Timesheet & Peer Bonus (with giv.one)

Review strategies, polls, comments, do research and make votes

Sync on recovery address and guardian matters with Timeless

More granular stats histogram; Repeated runs for stats retrieval and verifications; Fix a bug with blank staking page caused by scientific representation of javascript numbers; Save output for stats histogram; Review suggested fix on tracked tokens (#314)

Include staked balance for stats histogram; Update key stats numbers

Backup APIs and verifyByEmail for users

Initial review and request for information on Horizon Bridge launch; Research on backup approaches and GCS implementations; Review on Timeless source code pull request related to loading EOTP in memory; Review Timeless proposed security diagram; Provide feedback and guidance on deficiencies and potential areas of improvements

(Continued) and research on best GCS approaches for backup services 

Review of Harmony offsite initiatives; Research, summary, and written plan for Security, Monitoring, Alert initiative

(Continued)

Debugging stats generator; Fix stats issues related to factory deployed address; Identify root cause of zero-balance issues; Address deduplication

(Continued) and deploy stats in production relayer; add api for stats in relayer; update client side stats retrieval and caching; More address and balance deduplication

Stats histogram script and improvements; Granular stats counter including overall counter and balance and those related to Timeless

(Continued)

(Continued)

Fix stats bugs with balance update and address caching; add scripts to refresh all balance

Resolve merge conflict; Debugging with zero balance issues; Sync with John; Factory deployed transaction extraction and address computation

Review v2 routes and components (#310)

Review stats generator first draft (#312); Revise and debugging stats generator, simplify implementation, and significantly optimize the performance; Research on fast statistics retrieval and computation methods

(Continued)

(Continued)

(Continued) and updating testing README; review dynamic custom theming (#301); Review recovery issue (#309)

Fix recovery issues (#309); v2ui review (#304)

Review and revise v2 routes and components (#310)

Response team briefing

Sync with John on testing, statistics generator, and web3 integration

Debug and fix set-recovery-address and general operation issue; Fix major cause of failures in relayer (upgrading from old versions); Sync with Brayden Ooi (propsective frontend development)

Review and debugging and fixing various issues with innerCore testing and adjustment of time in testing (#298); 

(Continued) and various implementations for minimizing of user frictions

(Continued) and extending signup to components where new verification code is set up; 

Experiment with OS-managed verification code; Backend for user signup; Data validation; Autofill OTP in all pages wherever applicable

Security AMA (Twitter Space)

Security Reddit AMA and Medium blog review 

Research and experiments with OS-managed verification code

(Continued) and fix buggy implementation of BATCH operation in contract; Feature request for staked-transfer; RPC Log review for theft investigation

Debugging and sync on InnerCore related tests

Security AMA written responses

v16 release notes and detailed updates and notes on several issues pertaining to v16; Require recovery address before upgrading; Integration with Transak USD gateway and Apple Pay; Security AMA preparation; USDC theft investigation

Sync with John

Fingerprint IP tracing manual review for theft investigation; Fix v2ui wallet header; Review new UI theming #299;

(Continued) Fix and simplify tests pertaining to upgrade, innerCore, security, and spending limit; Simplify test utilities

(Continued)

Review Timeless Proposal

Response team briefing

Review, debug, and fix Create component refactoring (#292)

Relayer analytics ElasticSearch setup, schema, persistence implementation, data capturing, fingerprint (user agent and IP) capturing, request parsing, debugging and testing; Fix Relayer early abort errors; Sync with John

(Continued) ElasticSearch setup and persistence; Add more QR code supported formats (#233)

Prompt warning about sending funds to exchanges; README update

Review Timeless NFT avatar proposals and provide feedback

Debugging panic issue of private RPC node; Experiment and tests with private RPC nodes in production and confirmation of working node

Relayer analytics API and private RPC health check API

(Continued)

(Continued)

(Continued) and experiments with GCP network SSD, local NVME SSD and mergefs

(Continued) conclusion of the experiments and confirmed final, stable RPC node / validator setup

