Adding a Security SME to the ADPC

Based on the feedback to the ADPC’s Subsidy Fund proposal to add a Security SME to the ADPC, we have managed to secure a trusted third party, who we are proposing to provide its services to the ADPC including:

  1. Crafting the technical and business requirements for the RFP for security service providers;
  2. Helping the ADPC whitelist the security service providers based on their RFP responses over a 4-week span.

We have managed to secure the help of DeDaub. DeDaub is a well-known security services firm which has worked with the likes of the Ethereum Foundation, EigenLayer, Chainlink, GMX, Lido, Maple, Pendle, etc., and has completed 200+ audits for 59 clients over 14 chains.

The next step before onboarding DeDaub is to get the DAO’s confirmation via Snapshot to use part of the ADPC’s budget to pay them. Note, the ADPC already has the funds in the Multi-Sig as part of the original endowment, but since this was not explicitly approved for spending by the DAO in the original Tally vote, we are requesting approval via Snapshot to use these funds to pay DeDaub. Find details below:

We propose to pay DeDaub a total of 12k ARB for their assistance on crafting the requirements and helping whitelist the security service providers. We believe this is fair since:

  • Each ADPC member gets compensated $8k worth of ARB per month;
  • The technical and specialist nature of the work allowing for a higher rate;
  • The difficulty we have had in sourcing Security SMEs who are not conflicted out, as mentioned above;
  • The market rates for Security SMEs (we were quoted $500/hour by another SME).

As such, we believe a compensation of 12k ARB is fair for the value DeDaub will bring to the ADPC and to this process.

Moreover, we also request an additional 10k ARB to the ADPC’s budget as an operational buffer to ensure that the ADPC can operate with speed and does not need to get the DAO’s approval for any small operational matters. Of course, this will be returned to the DAO’s treasury upon the completion of the ADPC’s tenure if it has not been utilized, and will not be spent on any internal salaries.

We will put up a Snapshot to get the ball rolling on this budget approval and reduce the likelihood of any delay in meeting timelines.

Summary Ask: 22k ARB in total (12k ARB compensation for DeDaub and 10k ARB operational buffer) to use from the ADPC’s buffer in the multi-sig.

Note: To confirm, DeDaub’s participation as the Security SME will preclude them from responding to the RFP and applying to be a whitelisted security service provider.

9 Likes

I propose to give people a choice of audit company.
It’s worth talking to at least one more, albeit with different conditions.

5 Likes

Hi @cp0x, thanks for voicing your opinion. Appreciate the time taken to digest the proposal!

The selection of DeDaub is a result of the ADPC’s careful deliberation as a committee.

Here is some more context on how we selected DeDaub:

The ADPC was elected as a trusted committee to fulfil this specific mandate of whitelisting security service providers via an RFP process. Based on the information we have gathered from speaking to various parties on the nature of the work needing to be performed by DeDaub, the difficulty in sourcing non-conflicted security SMEs, the current market rates for security SMEs, and the need for us to move quickly to define the requirements, whitelist the security service providers and not cause any delays, we firmly believe that DeDaub is the right choice for this task.

5 Likes

We have heard about DeDaub and their past work and we’re confident they will be great at this role given the positive vote. Overall, our stance is that we respect the ADPC’s choice in this and the budget ask is also really reasonable in our opinion.

For transparency’s sake, it would be nice to hear of the other companies the committee considered and maybe why you went with Dedaub in the end?

5 Likes

Michigan Blockchain is in favor of appointing DeDaub. We believe the cost is reasonable and their relevant track record working with major protocols makes them a good fit as the SME.

3 Likes

I second this. We are in support of DeDaub but think it would be interesting to hear about the other groups in consideration

3 Likes

Voting “for” on onboarding DeDaub as security consultant

  • price is reasonable
  • there is the need of a technical consultant that knows both the topic and is engaged in the market, so understands rates and other relevant issues
  • appreciate that ADPC has money in their pocket but is still asking the DAO to use it.

On people asking “can we get other SME / alternative”. I totally understand where this comes from, and I understand it is the first thought one could have. But I think we should detach a bit from this type of thinking that, at this point, is a bit encapsulated.
If we elect a committee, and we assign a budget, we should trust that committee. Micromanaging the committee instead is only detrimental, drags the discussion toward how to do stuff instead of effectively doing stuff, kills the purpose of having a committee in the first place cause if they have to ask the DAO for everything at that point why were they even elected?

Cheers and nice job guys.

5 Likes

I’m voting in favour of this proposal.
Costs and budget + buffer seem reasonable and DeDaub has a proven track record.

I’d also like to know which other firms were candidates for this position. I trust the committee’s decision on their selection process but would still be interesting to know which options were considered.

1 Like

Completely IN FAVOR.

From the reasonable budget, the background and the necessary arguments of this role in the committee.

3 Likes

We have decided to vote in favor of this proposal primarily because we trust the committee’s thorough selection process and decision-making. The proposed security consultant, DeDaub, has been carefully chosen by the committee, and we believe they are best positioned to evaluate the available options and select the most qualified candidate. Additionally, the costs and budget, including the necessary buffer, appear reasonable, and DeDaub has a proven track record of expertise and engagement in the relevant market, which is crucial for this role. We recognize the need for a technical consultant with these qualifications.

