Arbitrum Proposal: #0xc22debaecd252e2eccfa2b561345f091998d20740865ea6a39414f34fde52de2
ARDC (V2) Security Election
OpenZeppelin: 0% (0 ARB)
Trail of Bits: 0% (0 ARB)
Abstain: 0% (0 ARB)
Proposer: 0xb4c064f466931B8d0F637654c916E3F203c46f13
Description
Introduction
On the 19th of November 2024, the ARDC Tally proposal was executed, marking the ArbitrumDAO’s decision to extend the ARDC with the launch of the ARDC V2. This iteration features a collaborative structure, comprising specialised working members in Research, Risk and Security, alongside a Supervisory Council. The program is designed to deliver ongoing, specialised assistance to the ArbitrumDAO. For more details, see the executed proposal here: https://www.tally.xyz/gov/arbitrum/proposal/36792157050667056852025000136263368859227883753318633087194112219909798752014?govId=eip155:42161:0x789fC99093B09aD01C34DC7251D0C89ce743e5a4
Following a call for applications, a review process and an amendment period, conducted in accordance with the Election Process ratified by the ArbitrumDAO, the elections for the Arbitrum Research and Development Collective are now open. The full version of the applications can be viewed here:
We encourage all Arbitrum Delegates to vote responsibly and in the best interests of the ArbitrumDAO.
OpenZeppelin
- Applicant: OpenZeppelin
- Applicant Representative: Michael Lewellen
- Telegram Handle: @cyloncat
- LinkedIn Profile: OpenZeppelin | LinkedIn
- Role being applied for: Security Working Member
- Hourly Rate (in USDC): $600/hour for individual security researchers
Experience
OpenZeppelin has been a foundational security provider in the blockchain ecosystem since 2016, with their open-source OpenZeppelin Contracts library being widely trusted and serving as the core infrastructure for secure smart contract development. Previous work with Arbitrum includes evaluating key governance upgrades, verifying proposal correctness, and conducting security design assessments for projects like Timeboost and BOLD. Their contributions to the Stylus Contracts Library further solidify their integration into the Arbitrum ecosystem, leveraging expertise in Stylus runtime.
OpenZeppelin’s approach to security includes fuzzing and rigorous manual review that addresses vulnerabilities from multiple angles; the firm also developed the Defender platform and was the only security provider to identify a critical vulnerability in its Uniswap V4 audit. Having participated in the ARDC V1, OpenZeppelin carried out reviews of governance upgrades, verification of proposal correctness, and security design evaluations.
Proposed Scope of Work for Arbitrum:
Deliverables for the first two months
Specific work that we expect to complete within the first two months of the ARDC V2 program. Please note that some of these deliverables are time-dependent on the proposal details being ready for our security feedback within the 2-month time period.
- Security Council Improvement Suggestions: OpenZeppelin will contribute recommendations for enhancing the Arbitrum Security Council’s functionality, such as enabling multi-sig support for company entities to streamline operations. We will also propose setting technical requirements to ensure at least 9 of the 12 council members possess the technical skills to independently verify emergency upgrades. We’ve already seen forum requests for testing the technical expertise of Council candidates and additional suggestions from the Arbitrum Foundation that we plan to address.
- Technical Upgrade Security Feedback & Proposal Reviews on Timeboost, BOLD, Orbit Chains and Fast Withdrawals: Following up on our prior Security Analyses for BOLD and Timeboost, we expect to review the implementations of these mechanisms for security risks before submission on-chain and provide executive summaries of their impact. We also anticipate reviews of fast withdrawals and Orbit chain proposals that line up with the Arbitrum Foundation’s recommendations.
- Suggestions to Improve the DAO’s Technical Decision-Making Process: We’ll explore and recommend a technical decision-making framework to improve the DAO’s current process of debating technical trade-offs when implementing upcoming proposals. We’ll especially take the experiences learned from the Arbitrum Governor V2 Upgrade discussion on whether to perform a migration upgrade or direct proxy upgrade.
- Definition and Security Risk Analysis of a Governance Attack: We’ll examine Arbitrum’s current governance system to identify the potential risks of a governance attack similar to Humpy’s earlier attempt on Compound this year, to better safeguard the DAO. This includes defining the difference between a controversial/contentious proposal and an outright governance attack from an outside entity accumulating tokens and manipulating votes in a manner that warrants a security response. This includes answering questions raised by the Arbitrum Foundation here.
Ongoing Scope of Work
Work that we expect to be ongoing depending on the current proposals and requests made to us throughout our ARDC term.
- Proposer Assistance and Payload Preparation: Upon request from a proposal that has passed a snapshot, OpenZeppelin will support non-technical proposal authors in preparing their proposals, guiding them through best practices in proposal construction to meet the Arbitrum DAO’s technical and security requirements. We will offer security insights throughout the drafting process to preemptively address any potential vulnerabilities, helping authors create secure and well-structured proposals. This item comes directly from delegate feedback we received following ARDC V1.
- Proposal Security Review Process: OpenZeppelin will conduct security reviews of proposal payloads submitted to Tally (ideally in draft form prior to submission), ensuring their integrity and alignment with the intended governance actions. We will provide a final security check to verify that the proposal’s on-chain deployment matches the reviewed content along with an executive summary explaining the proposal’s impact for non-technical readers. This process will include manual security checks, supplemented by automated tools where possible, to ensure robustness and accuracy. Our forum reports on proposal safety will foster transparency and community engagement with proposal security.