Debug and fix an ambiguos method call in relayer that is present for older versions; Review and fix a bug with invoking contract call in web client (causing multisig authorization issue #291)

(Continued) Compile script bug fixes, debugging cross-compile and dependency issues, and others; Setup validator

Debugging and profiling RPC and validator node data sync issues

(Continued)

Harmony core / RPC node I/O issue debugging and experiments; Sync with John on testing

(Continued)

Response team briefing

Sync with John

Assist Timeless in meeting regarding NFT and its external partner; Sync with Timeless

(Continued) RPC node and validator setup and debugging; Produce more messages in relayer

Sync with John

Relayer stablity improvement

RPC node custom compiling, setup, data sync, and debugging

Debugging relayer issues; Manual restart and inspections; Sync with Timeless on RPC issue

Sync with Timeless

Response and investigation into Timeless inquiries related to RPC issues

Response team briefing

Upgrade failure issue debugging

Letter of Acknowledgement review and suggestions

Response to Timeless inquiries related to domain registration and pricing mechanisms

Continued Token Testing review (#274)

Continued Token Testing review (#274)

Recent major theft incident tracing, analysis, and TODO suggestions

Sync with John

Review of LittleSnitch safety and feasibilities of using VPN to restrict network connections for major asset transanctions

Response to Timeless inquiry of issues related to an NFT contract and review the contract

Token Testing review (#274)

Further review and response to Timeless NFT contract

Continued Token Testing review (#274)

(Continued) Final review and testing of v16. Release v16; Release testing and documentation of issues (#287)

Provide opinion and analysis to FBI follow-up questions

Response team briefing

Response and investigation to Timeless inquiry regarding wallet creation slowness on Android

Sync with Timeless on RPC issues and solutions

Simplify tests, fix issues and implementation errors; Validate all tests

Review of Ogre theft incident report; Dispatch report to FBI and provide comments

Further bug fixes and simplification of tests; Fix testing framework README and documentations (#273, #274, #282, #283, #279)

(Continued)

(Continued) and fixing red packet, upgrade core library for intelligently flow with commands, fix issues with core flow

(Continued) and debug, testing, live testing in production of key features related to command; Validate security patch and implications

Merge conflict resolution with testing branch; Validate and review tests and test framework

Ogre theft incident investigative report (report #4)

Use command library whereever applicable; Unify commit-reveal

(Continued) Implement command library in core flow

Security issue (#276); Event parsing library issue (#277); Command library issue (#278); Verifying Reliable Relayer (#259); Security Vulnerability (#253); Testing (#279); Test Framework (#282); Test Coverage (#283) Self-hosted RPC nodes (#281); Deliverable documentation and organization

Response team briefing

Command library design, implemetation, debugging

Manual querying and analysis of all possible DFK contract addresses for theft investigation

Sync with John on testing; Fix two security issues (#275)

Continued research and design on proxy mechanisms and same-address upgrade (#189)

Debug and fix issues with command; Add command tests; Finalize security patch #275

Relayer overall error handling improvements; Better handling of cases when a contract is already deployed 

Continued research and design on proxy mechanisms and same-address upgrade (#189)

Ogre theft incident investigation (establishing theft amounts and events)

Local testing and debugging, and documenting solution to Safari HTTPS issue

Sync with Tao on various PRs (WalletConnect, TransactionViewer, hotfixes) and frontend development issues

Response team briefing

Research and design on proxy mechanisms and same-address upgrade (#189)

(Continued)

(Continued) review and next steps for (#251)

Review and detailed feedback on Testing (#263)

Sync with John and resolve key testing development issues

Ogre theft incident investigation

(Continued)

More powerful and consistent log parser; Add message template and amount formatting capability in event library; Transaction viewer rendering fixes and use event library; Fix issues with parsing external payments; Update TODO; 

(Continued)

Review staking (#268) and detailed feedback on testing (#263)

Review of theft incidents related to Ogre and others

Transaction viewer: review, feedback, and planning (#251); Merge conflict resolution; new APIs for RPC methods 

