is as secure as possible and void of as much illicit activity as possible, as transaction volume is bound to increase with the introduction of smart contracts.
-
What makes Cyvers SOC unique?
-
While there are other post-deployment security platforms for smart contract exploits, there are no other platforms that are capable of private key and access control leakage detection and response. Approximately 70% of the exploits detected in Q3 alone were of this variety (see slide 19 of pitch deck) resulting in over $540m USD in losses.
-
Due to this capability, we are able to protect organizations that don’t have smart contracts but that still custody or handle digital assets on the Stellar/Soroban networks (organizations or users).
-
No other provider has a product similar to VigiLens that can provide real-time exploit data across an entire network.
Revenue Model
-
After development and deployment of the Cyvers SOC for Stellar/Soroban, the primary operating cost will be cloud and upgrades as necessary. This will ensure there is continuity of the business as the carrying costs will be low.
-
Cyvers leverages a SaaS-based subscription model. Organizations will pay a subscription for the services to ensure their business, assets and end users remain protected.
-
Pricing will primarily be determined by a mix of parameters, namely: number of addresses/contracts monitored, transaction volume, number of user licenses, TVL (if applicable), and organization size.
-
Business growth is focused on new client acquisition across a broad subset of categories (DeFi, CeFi, government, regulators, law enforcement, hedge funds, insurance companies, data aggregators, financial institutions, etc.)
-
Cyvers raised a seed round of funding in December of 2022 and currently has runway until mid 2025. The funding received from this grant would go directly and exclusively to development of Cyvers' capabilities on Stellar/Soroban.
Marketing Industry Research
-
Over $3.6 billion USD was lost in 2022 alone as a result of exploits, hacks and scams. Cyvers is well positioned in the web3 security market as this problem only continues to grow. The market is saturated with security auditors and even the few organizations that Cyvers competes with are focused primarily on post-deployment smart contract security. Cyvers does this, plus cross-chain asset and network level threat detection as well as security reputational profiling.
-
As the crypto space continues to gain traction with everyday consumers, asset security will become a critical area of focus and a regulatory requirement.
-
Currently, many global regulatory regimes require digital asset businesses to use compliance tools to adhere to the same AML standards that apply to TradFi, such as the Travel Rule and the BSA. The International Organization of Securities Commissions (IOSCO) recently released their policy recommendations for DeFi and there were multiple mentions of the need for security monitoring. Cyvers is confident that similar regulatory requirements will soon emerge with respect to security monitoring and as such, the already substantial addressable market will only expand.
What potential challenges do we face?
-
Adapting our systems to a non-EVM network
-
We are going to build an ETL for non-EVM networks, train our machine learning models on non-Solidity languages and build a risk engine unique to the Stellar and Soroban network.
-
Given that block finality on Stellar is very quick, being able to provide the same proficiency as on EVMs could be a challenge.
-
That being said, our architecture is designed to be extremely fast and efficient. Today, we support EVM L2s like Optimism that have block confirmation speeds comparable to Stellar.
User Validation & Case Studies
-
Cyvers SOC has detected 95% of exploits since its inception, with 85% being detected before or by the first transaction. 80% of the $6 billion USD lost between 2022 and 2023 could have been protected if Cyvers SOC had been implemented.
-
One recent example of how effective our system can be is with the organization Remitano, a CEX. Though they were not yet a client, our system flagged an exploit of $2.7m USD. We contacted them and by working with us and collaborating with law enforcement and Tether, we were able to provide the tools and data to have $2m of the lost assets returned/recovered.
-
Currently, Cyvers has a client mix of DeFi protocols, CEXs, Layer 2 blockchains and data providers. We are also engaged with regulators, DEXs, bridges, layer 1 and layer 2 protocols, and more.
-
The platform detected exploits impacting Curve Finance, Euler, Multichain, Stake.com, CoinsPaid, AlphaPo, PolyNetwork, Huobi Global, Balancer and many more. The deck attached provides further examples on slides 18 onwards.
Additional Questions
-
Do you plan to run Horizon as well?
-
We are planning to test data providers, and in some cases where we still have high latency or other instabilities we will look to run our own nodes. Naturally, this means leveraging Horizon, especially for historical transactions.
-
How do you plan to interact with wallets to stop fraudulent transactions in the AddressShield product?
-
Our platform monitors everything broadcast to the network -> detects any malicious activity in real-time -> alerts and allows DApps and builders to automate customized responses to prevent illicit activity. For example, if it is a contract, we can execute a transaction to invoke a specific function to pause the protocol or another emergency function; in the case of a wallet, we can execute a pre-signed rescue transaction to migrate the funds to a specific backup wallet defined by the user. The response/reaction is dependent on the specific circumstance and desired action of the end user.
-
Not as sure that their exploit prediction will be as useful due to a lack of data to train models on
-
We have both supervised and unsupervised approaches to detect malicious contracts and provide early warnings. While the training data set is valuable, it does not mean that we cannot provide protection without it. We can detect anomalous contracts with malicious code and we can use transfer learning techniques to bolster the system if a lack of data is present.