2 Likes

Hey everyone, first of all, thank you all for your feedback and support on the proposal. We, as the ADPC, appreciate the time taken to follow the process steps and digest the proposals.

As this was requested, I’m chiming in here with some details on the decision-making process behind selecting DeDaub:

  • We did consider multiple firms as potential security service providers.
  • Red Guild: Declined our offer
  • Violet: Had a great scoping call. However, the cost for services was significantly more expensive than our allocated budget.
  • Additionally, we consulted with the ARDC DAO advocate, who advised that a member of the ARDC security team would have a conflict of interest if selected.

We further extended our search by consulting a list of firms from our benchmarking survey, all of whom expressed a desire to be whitelisted as security service providers. After evaluating all these options, DeDaub emerged as the most suitable choice given their expertise, reasonable cost alignment with our budget, and the absence of any conflict of interest.

Be mindful that we acted in the best interest of the DAO, weighing expertise and cost of the providers, and speed of execution. From our perspective as a committee, we have considered sufficient options to make an informed decision here 🙂

4 Likes

Thank you @Bernard for disclosing more details.

Fully agree with this.
The point of a committee is to give them enough autonomy to make decisions and spend their budget on the area they were designated.

Voting FOR.

2 Likes

Voted for because DeDaub seems like a solid provider and the costs are reasonable.

1 Like

I have voted “For” this proposal on Snapshot. I appreciate the ADPC coming to the DAO for approval on something like this, as already having the funds they didn’t need to do this. Although personally I don’t think it’s necessary.

I think at its core the DAO has assigned a budget and elected a committee to run this project. So while I think having a natural skepticism and curiosity is fair, I don’t think we need to necessarily monitor every action. Both from a practical standpoint but also tone setting for future committees (i.e., they feel every time a decision is made that is not by the letter of the Tally vote they have to come to the forums and justify expenses).

Ultimately, that’s really neither here nor there to the specific proposal at hand. We should trust the committee’s judgement in vetting DeDaub. Both them specifically as well as reaching out to other possible consultants. The price seems reasonable and no one has raised concerns, so I feel comfortable approving this decision.

1 Like

Thank you to @Bernard on giving more detail on DeDaub.

We are in favor of the proposal to add a Security SME to the ADPC for several reasons. Firstly, the cost and budget outlined in the proposal are reasonable and align with the expected benefits of enhancing security expertise within the council. Additionally, DeDaub, the entity proposed to fill this role, has a proven track record in security matters, which gives us confidence in their ability to contribute effectively to the ADPC’s goals.

2 Likes

Thank you @sid_areta for putting together the proposal and @Bernard for additional and transparent information for voters. (We fully agree with what @JoJo pointed out, but also appreciate transparent information and data for their decisions)

We vote FOR the proposal because it’s clearly addressed the feedback on the Subsidy Fund proposal, the selection of the firm, DeDaub, is solid (Excellent works with recognized projects), and the cost seems reasonable.

2 Likes

Savvy DAO has voted FOR the proposal “Adding a Security SME to the ADPC.”

We support this decision because DeDaub is a well-recognized firm with a solid track record in security, making them a great choice for our needs. The proposed compensation of 12k ARB is fair given the technical expertise required and the challenge of finding suitable Security SMEs without conflicts of interest.

Additionally, the 10k ARB operational buffer is a smart move to keep the ADPC efficient without constant approvals for minor expenses. This proactive approach ensures smooth operations and fiscal responsibility as unused funds will return to the DAO’s treasury.

Overall, this proposal is well-prepared, financially sound, and critical for enhancing our security capabilities efficiently.

See delegate thread here: Savvy DAO - Delegate Communication Thread - #22 by SavvyDAO

1 Like

Blockworks Research will be voting FOR this proposal on Snapshot.

We don’t have much to add to what has already been pointed out by other community members here, but we think it’s important to reiterate what was said by @JoJo regarding trusting an elected committee. It’s inefficient for the DAO as a whole to participate in the decision-making process of every single implementation, and given that elected committee members are specialized within their operational area, the DAO should feel comfortable relying on these members to make the optimal decisions. We also appreciate the additional color concerning the selection process provided by @Bernard. Lastly, the amount of ARB requested seems very reasonable.

1 Like

The following reflects the views of L2BEAT’s governance team, composed of @krst and @Sinkas, and it’s based on the combined research, fact-checking, and ideation of the two.

We’re voting in favor of adding DeDaub as a security advisor to the ADPC. We believe they have a more than adequate background, and the budget request is reasonable and within the budget allocated by the ADPC.

However, we would like to note that it’s a pity that by having them advise ADPC we are excluding them from the potential application as an audit provider. There are not that many respectable auditing companies in the market and having one of them excluded from the fast-track service eligibility is a definite clear loss for projects in the ecosystem.

At the same time, we would like to ask ADPC to extend their consultations regarding the business requirements to existing big protocols running on Arbitrum, as they already have a broad knowledge of the necessary needs and experience on what to watch out for when procuring these services.

We appreciate ADPC’s transparency on how they selected DeDaub over other providers and we are supporting the proposal in the comfort of knowing that they explored all options before making a decision to present to the DAO.

2 Likes

Unfortunately missed out on this Snapshot due to it being final exam week here at Princeton, but we would’ve voted for adding DeDaub to the ADPC. The price seems reasonable and the rationale behind choosing them for this position is sound.