Hours | Tags | Feedback |
---|---|---|
1 | Review strategies, polls, comments, do research and make votes | ||
0.5 | Sync on recovery address and guardian matters with Timeless | ||
2.5 | More granular stats histogram; Repeated runs for stats retrieval and verifications; Fix a bug with blank staking page caused by scientific representation of javascript numbers; Save output for stats histogram; Review suggested fix on tracked tokens (#314) | ||
0.5 | Include staked balance for stats histogram; Update key stats numbers | ||
2 | Backup APIs and verifyByEmail for users | ||
3 | Initial review and request for information on Horizon Bridge launch; Research on backup approaches and GCS implementations; Review on Timeless source code pull request related to loading EOTP in memory; Review Timeless proposed security diagram; Provide feedback and guidance on deficiencies and potential areas of improvements | ||
1 | (Continued) and research on best GCS approaches for backup services | ||
3 | Review of Harmony offsite initiatives; Research, summary, and written plan for Security, Monitoring, Alert initiative | ||
0.5 | (Continued) | ||
2 | Debugging stats generator; Fix stats issues related to factory deployed address; Identify root cause of zero-balance issues; Address deduplication | ||
4.5 | (Continued) and deploy stats in production relayer; add api for stats in relayer; update client side stats retrieval and caching; More address and balance deduplication | ||
1 | Stats histogram script and improvements; Granular stats counter including overall counter and balance and those related to Timeless | ||
1 | (Continued) | ||
2 | (Continued) | ||
2 | Fix stats bugs with balance update and address caching; add scripts to refresh all balance | ||
2 | Resolve merge conflict; Debugging with zero balance issues; Sync with John; Factory deployed transaction extraction and address computation | ||
1 | Review v2 routes and components (#310) | ||
1 | Review stats generator first draft (#312); Revise and debugging stats generator, simplify implementation, and significantly optimize the performance; Research on fast statistics retrieval and computation methods | ||
1 | (Continued) | ||
2 | (Continued) | ||
3.5 | (Continued) and updating testing README; review dynamic custom theming (#301); Review recovery issue (#309) | ||
1.5 | Fix recovery issues (#309); v2ui review (#304) | ||
1 | Review and revise v2 routes and components (#310) | ||
0.5 | Response team briefing | ||
1 | Sync with John on testing, statistics generator, and web3 integration | ||
4 | Debug and fix set-recovery-address and general operation issue; Fix major cause of failures in relayer (upgrading from old versions); Sync with Brayden Ooi (prospective frontend development) | ||
2 | Review, debugging, and fixing of various issues with innerCore testing and adjustment of time in testing (#298) | ||
5.5 | (Continued) and various implementations for minimizing user friction | ||
4 | (Continued) and extending signup to components where a new verification code is set up | ||
5 | Experiment with OS-managed verification code; Backend for user signup; Data validation; Autofill OTP in all pages wherever applicable | ||
2 | Security AMA (Twitter Space) | ||
1 | Security Reddit AMA and Medium blog review | ||
2 | Research and experiments with OS-managed verification code | ||
5 | (Continued) and fix buggy implementation of BATCH operation in contract; Feature request for staked-transfer; RPC Log review for theft investigation | ||
1 | Debugging and sync on InnerCore related tests | ||
1 | Security AMA written responses | ||
4 | v16 release notes and detailed updates and notes on several issues pertaining to v16; Require recovery address before upgrading; Integration with Transak USD gateway and Apple Pay; Security AMA preparation; USDC theft investigation | ||
0.5 | Sync with John | ||
2 | Fingerprint IP tracing manual review for theft investigation; Fix v2ui wallet header; Review new UI theming (#299) | ||
1.5 | (Continued) Fix and simplify tests pertaining to upgrade, innerCore, security, and spending limit; Simplify test utilities | ||
2.5 | (Continued) | ||
0.5 | Review Timeless Proposal | ||
0.5 | Response team briefing | ||
5 | Review, debug, and fix Create component refactoring (#292) | ||
10 | Relayer analytics ElasticSearch setup, schema, persistence implementation, data capturing, fingerprint (user agent and IP) capturing, request parsing, debugging and testing; Fix Relayer early abort errors; Sync with John | ||
3 | (Continued) ElasticSearch setup and persistence; Add more QR code supported formats (#233) | ||
2 | Prompt warning about sending funds to exchanges; README update | ||
0.5 | Review Timeless NFT avatar proposals and provide feedback | ||
3.5 | Debugging panic issue of private RPC node; Experiment and tests with private RPC nodes in production and confirmation of working node | ||
5 | Relayer analytics API and private RPC health check API | ||
1.5 | (Continued) | ||
1 | (Continued) | ||
2 | (Continued) and experiments with GCP network SSD, local NVME SSD and mergefs | ||
3 | (Continued) conclusion of the experiments and confirmed final, stable RPC node / validator setup | ||
4 | Debug and fix an ambiguous method call in relayer that is present for older versions; Review and fix a bug with invoking contract call in web client (causing multisig authorization issue #291) | ||
4 | (Continued) Compile script bug fixes, debugging cross-compile and dependency issues, and others; Setup validator | ||
2 | Debugging and profiling RPC and validator node data sync issues | ||
1.5 | (Continued) | ||
3.5 | Harmony core / RPC node I/O issue debugging and experiments; Sync with John on testing | ||
3 | (Continued) | ||
0.5 | Response team briefing | ||
0.5 | Sync with John | ||
1.5 | Assist Timeless in meeting regarding NFT and its external partner; Sync with Timeless | ||
4 | (Continued) RPC node and validator setup and debugging; Produce more messages in relayer | ||
0.5 | Sync with John | ||
1 | Relayer stability improvement | ||
4 | RPC node custom compiling, setup, data sync, and debugging | ||
1 | Debugging relayer issues; Manual restart and inspections; Sync with Timeless on RPC issue | ||
1.5 | Sync with Timeless | ||
0.5 | Response and investigation into Timeless inquiries related to RPC issues | ||
0.5 | Response team briefing | ||
0.5 | Upgrade failure issue debugging | ||
0.5 | Letter of Acknowledgement review and suggestions | ||
0.5 | Response to Timeless inquiries related to domain registration and pricing mechanisms | ||
1 | Continued Token Testing review (#274) | ||
1 | Continued Token Testing review (#274) | ||
1 | Recent major theft incident tracing, analysis, and TODO suggestions | ||
0.5 | Sync with John | ||
2 | Review of LittleSnitch safety and feasibility of using VPN to restrict network connections for major asset transactions | ||
1 | Response to Timeless inquiry of issues related to an NFT contract and review the contract | ||
1 | Token Testing review (#274) | ||
0.5 | Further review and response to Timeless NFT contract | ||
1 | Continued Token Testing review (#274) | ||
3 | (Continued) Final review and testing of v16. Release v16; Release testing and documentation of issues (#287) | ||
1 | Provide opinion and analysis to FBI follow-up questions | ||
0.5 | Response team briefing | ||
0.5 | Response and investigation to Timeless inquiry regarding wallet creation slowness on Android | ||
0.5 | Sync with Timeless on RPC issues and solutions | ||
4 | Simplify tests, fix issues and implementation errors; Validate all tests | ||
2 | Review of Ogre theft incident report; Dispatch report to FBI and provide comments | ||
4 | Further bug fixes and simplification of tests; Fix testing framework README and documentations (#273, #274, #282, #283, #279) | ||
3 | (Continued) | ||
3 | (Continued) and fixing red packet; upgrade core library for intelligent flow with commands; fix issues with core flow | ||
5.5 | (Continued) and debug, testing, live testing in production of key features related to command; Validate security patch and implications | ||
1 | Merge conflict resolution with testing branch; Validate and review tests and test framework | ||
7 | Ogre theft incident investigative report (report #4) | ||
1 | Use command library wherever applicable; Unify commit-reveal | ||
2.5 | (Continued) Implement command library in core flow | ||
4.5 | Security issue (#276); Event parsing library issue (#277); Command library issue (#278); Verifying Reliable Relayer (#259); Security Vulnerability (#253); Testing (#279); Test Framework (#282); Test Coverage (#283); Self-hosted RPC nodes (#281); Deliverable documentation and organization | ||
1 | Response team briefing | ||
6 | Command library design, implementation, debugging | ||
1 | Manual querying and analysis of all possible DFK contract addresses for theft investigation | ||
2 | Sync with John on testing; Fix two security issues (#275) | ||
5 | Continued research and design on proxy mechanisms and same-address upgrade (#189) | ||
1.5 | Debug and fix issues with command; Add command tests; Finalize security patch #275 | ||
2 | Relayer overall error handling improvements; Better handling of cases when a contract is already deployed | ||
5 | Continued research and design on proxy mechanisms and same-address upgrade (#189) | ||
2 | Ogre theft incident investigation (establishing theft amounts and events) | ||
1 | Local testing and debugging, and documenting solution to Safari HTTPS issue | ||
1 | Sync with Tao on various PRs (WalletConnect, TransactionViewer, hotfixes) and frontend development issues | ||
0.5 | Response team briefing | ||
2.5 | Research and design on proxy mechanisms and same-address upgrade (#189) | ||
2.5 | (Continued) | ||
3 | (Continued) review and next steps for (#251) | ||
2 | Review and detailed feedback on Testing (#263) | ||
1 | Sync with John and resolve key testing development issues | ||
1 | Ogre theft incident investigation | ||
2 | (Continued) | ||
4 | More powerful and consistent log parser; Add message template and amount formatting capability in event library; Transaction viewer rendering fixes and use event library; Fix issues with parsing external payments; Update TODO | ||
2 | (Continued) | ||
4 | Review staking (#268) and detailed feedback on testing (#263) | ||
1 | Review of theft incidents related to Ogre and others | ||
1 | Transaction viewer: review, feedback, and planning (#251); Merge conflict resolution; new APIs for RPC methods | ||
4 | Transaction viewer fixes, transaction log parser fixes, support multiple events per transaction, fix staking events; Show commit transactions; Fix display pagination errors; Zero-day vulnerability research and its relation to theft incidents | ||
1 | MetaMask Security Protocol Review | ||
0.5 | Response team briefing | ||
1 | Sync with John | ||
0.5 | Sync with Timeless regarding NFT and MADNFT | ||
1 | Review and debug testing issues (John) | ||
2.5 | Review of Timeless response to security issues; Review Timeless Merkle Tree creation implementation; Experimenting and debugging with different collect reward reveal implementations | ||
0.5 | Condensed Q1 assessment | ||
1 | Sync with Tao and discuss next steps of developments | ||
0.5 | Sync with cylim on next frontend developments | ||
2.5 | Transaction viewer (#251) review and cleanup | ||
4 | (Continued) Unstake functionalities, debugging, testing | ||
1 | Collect reward page for staking; Common components; Fix bugs related to collect reward; Simplify utility functions; Compute funds available for redelegation | ||
5 | (Continued) | ||
1 | (Continued) | ||
1.5 | 2022 Q1 Summary and Assessment | ||
0.5 | Response team briefing | ||
4 | Simplify reveal calls; Remove dependency to Harmony JS SDK and providers; Fix provider setup for resolver contracts; Fix bugs related to operation code; Fix Enums.OperationType.UNTRACK executor logic; Event hash script update and new events related to staking; Working version of Staking from UI; Use websocket for truffle executions | ||
3 | Staking api and its own rpc base; Improved staking UI, Stake table and reward display; Integration into main UI; Review Timeless custom implementation of Red Packet | ||
0.5 | Theft investigation suspect finding review | ||
0.5 | Follow-up meeting from Protego (Project X) | ||
1 | Sync with Timeless regarding upgrade and tokens | ||
4 | Staking client-side implementations, contract improvement, and debugging | ||
4 | Relayer, deployment, scripts updates related to Staking; Sync with John; Sync with Timeless | ||
1 | Theft Incident Analysis, Continued | ||
1 | Relayer debugging, and retry and gas fees patch for more robustness | ||
1 | Theft Incident Analysis, Continued | ||
1 | Sync with John | ||
1 | Staking functionalities in contract | ||
0.5 | (Continued) | ||
2.5 | Theft Incident Analysis | ||
2 | Chrome Extension Build and Review; Follow-up from Erfan (Project X, NFT anti-scam project) | ||
0.5 | Response team briefing | ||
4.5 | Theft Incident Analysis, Continued; Sync with John (5pm) | ||
5.5 | (Continued) | ||
3 | Probabilistic self-recovering multi-account relayer implementation, experimentation, deployments | ||
4 | (Continued) and review, merge #265 | ||
2 | Timeless initial source code review and initial security issue analysis | ||
0.5 | Meeting with code4rena (crowdsourced audit) | ||
3 | Testing PR review and feedback (#263); Chrome Extension hash review and debugging | ||
1.5 | Debugging, testing, and confirming Chrome Extension Build 1.2.7; Theft amount review | ||
1 | Relayer debugging; Manual resets and devops scripts; Experimenting with local setups and various RPCs | ||
4 | Theft incident cause analysis; Contract staking implementation review; Adding staking contract; Remove cached Truffle artifacts; Relayer issue analysis and feedback | ||
1 | Recent theft incidents review and follow-up | ||
2.5 | Experimentation with Ganache CLI setup and migration from UI version; README for env setup | ||
4 | (Continued) and produce findings and next steps; Remove Harmony provider and use of JS SDK | ||
1 | Chrome Extension building, review, and debugging | ||
1.5 | Further experimentation and deployment of using websocket providers; Review and merge #261 | ||
0.5 | Chrome Extension further testing and debugging | ||
1 | Relayer and RPC debugging and experimenting | ||
4 | Relayer use managed nonce and overall improvements | ||
3 | Analysis of relayer logs and interactions between relayer and Harmony transaction pool | ||
1 | Chrome Extension building, build error fixes, and hash difference investigation; Celo incident research | ||
0.5 | Sync with John | ||
1 | Next generation UI review and planning (#260) | ||
1 | Relayer error analysis and debugging | ||
2.5 | Analysis and feedback on Shashank's Security Review Analysis | ||
1 | Sync with Shashank; Review of minor implementation flaw identified | ||
1.5 | Debug and fix constant variable references; Response team briefing | ||
1 | Sync with SilentAuth | ||
5 | Chrome Extension review, building and end-to-end testing; Relayer monitoring; Review and feedback on transaction viewer (#251), truffle-removal changes (#240) and fix errors; Domain update functionalities Q&A | ||
1 | RPC reliability investigation and analysis; Sync with Timeless | ||
0.5 | Response team briefing | ||
1 | Briefing with John | ||
2 | Code review and testing of extension wallet patch #124 | ||
1.5 | 1wallet core / web edition planning and work organization for March | ||
1 | Response team briefing and discussion on next steps | ||
1.5 | (Continued) | ||
0.5 | Evaluation of Numisme (Project X) and discussions | ||
1 | Joint evaluation on Project X prospect "FDIC for Wallet" | ||
0.5 | Theft amount verification and correction | ||
1 | Response team briefing; Review of Quoc's extension wallet final report | ||
0.5 | Sync with Timeless: roadmap, planning, NFT, campaigns, adoption strategies, technology discussions | ||
0.5 | Initial engagement with mycryptomine on 1wallet integration and feasibility evaluation | ||
1 | Joint evaluation on Project X prospect Panther Protocol | ||
1 | Preliminary evaluation on POQ (Project X) and its legal materials (SEC letter, conclusion and patent) | ||
0.5 | Term finalization meeting with C14; Scheduling with remaining Project X prospects; Term finalization with Protego | ||
1.5 | Preparation and joint evaluation of Project X prospect Cedar | ||
0.5 | Project X decision meeting and sync up | ||
3.5 | Research and analysis on Panther Protocol (for Project X) | ||
2 | (Continued) | ||
1 | Silent Auth detailed proposal additional feedback and questions | ||
1 | Diligence meeting with Deepwaters | ||
0.5 | Statement of Work clarification meeting with Coalfire | ||
1.5 | Preparation and semi-joint evaluation of Project X prospect Shift | ||
2.5 | Diligence meeting with Project X investee C14; Research and diligence on C14 thesis | ||
1 | Research and technical diligence on Project X investee Deepwaters | ||
1.5 | Joint evaluation of Project X prospect HOPR | ||
2 | Research and independent evaluation on MetaLoop; Sourcing Project X leads; Analysis on Webacy | ||
1.5 | Joint evaluation of HexaTorch | ||
1 | Research and offline evaluation on Project X prospect Cytus | ||
1.5 | Preparation and joint evaluation of Project X prospect Protego | ||
1.5 | Joint evaluation of Project X prospect Deepwaters | ||
1.5 | Project X deal sourcing (Xoogler meetup #2) | ||
0.5 | Evaluation of Project X leads | ||
1.5 | Joint evaluation of Project X prospect Gryphon; 1wallet design sync with Darren | ||
1 | Joint evaluation of Project X prospect C14 | ||
1 | Sync with FBI (with Merkle Science) | ||
1 | Project X deal sourcing (Xoogler meetup) | ||
1 | Evaluation of Project X prospect DSCAPE, meeting, and internal discussion | ||
1 | Sync with Merkle Science on Tornado Cash findings | ||
0.5 | Response team briefing | ||
1 | Evaluation of Project X leads (Xoogler Demo Day projects) | ||
0.5 | Evaluation of Project X leads | ||
0.5 | Sync with private investigator regarding suspect | ||
0.5 | Response team briefing | ||
1.5 | Sync with Timeless; Adjustment of 1wallet v14 RPC endpoint; Performance tests and analysis | ||
0.5 | Revisiting zero-day and UAE vulnerability; Internal discussions; Victim password strength review and analysis | ||
0.5 | Response team briefing | ||
1.5 | Response team briefing; Investigation on new victim (GU); Emergency response | ||
1 | Malware analysis and risk review | ||
1 | Silent Auth proposal evaluation and feedback | ||
1 | Onboarding Michael M and discussions | ||
1 | Anchain finding presentation and discussions | ||
0.5 | Malware investigation | ||
1 | Theft case investigation (lead from Binance related activities) | ||
0.5 | Response team briefing | ||
1.5 | Finalization of "Use Ethereum NFT on Harmony as Avatar" | ||
1 | Sync with Coalfire | ||
1.5 | (Continued) | ||
1.5 | Review and experimentation of Matthew's vulnerability report #1 | ||
0.5 | Revision on "Use Ethereum NFT on Harmony as Avatar" | ||
1 | Receiving updates from AnChain and discussions of issues and next steps | ||
2.5 | 1wallet, project document: Use Ethereum NFT on Harmony as Avatar | ||
0.5 | Response team briefing | ||
0.5 | |||
3 | New victim browser history analysis (BL, DD) and manual inspection of all common sites | ||
1.5 | Investigation and analysis of reported suspicious Ethereum transaction and contract address that invokes Harmony bridge | ||
0.5 | Initial engagement with Merkle Science | ||
0.5 | Research and feasibility study on amount-matching based Tornado Cash tracing techniques and past success stories | ||
1.5 | Extension production deployment and hash-verification step-by-step guide; Quick analysis of new victim / incident | ||
1 | New hackathon victim interview, analysis, and recommendation; 1wallet - engagement with Meson team (cross-chain stablecoin bridge integration) | ||
0.5 | Victim interview and Q&A call (DD) | ||
0.5 | Response team briefing | ||
1 | Sync with Silent Auth | ||
0.5 | Response team briefing | ||
0.5 | Coalfire initial engagement and scope discussion | ||
0.5 | Onboarding Matthew for extension wallet vulnerability investigation | ||
1 | Reproduction and verification of Quoc's extension build; Review of private investigator preliminary report | ||
0.5 | Victim interview and Q&A call (BL) | ||
0.5 | Response team briefing | ||
0.5 | Response team briefing | ||
0.5 | Discussion with Matthew on extension wallet code analysis | ||
0.5 | Experimentation with XSS vulnerabilities in Vue; NDA with SecureLayer7 / Cure53 | ||
0.5 | Analysis of new victim profiles and priorities (unassigned code names) | ||
0.5 | VueJS injection vulnerability experimentation | ||
0.5 | Private investigator initial briefing and preliminary assignment of work | ||
0.5 | Response team briefing | ||
3 | Report #3 on theft incidents (New Victims, Perpetrator Tracing, Previous Victims, Suspect, Backend Server Log, Frontend Fingerprints, Total Economical Damage); Analysis of linkage between attacks on multiple victims | ||
1 | Response team briefing | ||
0.5 | Sync with Sukanta and internal discussions | ||
0.25 | Secureworks second and final engagement (not to proceed) | ||
1.5 | Engagement with red teams and security firms; Review of all victim and perpetrator addresses, blacklisting states, and movements of funds | ||
0.25 | Secureworks initial engagement | ||
0.5 | Response team briefing | ||
1 | MyContainer incident review, analysis, and discussion | ||
1.5 | Engagement with private investigators and preliminary exchange of information | ||
1 | Chrome extension wallet PR 117 review and testing; Sync with Quoc | ||
1 | Sync with Anchain; Response team briefing | ||
1 | Response team internal discussions and planning | ||
3 | (Continued) Merged and launched v15; Fix 6x6 restore failure after a wallet is upgraded and renewed from v14; Full release notes | ||
2 | Deploying v14 and v15 relayers, setting endpoints and system services; Monitor network stability and debug related issues | ||
4 | Response team briefing; Victim counselling procedure consultation (MN); Further investigation into fingerprints and transaction patterns, based on new data collected from new victims | ||
0.5 | SecureLayer7 / Cure53 engagement and initial briefing; Internal discussions | ||
6 | (Continued) Check whether wallet hasSuperOTP; Fix issues with upgrade to v15 wallet; Clear OTP input only when it is nonempty; Restrict non-v15 wallets from adjusting limits; Blacklist some recovery addresses and make 1wallet DAO their recovery address during upgrade; Keep React component loaded during restore to ensure wallet parameters are properly passed; Ensure worker parameter has seed; Move debug message to debug mode only; Add innerRoots check on localExport; Add fallback params in Upgrade; Use api.harmony.one RPC by default; Improve messages related to emitted events; Fix MetaMask tool; Remove Chrome extension wallet from README; Improve renewal messaging; Fix an issue which may cause multiple workers to be created | ||
1 | Chrome extension wallet incident response: new victim profile (MN), investigation, internal discussions; Emergency responses; Tornado Cash tracing and matching patterns against known hackers and victims | ||
9 | (Continued); 1wallet: Fix some issues which may cause renewal to malfunction or incorrectly mark a wallet as "expired"; Fix worker spamming logs; More granular messages and instructions when a user accesses functionalities that require renewed / upgraded wallets; Make upgrade box promptable; Fix a bug in renewal which causes the process to stall; Fix a bug in renewal where old core parameters are used in lieu of new ones; Implement early termination to enable much more efficient calls to deriveSuperOTP; Fix zero-valued effectiveTime in renewal | ||
4 | Abort mechanism in event messages; Core lib: EOTPDerivation; Core util: genOTPStr (for efficient debugging when multiple OTPs are required); Add more verbose logging to relayer; Use EOTPDerivation in relevant functions; Revamp spending limit prompts and checking mechanisms; Fix bug in remaining limit display on balance page; Fix renew-now link | ||
1 | Better organized renew page | ||
6 | Fix truffle distinction between dev and ganache; Core lib: add sanity check of parameters to makeCore; CoreDisplaced and CoreDisplacementFailed error handling; Use oldInfo's (i.e. previous security parameters / OTP roots on contract) effectiveTime in deriveSuperEOTP; More structured frontend infrastructure utils (useSuperOps, useOpsBase); Fully functional renewal for v15 | ||
2.5 | AnChain sync; Response team briefing; Sync with Quoc; Analysis of possible scammer/imposter and linkage of hacks | ||
6 | 1wallet: Core flow util: deriveSuperOTP; Use deriveSuperOTP in RestoreByCodes; Fully functional spend limit adjustment component | ||
1 | Response team briefing; New victim analysis and next step recommendations (MC); Formulation of special process for large accounts at risk; Internal discussions | ||
0.5 | (Continued) Interview with owners of large accounts at risk | ||
3.5 | Review and debug 1wallet #228 (bundle size reduction), #241 (hotfix of missing styles); Fix bug in core processing util (missing array initialization); Increase timeout in response to RPC instability; Utilities for intelligently producing wallet name hints and use them in every place where names are referred to; Create wallet component shared functions regarding before/after commit and preparing proofs; Rearrange balance and spend limit components; Spend limit adjustment components | ||
6.5 | (Continued) | ||
0.5 | Response team briefing |
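
The entry "Fix a bug with blank staking page caused by scientific representation of javascript numbers" records a pitfall worth seeing in code. The block below is an added example, not 1wallet's own code: once an on-chain balance in wei reaches 1e21 (1000 tokens at 18 decimals), `String(Number(weiStr))` yields `"1e+21"`, which any digits-only validator or parser downstream rejects, and the page has nothing to render. The safe path keeps the value as a `BigInt` and places the decimal point by string arithmetic, in both directions. The function names, the 18-decimal assumption and the sample balances are constructed for this example.

```javascript
// Added example (not 1wallet's code): why a large balance that passes through a
// JavaScript Number is rendered in scientific notation, and a BigInt-based
// formatter/parser that avoids the problem. Names and sample values are
// assumptions for illustration; the 18-decimal unit is assumed.

// Naive conversion: an RPC returns the balance as a decimal string; sending it
// through Number loses precision above 2^53 and, at >= 1e21, produces "1e+21".
function weiToStringNaive(weiStr) {
  return String(Number(weiStr));
}

// A digits-only check of the kind a UI might apply before rendering a balance.
// Fed "1e+21" it returns false, which is how a page ends up blank.
function isDecimalInteger(s) {
  return /^\d+$/.test(s);
}

// Lossless formatting: wei string -> human-readable amount via BigInt.
// `precision` caps the displayed fractional digits; trailing zeros are dropped.
function formatBalance(weiStr, decimals = 18, precision = 4) {
  if (!isDecimalInteger(weiStr)) {
    throw new Error('expected an unsigned decimal integer string');
  }
  const wei = BigInt(weiStr);
  const base = 10n ** BigInt(decimals);
  const whole = wei / base;                                   // integer part
  const fracFull = (wei % base).toString().padStart(decimals, '0');
  const frac = fracFull.slice(0, precision).replace(/0+$/, '');
  return frac ? `${whole}.${frac}` : whole.toString();
}

// The reverse direction: user-entered "1.5" -> wei as BigInt, again never
// touching Number, so amounts well beyond 2^53 wei survive intact.
function parseToWei(amountStr, decimals = 18) {
  const m = /^(\d+)(?:\.(\d+))?$/.exec(amountStr);
  if (!m) throw new Error('invalid amount');
  const whole = m[1];
  const frac = m[2] || '';
  if (frac.length > decimals) throw new Error('too many decimal places');
  return BigInt(whole) * 10n ** BigInt(decimals) + BigInt(frac.padEnd(decimals, '0'));
}

// Sample balances (constructed): 1000 tokens and 1.5 tokens, in wei.
const THOUSAND_TOKENS_WEI = '1000000000000000000000';
const ONE_AND_HALF_WEI = '1500000000000000000';

console.log(weiToStringNaive(THOUSAND_TOKENS_WEI));                   // "1e+21"
console.log(isDecimalInteger(weiToStringNaive(THOUSAND_TOKENS_WEI))); // false
console.log(formatBalance(THOUSAND_TOKENS_WEI));                      // "1000"
console.log(formatBalance(ONE_AND_HALF_WEI));                         // "1.5"
console.log(parseToWei('1.5').toString());                            // "1500000000000000000"
```

The same rule applies to anything that builds on these values: compute in `BigInt` (or a decimal library), convert to `Number` only for display of already-rounded results, and validate the raw string before conversion rather than after.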