Questbook DDA Program Report

To begin, thank you @Entropy for the detailed report and findings. We definitely want to make sure we fund the right people, and this is a mistake we will learn from.

Adding the overall incident report below, in how it happened and how we will avoid it in the future:

  1. Their team submitted a proposal posing as a Raphael and Zak from Metaverse Architects, putting up a solid proposal for an AI Stylus Auditor that @juandi as the Dev Tooling DA accepted.

  2. During the DD process of the DA side, there was an initial call set up to understand their technical competence and previous experience. In the call a Raphael showed up; his technical soundness checked out, he knew what he was talking about, was able to answer technical questions and seemed competent to carry out the terms of the proposal.

  3. Post acceptance, the team actually did deliver on all the milestones that were mentioned. The code was and still is working; both the Questbook team and Juandi have delved into the code and it has delivered most of what the milestones requested. The growth metrics weren’t exactly accurate, but technically everything was good to go.

  4. We find out from the Entropy report that neither Zak nor Raphael are actually the ones who made the proposal. To clarify here, an agreement was signed with a Raphael whose KYC details, which we have captured, match; however, this Raphael is not the same person as the Raphael that was mentioned in the proposal. We figured this out after having a call with Zak. Our mistake here was not knowing the original full name of the Raphael who had the experience as mentioned in the proposal.

  5. Who are the folks that impersonated them? From our findings so far, they were previously colleagues of Zak in the Metaverse Architects team. The impersonators currently run a product called Nexuspay (a Kenyan wallet on top of ETH infrastructure to pay and transfer in USDC and off-ramp to pay utilities in Kenya), and have previously tried applying to our grant program under New Protocol ideas, and have submitted more proposals under Dev Tooling too. As such, we can also confirm that the team from Nexus is behind the proposals because they have applied to other domains and proposals inside Dev Tooling. The impersonation team is already implementing better methods of diligence with now turning cameras and exposing their identities as different people while continuing to propose grants that are botched and turned off once delivery is completed.

  6. How do we prevent?

  • We will be implementing social media proofs as part of the application process once a proposal gets accepted, as part of the due diligence. We will use Reclaim to verify that a user is the owner of the social media accounts they claim to be; X, LinkedIn and GitHub will be our first proofs requested.
  • From the GitHub repos submitted, we will fetch the contributors of the repo and keep them in a database where we flag if a new proposal has the same contributor involved, so that the DA is aware that one contributor is part of multiple proposals. If found suspicious, we can withhold any grant amount left to be disbursed immediately.
  • We will implement two member KYC for any proposal that has 2 or more members but no business registration. This will make it harder for the scammers to impersonate or falsify multiple identities.

In addition to the above methods, we’re constantly thinking of new ways to make sure the overall due diligence process is stringent. Would love any ideas from the community’s side too.

Thank you.

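The contributor cross-check described in the second prevention bullet could look like the sketch below. It is an added example, not part of the original post and not Questbook's code. It assumes contributor records shaped like the response of GitHub's `GET /repos/{owner}/{repo}/contributors` endpoint; the proposal names, repos, logins and ids are constructed, and `ContributorIndex` and `review_all` are hypothetical names.

```python
from collections import defaultdict

# Constructed samples shaped like GitHub's GET /repos/{owner}/{repo}/contributors
# response (each entry carries "login", "id" and "type"). Every proposal name,
# repo, login and id below is made up for this example.
SUBMISSIONS = [
    ("proposal-A", "example-org-a/tool-one", [
        {"login": "dev-one", "id": 1001, "type": "User"},
        {"login": "dev-two", "id": 1002, "type": "User"},
        {"login": "dependabot[bot]", "id": 9001, "type": "Bot"},
    ]),
    ("proposal-B", "example-org-b/tool-two", [
        {"login": "dev-one-renamed", "id": 1001, "type": "User"},
        {"login": "dev-three", "id": 1003, "type": "User"},
        {"login": "dependabot[bot]", "id": 9001, "type": "Bot"},
    ]),
    ("proposal-C", "example-org-c/tool-three", [
        {"login": "dev-four", "id": 1004, "type": "User"},
    ]),
]

class ContributorIndex:
    """Remembers which proposals each GitHub account has contributed to."""
    def __init__(self):
        self._seen = defaultdict(set)  # numeric user id -> proposal names

    def register(self, proposal, repo, contributors):
        """Record a repo's contributors; return overlaps with other proposals."""
        flags = []
        for c in contributors:
            if c.get("type") != "User":
                continue  # bots show up in many unrelated repos
            uid = c["id"]  # key on the numeric id: logins can be renamed
            earlier = sorted(p for p in self._seen[uid] if p != proposal)
            if earlier:
                flags.append({"id": uid, "login": c["login"], "repo": repo,
                              "proposal": proposal, "also_in": earlier})
            self._seen[uid].add(proposal)
        return flags

def review_all(submissions):
    """Feed submissions in arrival order and collect every overlap flag."""
    index = ContributorIndex()
    flags = []
    for proposal, repo, contributors in submissions:
        flags.extend(index.register(proposal, repo, contributors))
    return flags
```

A flag here is a prompt for the DA to look closer, as the post describes, since contributor lists are derived from commit metadata rather than verified identity.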