Watch & Listen
Youtube | Spotify | Apple Podcasts
This week, Flywheel hosted FDR, founder of Groom Lake and an ex-NSA operative who has joined forces with a team of former US military and intelligence operatives to help keep crypto projects safe. In this episode we heard stories ranging from how he once located an exploiter through their webcam to how he built the ultimate security infantry unit, Groom Lake.
Since 2014, an estimated $80 billion has been stolen through hacks and exploits.
Last year alone, roughly $10 billion was stolen, of which about $4 billion came from crypto.
In the second quarter of this year, more than $300M was lost in crypto; Ethereum alone lost close to $65M to hackers across 55 incidents.
Security in DeFi is lacking, and FDR has plans to improve it, whether during active situations that require leverage and an incident response plan, or through operational monitoring to prevent exploits in the first place.
The Wild West of Crypto
DeFi is the Wild West. With an unstructured industry and growing regulatory considerations, it's safe to say it's almost lawless.
In the actual Wild West, there were times when local sheriffs or federal agents couldn't help; that's when people turned to the Pinkertons, a private security guard and detective agency founded around 1850.
In Web3 today we need our own Pinkerton squads. Protocols and people are losing money to hackers and exploits left and right, then naively begging the exploiter(s) to return the stolen money.
At the beginning of this month, we witnessed the unexpected Vyper/Curve exploit that netted the hackers $69 million. In our report, DeFi Dave explained how it all happened.
To give a sense of how long this bug went unnoticed: the vulnerable compiler versions had been in use since 2021, and the bug was fixed, by sheer accident, in Vyper 0.3.1. Yet the liquidity pool contracts that held native ETH and had been compiled with versions 0.2.15, 0.2.16, and 0.3.0 went on with their business with an invisible death warrant front and center...
The vulnerability ultimately came down to incentives around auditing compilers... They sit in a part of the stack that is wrongly assumed to be safe and hence not examined by auditors, who focus primarily on the smart contract level. In addition, because of how it is structured, Vyper is much simpler to read than Solidity, which makes it easier to find exploits.
As we have seen, because protocols are so focused on going to market in a volatile environment, they don't necessarily take the extra time to perform security operations.
When it comes to exploit response, time is not the only thing of the essence; leverage is too. During an active situation, a protocol or person needs to escalate quickly in order to gain the upper hand.
FDR shared a story in which his team limited all communications to deny the exploiter leverage.
So, zero noise on Twitter, no messages, nothing.
Later, the exploiter sent an email from a burner Protonmail address, and just like that the perpetrator had lost their leverage, which led to the hacker's downfall.
Using a well-thought-out psyop, his team professionally contained the situation.
What is Groom Lake?
As FDR calls it, "Groom Lake is the private military corporation for DeFi."
Groom Lake is a tailored cybersecurity and intelligence operations company. It provides everything from structuring, frameworks and crisis response plans to compliance: the proactive and reactive security that protocols want and need. FDR said he wanted to build Groom Lake as an agile team, similar to a light infantry unit.
Small, cohesive and highly professional.
Based on current metrics, Groom Lake can get an operative deployed live, in person, anywhere in the world and performing operations within 24-48 hours.
By comparison, in a Web2 active situation a team typically has 72 hours to get everything sorted, not to mention the far larger resources it has access to. In the many crypto hacks we've seen, it takes the exploiter only a few hours to drain funds, so there's no time to gather the troops.
In today's climate, cybersecurity consultancies often fleece protocols, taking advantage of the fact that projects will pay hefty sums for security consulting services. Audits aren't any cheaper... they can range from thousands to hundreds of thousands of dollars.
FDR puts it this way, "You're paying 250k for PR".
Groom Lake offers proactive and reactive security for less than the cost of a single internal cybersecurity hire, and specializes in everything: psyops, offensive hacking, defensive security, forensics and even human intelligence. It can also draw on a network across six continents that is embedded with governments and institutions.
Best & Worst Security Practices
When asked what are the best and worst security practices for users and founders, FDR had a fair amount to say.
If you're using a VPN for enhanced privacy, choose one that runs its own localized, proprietary software and take full advantage of its advanced settings. Be aware that the "Fourteen Eyes", a surveillance alliance of 14 countries including the United States, Germany and the UK, shares intelligence among its members. For maximum privacy, opt for a VPN provider based outside those countries. As FDR said, "The minute your data leaves your custody, it's fair game..."
Another example of poor security practice is using SMS for 2FA... FDR said it best: "Like what? Just why?" While it's better than nothing, there's no reason to use SMS (a code sent over the phone network can be captured by SIM-swapping the victim's number) when you can just as easily use a virtual authenticator. FDR favoured authenticator apps (e.g. Google Authenticator, Authy) because they're convenient, safe and simple to use. Yubikeys are another good practice, a little more on the paranoid side of things, but very secure.
Along with these 'lower level' security practices, the number one thing FDR preached was for protocols to set up a Crisis Response Plan (CRP). In the U.S. military, clear communication is critical for effective coordination and successful outcomes. If a security exploit occurs, everyone involved knows their role thanks to the predefined CRP: community managers have preset messages ready and work in shifts for the first 48 hours; the incident response manager serves as the central hub, coordinating actions so that everyone stays aligned; and the legal, PR and communications teams are ready to draft negotiation emails. Proactivity is key; everyone knows their responsibilities and executes them efficiently. Following FDR's advice, a CRP should be practised at least annually, like a fire drill. These measures ensure that both individuals and the protocol as a whole are prepared for worst-case scenarios such as hacks or other exploits.
What is Drosera
Drosera is the world's first Decentralized Automated Responder Collective (DARC): a set of smart contracts built on top of EigenLayer that lets ETH consensus-layer operators mitigate hacks.
Drosera provides 24/7 monitoring and incident response capabilities.
Protocols benefit from reduced gas costs because the advanced validation checks are executed off-chain. Drosera uses proprietary technology that cloaks a protocol's security configuration, including from the operators themselves.
Drosera is a byproduct of Groom Lake. FDR realized that Web3 is full of very agile teams in an unstructured industry with little regulatory consideration, all optimizing for speed to get products into the space as fast as possible. Often, projects don't have time to look into security operations and ensure everything is safe. Enter Drosera...
When developing Drosera, FDR prioritized user-friendly access, recognizing that the DeFi and Crypto sectors often lack approachability for both users and founders. Drosera is designed to be accessible, offering services at a cost lower than bug bounties and audits. FDR envisions a streamlined user experience, where clients can easily access Drosera's features by visiting the website and clicking a button.
Drosera mitigates security exploits through a five-step process. First, a protocol posts a 'job' that specifies its validity conditions and an emergency response action. Second, Drosera operators pick up the job and conduct automated surveillance on the protocol's behalf. Third, the operators detect any state change that violates the validity conditions and immediately broadcast that status. Fourth, once operator consensus is reached, one of the operators submits a transaction that triggers the protocol's pre-set emergency action. Finally, that action contains the incident and mitigates further risk to the protocol. FDR assures that within a 24-48 hour window, Drosera can swiftly move from detection to deployment, even locating and confronting the exploiter directly.
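To make the five steps concrete, here is an off-chain simulation of that job / operator / consensus / response loop. It is an added example written for this page, not Drosera's or Groom Lake's code, and it makes no claim about Drosera's actual contracts: the `Job`, `Operator` and `Coordinator` classes, the quorum rule, the "vault must cover what it owes" validity condition and the pause action are all assumptions chosen to illustrate the flow. The scenario includes one faulty operator that always cries wolf, so the example also shows why a quorum is needed before anything is submitted, and why the response must run only once.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

State = Dict[str, int]


@dataclass
class Job:
    """Step 1: what the protocol posts. Field names are this example's assumptions."""
    name: str
    is_valid: Callable[[State], bool]             # validity condition, checked off-chain
    emergency_action: Callable[["Protocol"], None]  # pre-set response, submitted on-chain
    quorum: int                                    # operators that must agree


@dataclass
class Protocol:
    """The watched protocol, modeled as a mutable state plus a pause flag."""
    state: State
    paused: bool = False
    action_count: int = 0                  # how many times the response actually ran
    log: List[str] = field(default_factory=list)


class Operator:
    """Steps 2 and 3: evaluate the job's condition on the observed state and broadcast a verdict."""
    def __init__(self, op_id: str, faulty: bool = False):
        self.op_id = op_id
        self.faulty = faulty               # a faulty operator always reports a violation

    def reports_violation(self, job: Job, state: State) -> bool:
        if self.faulty:
            return True
        return not job.is_valid(state)


class Coordinator:
    """Steps 4 and 5: tally verdicts per block; once quorum is reached the first
    reporting operator submits the emergency action, exactly once."""
    def __init__(self, job: Job, operators: List[Operator]):
        self.job = job
        self.operators = operators
        self.executed = False

    def process_block(self, protocol: Protocol) -> Optional[str]:
        """Returns the id of the submitting operator, or None if nothing was submitted."""
        reporters = [op.op_id for op in self.operators
                     if op.reports_violation(self.job, protocol.state)]
        if len(reporters) < self.job.quorum:
            return None                    # no consensus: a lone faulty operator cannot pause the protocol
        if self.executed:
            return None                    # response already on-chain; never re-submit
        submitter = reporters[0]
        self.job.emergency_action(protocol)
        protocol.action_count += 1
        protocol.log.append(f"{self.job.name}: action submitted by {submitter}")
        self.executed = True
        return submitter


def vault_is_backed(state: State) -> bool:
    """Validity condition (assumed for the example): the vault must hold at least what it owes."""
    return state["vault_balance"] >= state["owed_to_depositors"]


def pause_withdrawals(protocol: Protocol) -> None:
    """Emergency action (assumed for the example): freeze withdrawals."""
    protocol.paused = True


def run_scenario() -> Protocol:
    """Constructed scenario: healthy block, exploit block, and a follow-up block."""
    job = Job("vault-backing", vault_is_backed, pause_withdrawals, quorum=3)
    operators = [Operator("op-a"), Operator("op-b"), Operator("op-c"),
                 Operator("op-d", faulty=True)]
    coordinator = Coordinator(job, operators)
    protocol = Protocol({"vault_balance": 1_000_000, "owed_to_depositors": 1_000_000})

    coordinator.process_block(protocol)            # block 1: only op-d reports, 1 < quorum, nothing happens
    protocol.state["vault_balance"] = 100_000      # block 2: an exploit drains the vault
    coordinator.process_block(protocol)            # all four report, quorum met, op-a submits the pause
    coordinator.process_block(protocol)            # block 3: still violated, but the action must not run twice
    return protocol


if __name__ == "__main__":
    result = run_scenario()
    print(result.paused, result.action_count, result.log)
```

The point a practitioner should take from the simulation is the ordering: the validity check and the vote are off-chain and free, and the only on-chain transaction is the single emergency action after quorum, which is where the gas saving described above comes from.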
In contrast to fully programmatic approaches, Drosera reduces the need for complex structuring, saving developer time and cutting costs. As the first to offer approachable security solutions, Drosera secures networks incrementally, one block at a time.
As for its development timeline, Drosera is being built on EigenLayer as an Actively Validated Service (AVS). Its Minimum Viable Product (MVP) is pending deployment to gather initial real-world data and establish itself as "The Security AVS." In Phase 2, the focus shifts to B2B business development with key partners, serving as an entry point into the broader EVM ecosystem. By Q1 2026, Drosera aims to complete its Series A fundraising round and evolve into a fully democratized and decentralized security marketplace.