TODO: Debt DAO internal opsec vs Helping users improve their opsec?
Operational Security
- wallets
- Grid+ Lattice >>>>>
- diversity of hardware wallets on multisigs
- Only hardware wallets and other multisigs allowed as signers on multisigs
- Multisigs - We separate our Treasury multisig, which holds assets, from our Arbiter multisig, which executes trades and liquidates users. These are the only Debt DAO accounts. Multisigs & Signers
- bot hot wallets
- 2FA mandated wherever possible w/ Authenticator apps. SMS and phone verification disabled wherever possible.
Phishing
Prevention
- Always retype domains and usernames instead of clicking links, to prevent homoglyph (look-alike character) phishing
- Minimize personal/work life details in public social media. Vacations, your exact role/responsibility, whether you have a family, etc. can all be used to phish you or other people in the org
- Verify people across channels (Discord, Telegram, IRL, email, Twitter, 3rd parties, etc.). When someone starts on or moves to a new platform, verify their identity on the new platform through a channel you already trust.
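The retype-the-domain rule above exists because look-alike domains are hard to spot by eye. The following is an added example (not part of the original notes or any Debt DAO tooling) of the kind of check a link-scanning bot or a pre-flight script can run on a domain before it is trusted: it flags punycode labels, non-ASCII characters, labels that mix scripts, and domains whose confusable-normalized form matches a trusted domain without being it. The trusted domains and the confusable table are constructed for the example; a production version would use the full Unicode TR39 confusables data.

```python
import unicodedata
from typing import List

# Constructed allowlist of domains the org actually uses (placeholders, .example is reserved).
TRUSTED_DOMAINS = ["debtdao.example", "gridplus.example"]

# Small constructed fragment of a confusables table (the idea behind Unicode TR39
# "skeletons"); the real table is far larger. Maps look-alike chars to an ASCII base.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0445": "x",  # Cyrillic ha
    "\u0456": "i",  # Cyrillic/Ukrainian i
    "\u03bf": "o",  # Greek omicron
    "0": "o",       # digit zero vs letter o
    "1": "l",       # digit one vs letter l
    "\u2024": ".",  # one dot leader vs full stop
}

# Constructed sample: the Cyrillic-a look-alike of the trusted domain, in its punycode form
# as it would appear in a raw URL. Built with the idna codec rather than typed by hand.
LOOKALIKE_PUNYCODE = "debtd\u0430o".encode("idna").decode("ascii") + ".example"


def _script(ch: str) -> str:
    """Script family of a letter from its Unicode name ('LATIN SMALL LETTER A' -> 'LATIN')."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def skeleton(host: str) -> str:
    """Collapse confusable characters so look-alikes of the same domain compare equal."""
    s = unicodedata.normalize("NFKC", host.lower())
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    # Multi-character look-alikes: 'rn' reads as 'm', 'vv' as 'w'.
    return s.replace("rn", "m").replace("vv", "w")


def check_domain(domain: str, trusted: List[str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    host = domain.strip().lower().rstrip(".")

    # 1. Decode punycode labels (xn--...) so the later checks see the real characters.
    decoded_labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            findings.append(f"punycode label: {label}")
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep the raw form, the punycode finding stands
        decoded_labels.append(label)
    decoded = ".".join(decoded_labels)

    # 2. Any non-ASCII character in a domain the org expects to be plain ASCII is notable.
    if not decoded.isascii():
        findings.append("non-ASCII characters")

    # 3. A single label mixing scripts (e.g. Latin + Cyrillic) is a classic homoglyph sign.
    for label in decoded_labels:
        scripts = {_script(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label '{label}': {sorted(scripts)}")

    # 4. Not a trusted domain, but its confusable skeleton equals a trusted one's.
    if decoded not in trusted:
        sk = skeleton(decoded)
        for t in trusted:
            if skeleton(t) == sk:
                findings.append(f"looks like trusted domain {t} but is not it")
                break
    return findings


if __name__ == "__main__":
    for d in ["debtdao.example", "debtd\u0430o.example", "debtda0.example", LOOKALIKE_PUNYCODE]:
        print(d, "->", check_domain(d, TRUSTED_DOMAINS) or "ok")
```

The skeleton comparison is the part that catches what the eye misses: the digit-zero variant is pure ASCII and single-script, so only the normalized comparison against the allowlist flags it. Run as a script it prints one line per sample domain; the same function can sit behind a Discord or Telegram link-checking bot.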
Helping Users with Opsec
- wallet setup security
- Run simulated phishing exercises to identify members of the network who need more training
- non-SIM 2FA