Arbitrum Audit Program: Transparency Report #2

Operational Period: November 1, 2025 – January 31, 2026

The DAO-approved Arbitrum Audit Program (AAP) completed its second operational quarter and reached the midpoint of its planned duration in January 2026. At launch, the programme was an experiment in funding ecosystem security. Six months in, the programme has transitioned from early pipeline formation to a more mature, quality-driven intake phase.

The defining signal from the last three months was not raw volume but pipeline maturity and improved operational capability. Teams entered the programme more audit-ready and better aligned with its objectives. The programme saw more referral-driven participation, broader ecosystem diversification beyond DeFi, and steady audit execution in the second quarter. While treasury deployment remained conservative, the programme itself stabilised, balancing growth with discipline and building a durable security pipeline.

Key highlights from the second quarter are as follows:

  • 69 applications received from diverse categories
  • 14 projects approved through multi-criteria committee evaluation, reflecting a 20% approval rate
  • 8 audits completed since the launch of the programme
  • $454,000 committed across approved projects in Q2
  • ~$1M total committed since launch (10% of annual budget)

Note: For reporting purposes, Q1 covers August 1 – October 31, 2025, and Q2 covers November 1, 2025 – January 31, 2026. The first transparency report is available here.

Application Pipeline Analysis

Quality Over Volume

The programme received 69 applications in the second quarter, bringing the total to 150 since its launch in August 2025. While raw application volume decreased by 14.8% compared to Q1, approval efficiency improved significantly. Of the total 69 applications, 14 were approved, 45 were rejected, and 10 are under active review.

This reflects a 20% approval rate, up from 16% in Q1. Please note that, out of all applications received in Q1, 11 were approved (13% approval rate) at the date of publishing the Q1 transparency report. Subsequently, two additional applications received in late Q1 were approved, which moved the Q1 approval rate to 16%.

The acceptance rate rose in Q2 because the quality of applications improved significantly. Projects applying were more aligned with the goals of the programme and demonstrated better audit readiness, including clear scope definition and code maturity, than applications received in Q1.

Referral-Driven Pipeline Strength

The higher rate of approval in Q2 can be attributed to a combination of more targeted outreach and growing awareness of the programme. A key driver of this improvement was the referral channel. Nearly 50% of all approved applications to the programme came via referrals from auditors or ecosystem members, who were actively encouraged to introduce the programme to teams they were already working with, provided eligibility requirements were met. Amongst approved projects that came through referrals, 71% came from ecosystem members (other builders, Offchain Labs, etc.) and 29% from auditors.

Referral teams consistently demonstrated stronger baseline readiness than non-referral applicants. They typically displayed clearer audit scopes and prior deployment experience and included founders with previous startup, protocol, or engineering backgrounds in Web3. This materially reduced the review friction seen in Q1 and, in some cases, accelerated audit execution.

Similarly, teams referred by ecosystem stakeholders often came with founders whose track records were already known within the Arbitrum community. Together, the referral pipeline indicated a growing trust in the programme and emerging network effects within the ecosystem.

Marketing Impact

Demand from new projects was also influenced by a steady cadence of high-signal educational posts explaining programme utility, eligibility, and audit readiness. On posting days, applications increased by an average of 2-3x compared to baseline intake, indicating participation was driven as much by clarity as visibility. When expectations were clearly communicated, qualified teams responded quickly.

The drop in application volume in Q2, despite stronger marketing efforts, is partly attributable to seasonal factors. The period from November to January included key events like Devconnect Buenos Aires and extended holiday breaks, which hurt participation and slowed the process for many teams. This also shifted applications toward the end of the quarter, pushing several strong candidates into pending review or negotiation phases.

The final week of January saw 10 project submissions, all of which are currently undergoing active review (for which an update will be provided in the next report). These pending cases primarily involve requests from the audit team for additional information related to the launch timelines, team details, or compliance with exclusivity requirements. Once this information is reviewed, final decisions will be made.

Importantly, while the quality of applications has improved, with fewer low-effort or premature submissions, rejections are mainly driven by strategic or programmatic constraints. These constraints usually pertain to exclusivity conflicts, timing misalignment, in some cases readiness gaps, or other go-to-market considerations.