- Governance Upgrade Audits: As the primary auditor for governance upgrades, OpenZeppelin will collaborate closely with Tally and Scopelift to ensure future upgrades are secure and aligned with the Arbitrum DAO’s roadmap. Through this collaboration, we’ll also explore integration opportunities with OpenZeppelin Governor, identifying feature enhancements that could serve both Arbitrum DAO and the broader ecosystem as part of the OpenZeppelin Governor Working Group that we’ve recently launched alongside Tally, ScopeLift and Agora.
- Additional Security Audits: While we’ve explicitly proposed that the Security Member serves as the primary auditor for governance upgrades, we are also happy to conduct security audits for other smart contracts wherever the Supervisory Council considers them to be in-scope for the ARDC. This could include any smart contracts to be utilized in a governance proposal such as the Franchiser Contracts used by Event Horizon that we audited in ARDC V1.
These deliverables address critical security needs and emphasize proactive upgrades and enhanced security governance. OpenZeppelin’s approach allows flexibility in addressing additional security tasks as ARDC’s term progresses. We are also open to additional feedback from other delegates and the guidance of the Supervisory Council, once elected.
Trail of Bits
- Name of Applicant: Trail of Bits
- Applicant’s Representative: Ken Trueba
- Telegram Handle: TrailofBits_Ken
- LinkedIn Profile: Trail of Bits | LinkedIn
- The role being applied for: Security Working Member
- Hourly Rate: $700
Experience
Trail of Bits has been a leader in software security for over 12 years, combining cutting-edge security research with an attacker’s perspective to minimize risks and strengthen code. They have performed over 300 blockchain security reviews, dedicating 200+ engineer-weeks to Arbitrum security reviews through their work with Offchain Labs, reviewing essential components such as Nitro, Timeboost Auction, Stylus, BoLD and the majority of ArbOS updates.
Trail of Bits excels in program analysis and tooling, as demonstrated by their numerous open-source projects, such as Slither, Echidna and Medusa, which combine a pragmatic approach and fundamental knowledge to create tools that provide value to their users. Setting them apart from other security consulting firms, Trail of Bits maintains a dedicated Research & Engineering division that integrates the latest advancements in security research into every project.
Arbitrum Scope of Work:
For the initial two months of the 6-month term, our services will include one or more of the following tasks, according to the priorities and needs of the ArbitrumDAO:
- Review on-chain proposal code updates
  - White-box security review of source code through a combination of manual and automated review, which may include a review of the proposal for design flaws and identifying security and correctness properties
  - Reviews do not include proposals that are initiated by Offchain Labs and the Arbitrum Foundation. These proposals are already going through security reviews (including by Trail of Bits)
  - If 12 engineer-weeks are not enough to review all the ongoing proposals in a quarter (or 24 in the 6-month period), Trail of Bits will either perform a review of some of the proposals, or a best effort of as many as possible. Trail of Bits will agree with the Arbitrum coalition and its Advocate to determine the priorities.
  - Deliverables are full security reports with technical information regarding findings and appendices as needed. A typical report follows the outline below:
    - Executive Summary (short description of what was tested and an analysis of overall security risk based on the findings, and a brief summary of the recommendations)
    - Code Maturity Evaluation (holistic evaluation of the codebase and overall approach to software development and security, as well as recommendations intended to inform medium- and long-term strategy for improving software development and resilience to future security incidents)
    - Comprehensive List of Vulnerabilities (detailed explanations sufficient to identify and/or reproduce the vulnerability, an attack and exploit scenario to provide context for the vulnerability, and recommended short- and long-term mitigation steps)
  - Trail of Bits has a discrete team of Technical Editors that reviews every client deliverable we write and an extensive, internally developed style guide that engineers are trained against.
- Invariants development
  - Creation of invariants targeting components for future upgrades. The invariants will help developers of upgrades ensure the correctness of their additions
  - Activities may include but are not limited to:
    - Identify security and correctness properties at the function or system level
    - Write invariants to test them with state-of-the-art fuzzers (Echidna, Medusa, Foundry fuzzer)
    - Documentation and guidance to help the community contribute to the invariants
  - Deliverables are the code for the security invariants produced, in a runnable state, including any documentation and tool instructions.
- Tooling Creation and Enhancement
  - Develop and enhance tooling to enhance the security of the Arbitrum ecosystem and its proposals, including:
    - Specific static analysis bug detectors targeting code updates.
    - Visualize the state of the governance contracts, in particular: the state of previous proposals, current emitted and delegates’ votes, and how the tokens are delegated.
    - Visualize and verify correct encoding of values used in the governance contracts and the action contracts.
  - Deliverables are specific features in isolated open-source PRs in the repository of each tool with a small description of the impact on the Arbitrum DAO goals.
- Office hours
- Security consultation
- Incident response/disaster recovery
- Additional services, based on the ARDC needs, which can include:
  - Design review
  - Threat modeling
  - Blogpost or public presentation
  - Appsec or cryptography review
  - Guidance on incident response plan or monitoring
Trail of Bits has a robust, adaptive approach to executing projects, and our history of providing high-caliber security research and engineering solutions equips us well for managing ad hoc or flexible tasks, as requested by the Supervisory Council.