Transaction viewer fixes, transaction log parser fixes, support multiple events per transaction, fix staking events; Show commit transactions; Fix display pagination errors; Zero-day vulnerability research and its relation to theft incidents

MetaMask Security Protocol Review

Response team briefing

Sync with John

Sync with Timeless regarding NFT and MADNFT

Review and debug testing issues (John)

Review of Timeless response to security issues; Review Timeless Merkle Tree creation implementation; Experimenting and debugging with different collect reward reveal implementations

Condensed Q1 assessment

Sync with Tao and discuss next steps of developments

Sync with cylim on next frontend developments

Transaction viewer (#251) review and cleanup

(Continued) Unstake functionalities, debugging, testing

Collect reward page for staking; Common components; Fix bugs related to collect reward; Simplify utility functions; Compute funds available for redelegation

(Continued)

(Continued)

2022 Q1 Summary and Assesment

Response team briefing

Simplify reveal calls; Remove dependency to Harmony JS SDK and providers; Fix provider setup for resolver contracts; Fix bugs related to operation code; Fix Enums.OperationType.UNTRACK executor logic; Event hash script update and new events related to staking; Working version of Staking from UI; Use websocket for truffle executions

Staking api and its own rpc base; Improved staking UI, Stake table and reward display; Integration into main UI; Review Timeless custom implementation of Red Packet

Theft investigation suspect finding review

Follow up meeting from Protego (Projext X)

Sync with Timeless regarding upgrade and tokens

Staking client-side implementations, contract improvement, and debugging

Relayer, deployment, scripts updates related to Staking; Sync with John; Sync with Timeless

Theft Incident Analysis, Continued

Relayer debugging, and retry and gas fees patch for more robustness 

Theft Incident Analysis, Continued

Sync with John

Staking functionalities in contract

(Continued)

Theft Incident Analysis

Chrome Extension Build and Review; Follow-up from Erfan (Projext X, NFT anti-scam project)

Response team briefing

Theft Incident Analysis, Continued; Sync with John (5pm)

(Continued)

Probablistics self-recover multi-account relayer implementation, experimentation, deployments

(Continued) and review, merge #265

Timeless initial source code review and initial security issue analysis

Meeting with code4rena (crowdsourced audit)

Testing PR review and feedback (#263); Chrome Extension hash review and debugging

Debugging, testing, and confirming Chrome Extension Build 1.2.7; Theft amount review

Relayer debugging; Manual resets and devops scripts; Experimenting with local setups and various RPCs

Theft incident cause analysis; Contract staking implementation review; Adding staking contract; Remove cached Truffle artifacts; Relayer issue analysis and feedback

Recent theft incidents review and follow-up

Experimentation with Ganache CLI setup and migration from UI version; README for env setup

(Continued) and produce findings and next steps; Remove Harmony provider and use of JS SDK

Chrome Extension buidling, review, and debugging

Further experimentation and deployment of using websocket providers; Review and merge #261

Chrome Extension further testing and debugging

Relayer and RPC debugging and experimenting

Relayer use managed nonce and overall improvements

Analysis of relayer logs and interactions between relayer and Harmony transaction pool

Chrome Extension building, build error fixes, and hash difference investigation; Celo incident research

Sync with John

Next generation UI review and planning (#260)

Relayer error analysis and debugging

Analysis and feedback on Shashank's Security Review Analysis

Sync with Shashank; Review of minor implementation flaw identified

Debug and fix constant variable references; Response team briefing; 

Sync with SilentAuth

Chrome Extension review, building and end-to-end testing; Relayer monitoring; Review and feedback on transaction viewer (#251), , truffle-removal changes (#240) and fix errors; Domain update functionalities Q&A

RPC reliability investigation and analysis; Sync with Timeless

Response team briefing

Briefing with John

Code review and testing of extension wallet patch #124

1wallet core / web edition planning and work organization for March

Response team briefing and discussion on next steps

(Continued)

Evaluation of Numisme (Project X) and discussions

Joint evaluation on Project X prospect "FDIC for Wallet"