In the following months, the AAP aims to increase the programme’s reach by coordinating its marketing campaigns with teams that have already completed programme-funded audits. Teams like CAPX.AI, Footium, idOS, Nashpoint, and Stormbit will be leveraged to serve as proof points for the programme’s impact and credibility.

Applicant Composition

Applications continued to maintain a healthy mix of new projects discovering Arbitrum and existing ecosystem participants seeking security support. At the same time, the composition of applicants is beginning to diversify.

While the first 3 months were heavily DeFi-dominant, with 65% of all applications being DeFi projects, the second quarter saw a more nuanced participation. In Q2, DeFi represented 42% of intake, indicating broader participation across sectors rather than a contraction of interest.

The programme is increasingly serving as an ecosystem-wide security apparatus supporting builders across verticals.

Budget Deployed

Across the second quarter, the programme committed approximately $454,000. This figure reflects audits that have been formally approved and scheduled, where an auditor has been selected and a quote finalised. Some more audits have been approved but are still in the auditor selection phase, so their final budget commitments for Q2 are not yet reflected in this total.

Cumulatively, the programme has committed roughly $1 million across its first six months, or about 10% of the annual allocation at the midpoint of the programme. This measured pace of deployment is partly intentional, influenced by the underlying macroeconomic conditions. The broader market remains in a consolidation phase, with fewer teams showing resilience to build long-term. While the audit committee will continue to drive more high-impact applications, the focus remains on supporting resilient, audit-ready teams while preserving flexibility to scale funding as ecosystem conditions strengthen.

Audits Completed

As of January 31, 2026, 8 projects have completed audits under the programme. The list is as follows:

  1. idOS
  2. Nashpoint
  3. Footium
  4. Stimpak
  5. CAPX.AI
  6. Stormbit
  7. Kandle Finance
  8. Triumph Games

Additional project details are available on the public Notion tracker.

Audit execution remains distributed across a broad network of providers. The following 11 audit firms are currently active in the programme:

  1. OpenZeppelin
  2. Certora
  3. Nethermind
  4. Ackee Blockchain Security
  5. Oak Security
  6. Hexens
  7. Decurity
  8. Pashov Audit Group
  9. OXORIO
  10. Cyfrin
  11. Guardian

On average, each firm has reviewed roughly two projects, with some auditors handling higher volumes due to project preference. Regardless of referral origin, the programme maintains strict pricing oversight to ensure quotes remain fair and consistent with the standards established during the auditor whitelisting process.

Update on Auditor Performance

During the second quarter, the AAP committee worked directly with participating auditors to evaluate quoting efficiency and improve the matching process. Since the beginning, the AAP has received 68 quotes from participating auditors. The quoting process has allowed price discovery and better alignment in favour of projects, confirming that it is useful to maintain this system.

In Transparency Report #1, an imbalance was observed with certain auditors being consistently solicited or declared preferred auditors by projects.

Through the auditor feedback initiative, auditors were actively encouraged to:

  • Engage directly with teams requesting quotes through calls or discussions, rather than only submitting written estimates
  • Clearly communicate their methodology, expertise, and value proposition to projects applying

Auditors who actively engage with teams directly and explain their capabilities secure assignments more effectively, while projects benefit from a broader and more appropriate set of options.

In parallel, the AAP committee guided teams toward auditors whose track record aligned with their technical needs, helping diversify auditor selection and improve matching quality. These measures are already helping rebalance the ecosystem and improve efficiency within the programme.

Impending Programme Improvements

The Foundation is preparing a draft proposal for submission to the DAO (expected in March 2026) to revisit the exclusivity requirement (as outlined in the previous transparency report) and authorise the opening of a pilot programme with AI service providers. Onboarding AI security service providers will allow the AAP to provide meaningful support to teams that are not approved for a traditional full-scope audit. For instance, for early-stage or less audit-ready projects, AI-assisted reviews can provide a faster and more cost-efficient security pass, helping teams identify critical vulnerabilities and improve code quality before deployment.

This creates a tiered security pathway: instead of teams leaving the programme without support, they receive preparatory tooling that increases their chances of future audit approval. The change expands coverage without lowering standards and strengthens the overall security posture of the ecosystem.
