TL;DR: Safe-keeping the community’s trust and deploying Gitcoin’s good reputation are two parts of a risk strategy that will enable the hypergrowth we’re headed towards.
As we look forward towards Seasons 18 & 19 and prepare workstream budgets, I wanted to take a moment to address the ways in which risk mitigation will be absorbed by the DAO. With the dissolve of FDD, Gitcoin has a unique opportunity to be intentional with our risk strategies and avoid common pitfalls that have crippled our peers.
Since joining this team in November of 2022, I have been overwhelmingly grateful (and frankly relieved) to find that the Gitcoin team is well-prepared to embed risk thinking in all we do. We are not optimistic to the point of lacking pragmatism. Our rose-tinted glasses do not cloud our vision as we walk into a regenerative future. I am confident that this is the right team to build the tools that enable systems of reallocation that are more fair and more kind than any available today. There are two tenets that are central to our ability to deliver these tools, though: Trust and Reputation.
In short, our reputation is our most valuable asset. It outweighs our treasury holdings in that it delimits the potential value of those same holdings, now and in any future. Currency, after all, is a quantitative indicator of faith.
Meanwhile, the trust of our community enables us to build the future we all want to see. We have trust now and it’s ours to lose.
There are a few key threats to the maintenance of this hard-earned trust and this amazing reputation which we enjoy. The key threats as I see them are:
(1) Status-quo security measures
We’ve been building scrappily and moving fast. But the scams in the space are moving fast, too. We give out money as a core function—we are perhaps among the most obvious targets for low level phishing scams that the web3 world has ever seen.
In addition to the day-to-day exploits inherited from web2 vulnerabilities, we are also becoming increasingly attractive for novel and higher-skill attacks. We seek to achieve levels of success which would make us a household name, but we need to shore up our security vulnerabilities in direct proportion to our success in earning new community members. We are committed to open source and we happily solicit pull requests to build on top of our products permissionlessly—but it would be naïve to pretend that there are not increasing incentives for malicious code to be introduced to our products. Right now, Allo contracts have already redistributed $3 million of grants, and as we prepare for Beta, we are taking in even more. Our success means an increased target on our backs, and now is the time to implement protective security practices—not after we’ve experienced an avoidable loss.
To leave you with only one of many possible horror stories: what happens when someone forks our Passport front-end and removes the code that hashes user credentials? All of a sudden, that actor has achieved not one but several sets of matched online credentials for both web2 and web3 accounts, along with cookie data and device information. We have socialized our community to input their info into Passport—it is our responsibility to socialize them also to use best practices: bookmark our pages and whitelist the sites that are permitted to call their hot wallets.
(2) Over-generosity with our in-crowd (and the fact that we have an “in-crowd” at all)
While we allow the proverbial masses to determine the outcome of our grants rounds, Gitcoin does make decisions about who can be a funder and currently also makes the decisions (albeit democratically) about who can participate in a grants round as a grantee.
We have not yet found a way to really dig into the performance of our grantees as a retrogressive method, and unfortunately right now the most scrutiny that a grantee project (or a Grants Program Partner for that matter) will undergo is when they approach us for the very first time. The consequence of being overly generous with the “in-crowd” is that it makes for a casual deprioritization of new audiences and new projects who come to us.
With renewed attention on grantee reputation I am excited to think that the solutions for project accountability are in sight. I also want to articulate the positive side of this problem: We can be better advocates for our grantees and win the trust of emerging partners. In providing grantees clear methods to share their successes, and coaching on best practices for quantitative metric-setting, we are only strengthening the support we provide to our grantees. The draw of applying to Gitcoin Grants should not purely be a monetary award and a loose association with our logo. We can give grantees a springboard to their next level of success.
I would love to see Gitcoin getting serious about courting new projects who are outside of our normal audiences. The strength of our grants program depends on a healthy mix of new blood and best-in-class reporting on the success of the projects we’ve funded.
(3) Obscured transparency in decision-making
Is a muddy window still transparent? Fundamentally, maybe the window itself is not at fault for the obstruction. But we have a lot of muddiness in sharing our intents and our directives with community members, not least of which is a culture of verbosity (exhibit A: this post itself).
Not everyone in our community has time to sift through our forums, or watch hours of CSDO meetings. Many of our own core contributors don’t feel up-to-date or able to closely watch these channels. I’m deeply committed to learning practices that will increase transparency—not to shorten the conversation, or cheaply simplify a complex inflection point—but to get the need-to-know information out to the interested parties on a regular, reliable cadence.
I make these call-outs not to imply that the work to address these threats is not already underway. Many people throughout the DAO as well as stewards and individual community members are all already hacking on these core problems. Coming from a risk background, I make these call-outs because I find it useful to articulate and name the monsters in the forest. I’d like to drive consensus around this characterization of the threats we’re facing. If anyone thinks I have omitted key components that our risk strategy should address, I would love to hear that. Similarly, if anyone thinks I’ve overblown the level of threat that any particular category poses—I’d be hugely open to that feedback, too.
It is from a desire to continue to socialize a risk mindset that I wanted to share with the wider group the top three threats I’m thinking about when it comes to trust and reputation. I also wanted to introduce a bit of a language shift: any risk programs at Gitcoin should be protective—not reactive and never combative against our own community.
What traditional organizations too often get wrong is to pit risk mitigation against a growth mindset. I am personally convinced that one enables the other. These framings are not at odds, but complementary. Having worked in fraud and risk at two traditional web2 companies that underwent periods of extreme hypergrowth during IPO—I can honestly say that I feel the tremors before the storm in Gitcoin right now. To seek increased growth is to seek increased risk.
At the base of many of these solutions is the mandate of better data availability. With data comes enriched communication tactics for fact-sharing, and improved ability to meet our community in their attempts to fact-find. I have been ecstatic to see increased awareness for data practices crop up in every single workstream budget this time around.
More on this to come—but thank you to all of the amazing Gitcoiners who I have gotten to work alongside in scoping risk at the DAO. I am overwhelmingly grateful to be solving such high-quality problems with you and clearing the way for the regenerative future.
Thank you especially to @J9leger who was the first to hear my nascent thoughts on trust and reputation. Thank you to the deeply powerful advocate @M0nkeyFl0wer who has looped me into all ongoing risk-related talks in such an effortless way, and @connor who already does so much to remind the DAO of the monsters in the dark forest. @kevin.olsen for encouraging more ambitious data roadmapping and @kyle for calling out the need for risk to embed in all workstreams. To Azeem and Juanna for showing me the power of our reputation when deployed. Infinite thanks to @MathildaDV, @baoki, @zen and @koday for all your energy for the problems and all the talent you bring to the solving.
And of course all the thanks will always go to @disruptionjoe for your thought leadership and for inviting me to hack on these problems at Gitcoin in the first place—most especially for being a brave enough leader to jump first into all things you believe in.
Suffice to say—I for one am very excited for what’s to come.