Theft amount verification and correction

Response team briefing; Review of Quoc's extension wallet final report

Sync with Timeless: roadmap, planning, NFT, campains, adoption strategies, technology discussions 

Initial engagement with mycryptomine on 1wallet integration and feasibility evaluation

Joint evaluation on Project X prospect Panther Protocol

Preliminary evaluation on POQ (Project X) and its legal materials (SEC letter, conclusion and patent)

Term finalization meeting with C14; Scheduling with remaining Project X prospects; Term finalization with Protego

Preparation and joint evaluation of Project X prospect Cedar

Project X decision meeting and sync up

Research and analysis on Panther Protocol (for Project X)

(Continued)

Silent Auth detailed proposal additional feedback and questions

Diligence meeting with Deepwaters

Statement of Work clarification meeting with Coalfire 

Preparation and semi-joint evaluation of Project X prospect Shift

Diligence meeting with Project X investee C14; Research and diligence on C14 thesis

Research and technical diligence on Project X investee Deepwaters

Joint evaluation of Project X prospect HOPR

Research and independent evaluation on MetaLoop; Sourcing Project X leads; Analysis on Webacy

Joint evaluation of HexaTorch

Research and offline evaluation on Project X prospect Cytus

Preparation and joint evaluation of Project X prospect Protego

Joint evaluation of Project X prospect Deepwaters

Project X deal sourcing (Xoogler meetup #2)

Evaluation of Project X leads

Joint evaluation of Project X prospect Gryphon; 1wallet design sync with Darren

Joint evaluation of Project X prospect C14

Sync with FBI (with Merkle Science)

Project X deal sourcing (Xoogler meetup)

Evaluation of Project X prospect DSCAPE, meeting, and internal discussion

Sync with Merkle Science on Tornado Cash findings

Response team briefing

Evaluation of Project X leads (Xoogler Demo Day projects)

Evaluation of Project X leads

Sync with private investigator regarding suspect

Response team briefing

Sync with Timeless; Adjustment of 1wallet v14 RPC endpoint; Performance tests and analysis

Revisiting zero-day and UAE vulnerability; Internal discussions; Victim password strength review and analysis

Response team briefing

Response team briefing; Investigation on new victim (GU); Emergency response

Malware analysis and risk review

Silent Auth proposal evaluation and feedback

Onboarding Michael M and discussions

Anchain finding presentation and discussions

Malware investigation

Theft case investigation (lead from Binance related activities)

Response team briefing

Finalization of "Use Ethereum NFT on Harmony as Avatar"

Sync with Coalfire

(Continued)

Review and experimentation of Matthew's vulnerability report #1

Revision on "Use Ethereum NFT on Harmony as Avatar"

Receivng updates from AnChain and discussions of issues and next steps

1wallet, project document: Use Ethereum NFT on Harmony as Avatar

Response team briefing

New victim browser history analysis (BL, DD) and manual inspection of all common sites

Investigation and analysis of reported suspicious Ethereum trasanction and contract address that invokes Harmony bridge

Initial engagement with Merkle Science

Research and feasibility study on amount-matching based Tornado Cash tracing techniques and past success stories

Extension production deployment and hash-verification step-by-step guide; Quick analysis of new victim / incident

New hackathon victim interview, analysis, and recommendation; 1wallet - engagement with Meson team (cross-chain stablecoin bridge integration)

Victim interview and Q&A call (DD)

Response team briefing

Sync with Silent Auth

Response team briefing

Coalfire initial engagement and scope discussion

Onboarding Matthew for extension wallet vulnerability investigation

Reproduction and verification of Quoc's extension build; Review of private investigator preliminary report

Victim interview and Q&A call (BL)

Response team briefing

Response team briefing

Discussion Matthew for extension wallet code analysis

Experimentation with XSS vulnerabilities in Vue; NDA with SecureLayer7 / Cure53

Analysis of new victim profiles and priorities (unassigned code names)

