Arbitrum Audit Program

Description

Summary:

• Run an on-going open application for 1 year to support projects that require a subsidy to audit their project,
• Approve a list of auditors into the program and also invite auditing firms from the ADPC’s Security Subsidy Fund to apply for the program.
• Arbitrum Audit Committee will include membership of AF, OCL and a technical expert elected by the DAO

Abstract

It is industry standard and recommended practice that all projects with on-chain smart contracts undergo at least one third party audit. This is because smart contracts can potentially secure millions, if not billions of dollars, yet a single bug in the code can result in the loss of all funds. In many cases, when the smart contract is deployed, it can be difficult to upgrade after launch, and audits should be completed prior to the project going live.

Unfortunately, audits are prohibitively expensive. It is not uncommon for projects to pay ~$20k per auditor per week. If multiple auditors are required for the project, then the bill increases substantially into six figures. This is problematic for early stage projects who may simply lack the funds to pay for an audit or be forced to allocate a significant portion of the funds they have raised from investors to pay for the audit.

This proposal aims to implement a subsidy scheme that will allocate funds to projects that require financial assistance to pay for an audit. To be eligible for the funds, the project will need to satisfy certain requirements such as launching on Arbitrum, relatively early-stage, and with potential for significant success with users.

We plan to run the subsidy program for 1 year, or until all funds are spent, with an appointed Arbitrum Audit committee. A subsidy will be offered as a grant or an investment in the project depending on size and long-term alignment.

Rationale and Goals

1. Support early-stage projects. Promising projects face funding constraints that may prevent their launch without access to a third party audit or for them to somewhat dangerously ‘test in production.’
2. Encourage development on Arbitrum. By supporting builders and early-stage projects, we can potentially help make Arbitrum their home over other blockchains.
3. Scaling Responsibly. Scalability is not just about transaction throughput, but the ability for the system as a whole to secure and protect an increasing number of tokens (TVL).
4. On-demand availability. An open applications process to offer subsidy grants to projects just in time before their planned launch.

Application Process

The Arbitrum Audit Subsidy Program invites projects to apply via an open applications track with a standardised form to gather the following information:

• Team Information
  • Names
  • Background
  • Notable Investors
• Project Information
  • Overview & problem it is solving
  • Why will project achieve product market fit
  • Stage of development & timeline to mainnet
• Audit coverage
  • Scope of audit
  • Lines of code & languages
  • Desired completion date
• Subsidy information
  • Preferred auditor [optional]
  • Audit budget request

The committee will screen the above information based on:

• Technical maturity: Assess whether the code base is ready for a professional audit.
• Team experience: Evaluate whether the team has the experience, expertise, and motivation to successfully launch the project on mainnet.
• Likelihood of success: Judge whether the project has the potential to attract a user base and establish itself as a popular decentralized application on Arbitrum.
• Reasonable scope: Determine if the audit’s scope can be completed within the proposed timeline and budget.
• Arbitrum first: The project will prioritise launching on Arbitrum including One, Nova, and other Arbitrum chains.

A project can be rejected at any stage of the process at the committee’s discretion.

If the committee approves the project during the screening process, then it will undertake due diligence which may include reference checks, reviewing the code related to the audit scope, and other information it may deem necessary to check. Assuming the due diligence succeeds, then the committee will aid the project in connecting with auditors to get the best quote alongside confirming the auditor has the capability to audit the project.

An auditor will be picked based on the rate charged, discount offered, availability to begin the audit and other relevant factors such as experience with similar projects and reputation. In regards to the payment schedule, we expect the subsidy to be paid when the audit is completed by the auditor, subject to project’s and Foundation’s satisfaction

Approving Auditors

The Arbitrum Foundation will take on the role of evaluating auditors who want to apply for this program which includes an interview, reference checks, compliance, and agreement to the terms & conditions of this program. It should be noted that we will conduct an individual negotiation with all approved auditors to take into account potential different rates and offerings from the auditors. Additionally, auditors can apply at any time to join the program.

An approved auditor will have an opportunity to post on the forum to advertise that they have been accepted to the program. This will assist projects with finding auditors that may be suitable for them even if a subsidy is not offered by this program.

Additionally, we will invite auditing firms from the ADPC’s Security Subsidy Fund to apply, with the intention for us to negotiate additional terms that are suitable for this new program.

Arbitrum Audit Committee

We propose a committee with a mixture of technical expertise and DAO representation who will have the necessary skills and time to review proposals on an on-going basis.

1. Chair: Team Member - Arbitrum Foundation (Waiving Payment)
2. Team Member - Offchain Labs (Waiving Payment)
3. Technical Expert - Elected by DAO
4. Team Member - ArbitrumDAO’s OpCo (when operational). We have included the OpCo as a potential team member as soon as it is operational and considers itself ready to join. We do not see this as a blocker and will begin the program without the OpCo, but eager to have their involvement when it is applicable.

The committee will enforce a strict conflict of interest policy such that no member should have any financial ties to an approved auditing firm that is taking part in the program and they should not have a significant conflict of interest with competing blockchain projects. The technical expert should not be part of the auditing firms engaged in the program and will be paid USD$5k per month. We expect the workload to be ~1-2 days per week.

Scope of work includes:

• Attend committee meetings to evaluate proposals,
• Support some due diligence efforts on projects,
• Lend expertise to make good decisions,
• Help with transparency & reporting.

The committee will publish updates in regards to the program every 3 months with a total of 4 reports to be published.

Budget Request

It is not uncommon for projects to pay $10k to $40k per auditor per week depending on the complexity of the project with overall costs exceeding $100k.

If we assume, conservatively, that each project will receive a $100k subsidy, then with a $10m budget, we can subsidize around 100 projects to build on Arbitrum which is approximately 1.9 projects per week for 1 year.

We are requesting a $10m USD budget to subsidise audits for 1 year and $60k to pay for the technical expert. All other costs including legal, management of the program, etc, will be covered by the Arbitrum Foundation.

Our proposal will:

• Request 30m ARB from the treasury,
• Convert ARB into $10m and $60k (compensation),
• Return all remaining and unused ARB back to the DAO

Whenever the program ends, the remaining funds in USDC and ARB, will be returned to the ArbitrumDAO unless the DAO approves the continuation of the program via an off-chain vote.

Timeline

We consider the establishment of a long-term security subsidy fund as an urgent matter to support builders in Arbitrum and will work with contributors in the ArbitrumDAO to get the program set up as soon as possible.

With this in the mind, we are expecting the following timeline:

• 06/2/2025 -> Proposal live on forum
• 20/2/2025 -> Offchain vote (Snapshot)
• 06/3/2025 -> Onchain vote (Tally)

Additionally, we are hoping to run the following governance calls:

• 17/2/2025 at 4pm GMT
• 24/2/2025 at 2pm GMT
• 03/3/2025 at 6pm GMT

Assuming the proposal is approved by the ArbitrumDAO, then we will:

• Run an election to hire the technical expert by 15th March 2025.
• Onboard auditors and open applications for projects by mid April 2025.

An official announcement will be posted for the final start date which will begin the 1 year clock for the program.