VueJS injection vulnerability experimentation

Private investigator initial briefing and preliminary assignment of work

Response team briefing

Report #3 on theft incidents (New Victims, Perpetrator Tracing, Previous Victims, Suspect, Backend Server Log, Frontend Fingerprints, Total Economical Damage); Analysis of linkage between attacks on multiple victims 

Response team briefing

Sync with Sukanta and internal discussions

Secureworks second and final engagement (not to proceed)

Engagement with red teams and security firms; Review of all victim and perpetrator addresses, blacklisting states, and movements offunds; 

Secureworks initial engagement

Response team briefing

MyContainer incident review, analysis, and discussion

Engagement with private investigators and preliminary exchange of information

Chrome extension wallet PR 117 review and testing; Sync with Quoc

Sync with Anchain; Response team briefing

Response team internal discussions and planning

(Continued) Merged and launched v15; fix 6x6 restore failure after a wallet is upgraded and renewed from v14; Full release notes;

Deploying v14 and v15 relayers, setting endpoints and system services; Monitor network stability and debug related issues

Response team briefing; Victim counselling procedure consultation (MN); Further investigation into fingerprints and transaction patterns, based on new data collected from new victims;

SecureLayer7 / Cure53 engagement and initial briefing; Internal discussions; 

(Continued) check whether wallet hasSuperOTP; Fix issues with upgrade to v15 wallet; clear otp input only when it is nonempty; Restrict non-v15 wallets from adjusting limits; Blacklist some recovery addresses and make 1wallet DAO their recovery address during upgrade; keep react component loaded during restore to ensure wallet parameters are properly passed; Ensure worker parameter has seed; move debug message to debug mode only; Add innerRoots check on localExport; Add fallback params in Upgrade; Use api.harmony.one RPC by default; improve messages related to emitted events; fix metamask tool; remove Chrome extension wallet from readme; Improve renewal messaging; Fix an issue which may cause multiple workers to be created; 

Chrome extension wallet incident response: new victim profile (MN), investigation, internal discussions; Emergency responses; Tornado Cash tracing and matching patterns against known hackers and victims

(Continued); 1wallet: Fix some issues which may cause renewal to malfunction or incorrectly make wallet "expired". Fix worker spamming logs; More granular messages and instructions when user access functionalities that require renewed / upgraded wallets; Make upgrade box promptable; Fix a bug in renewal which causes the process to stall; Fix a bug on renewal which old core parameters are used, in lieu of new ones; Implement early terimination to enable much more efficient calls to deriveSuperOTP; Fix zero-valued effectivetime in renewal; 

abortion mechanism in event message; Core lib: EOTPDerivation; core util: genOTPStr (for efficient debugging when multiple OTPs are required); Add more verbose logging to relayer; use EOTPDerivation in relevant functions; Revamp spending limit prompts and checking mechanisms; fix bug in remaining limit display in balance page; Fix renew-now link

better organized renew page

fix truffle distinction between dev and ganache; core lib: add sanity check of parameters to makeCore; CoreDisplaced and CoreDisplacementFailed error handlings; use oldInfo's (i.e. previous security parameters / OTP roots on contract) effectiveTime on deriveSuperEOTP; More structured frontend infrastructure utils (useSuperOps, useOpsBase); Fullly functional renewal for v15

AnChain sync; Response team briefing; Sync with Quoc; Analysis of possible scammer/imposter and linkage of hacks

1wallet: core flow util: deriveSuperOTP; use deriveSuperOTP in RestoreByCodes; fully functional spend limit adjustment component; 

Response team briefing; New victim analysis and next step recommendations (MC); Formulation of special process for large accounts at risk; Internal discussions

(Continued) Interview with owners of large accounts at risk

Review and debug 1wallet #228 (bundle size reduction), #241 (hotfix of missing styles); Fix bug in core processing util (missing array initialization); Increase timeout in response to RPC instability; Utilities for intelligently producing wallet name hints and make use in every place where names are referred; Create wallet component shared functions regarding before/after commit and preparing proofs; Rearrange balance and spend limit components; Spend limit adjustment components; 

(Continued)

Response team briefing