Arbitrum Audit Program: Transparency Report #3

Operational Period: February 01, 2026 – April 30, 2026

The DAO-approved Arbitrum Audit Program (AAP) completed its third operational quarter during the period from February 01, 2026, to April 30, 2026 (“Q3”). Launched on August 01, 2025, the program runs an open application process for one year to support teams seeking audit subsidies to improve the security and reliability of their projects.

Q3 was the program’s busiest quarter since launch in terms of application volume. The committee reviewed 108 applications, representing a 56% increase compared to Q2 and a 33% increase compared to Q1. Despite the rise in submissions, evaluation standards remained consistent, with 12 projects initially approved, reflecting an 11% acceptance rate. However, the quarter also saw a notable increase in post-approval withdrawals, reducing the number of projects that ultimately proceeded through the program.

Across these approved audits, 14 have been completed and security firms identified 297 vulnerabilities, including 8 classified as critical, while reviewing a total of 21,882 lines of code. These findings underscore the importance of rigorous security review in strengthening the resilience and reliability of applications building within the Arbitrum ecosystem.

While application volume increased significantly during the quarter, the proportion of mature, audit-ready teams did not expand at the same pace. The committee absorbed this increased demand without lowering evaluation standards, maintaining a focus on supporting projects with strong technical readiness, ecosystem alignment, and long-term potential.

Key highlights

  1. 108 applications received during Q3, with DeFi remaining the most prominent category.

  2. 12 projects were initially approved through committee evaluation, representing an 11% approval rate. Following post-approval withdrawals, 7 projects ultimately continued through the program.

  3. Across 14 completed audits, 297 vulnerabilities were identified (including 8 classified as critical and 31 as high), and 21,882 lines of code were reviewed.

  4. Approximately $1.12 million has been committed for approved audits since launch, with total audit commitments expected to reach approximately $2 million, including audits currently in progress or pending execution.

Application Pipeline Analysis

Highest Application Volume Since Launch

The program received 108 applications during Q3, marking the highest quarterly intake since launch. For comparison, the program received 81 applications in Q1 and 69 applications in Q2. The increase in submissions reflects the cumulative impact of ongoing ecosystem outreach and marketing efforts, but more notably, the growing role of referrals in driving high-quality deal flow. Of the 7 projects ultimately onboarded, 5 originated through referrals from audit firms, ecosystem partners, or previously supported teams. Projects that successfully completed audits helped expand awareness, effectively becoming advocates for the initiative.

Despite the substantial increase in application volume, the committee maintained a consistent review framework and evaluation standard throughout the quarter. As a result, approval rates declined relative to prior quarters, falling to 11%, compared to 13% in Q2 and 20% in Q1. While 12 projects initially received approval, 5 later withdrew from the program, resulting in 7 projects being fully onboarded. One of the approved engagements represented an extension of a previously supported audit.

Post-Approval Withdrawals

Q3 saw a higher-than-usual number of post-approval withdrawals, where projects exited the program after initially receiving committee approval. These withdrawals were primarily driven by technical delays and misalignment with certain program requirements, particularly around ecosystem exclusivity expectations for supported deployments. However, introducing greater flexibility around exclusivity requirements enabled the program to invite applications from teams that would otherwise have been ineligible for support.

The withdrawals broadly fell into two categories:

  • Some teams secured integration or partnership opportunities that required deployment environments outside of Arbitrum, leading them to voluntarily withdraw from the program.

  • Other teams decided to significantly rework portions of their codebase or feature set after approval and were unable to provide a reliable timeline for delivering an audit-ready implementation. These teams have been encouraged to reapply once development stabilises and a revised codebase is ready for review.

The committee is actively monitoring this trend and evaluating process improvements that may help reduce post-approval attrition in future while preserving flexibility for high-quality teams navigating evolving product roadmaps.

Application Quality

The primary driver behind high Q3 rejections was overall application quality. A large portion of applicants had limited operational and technical maturity, with many submissions coming from solo founders or early-stage teams whose products, value propositions, or codebases were not yet sufficiently developed for a formal security audit process.

In many cases, these teams would likely benefit more from earlier-stage ecosystem support initiatives, such as Open House and the Arbitrum Mentorship program, before applying to the Arbitrum Audit Program. The teams were consequently guided towards these programs.

The second major factor behind rejections was insufficient alignment with the program’s ecosystem requirements and exclusivity expectations. Several applicants were unable to clearly articulate a credible Arbitrum-focused growth strategy, while others were unwilling or unable to commit to the deployment and ecosystem alignment conditions associated with the program.

Compared to previous quarters, the underlying rejection patterns remained broadly consistent. However, the increase in overall application volume was accompanied by a proportional increase in lower-maturity submissions. This significantly expanded the committee’s review workload without resulting in a corresponding increase in high-quality, audit-ready projects progressing through onboarding.

Applicant Composition

The applicant pool reflected a healthy mix of new teams discovering the Arbitrum ecosystem alongside more established ecosystem participants seeking security support.

DeFi remained the dominant category, accounting for 54% of all applications (58), followed by Infrastructure (30) and AI (7). Among the projects that successfully completed onboarding without cancellation or withdrawal, DeFi remained the most represented category. Three of the approved projects – Variational, Nashpoint, and ARU Reserve – were DeFi-focused, while Superset represented the Infrastructure category.

The composition of approved projects would have been notably more diverse had all initially approved teams proceeded through the program. The withdrawn or paused projects included teams across gaming, infrastructure, AI, and DeFi, indicating that interest in the program continues to expand beyond DeFi.

Audits Completed & Security Findings

Across approved audits, 14 have been completed since launch, of which five are in production. The following projects have completed audits through the Arbitrum Audit Program:

  1. Bleap
  2. Triumph Games
  3. Cybro
  4. Kandle Finance
  5. idOS
  6. Footium
  7. Tezoro
  8. Kleros
  9. Nashpoint 1
  10. Nashpoint 2 (extension of initial audit)
  11. Stormbit Finance
  12. Capx AI 1
  13. Capx AI 2 (extension of initial audit)
  14. Stimpak (Duels)

Across all approved audits, the program has committed a total of $1,225,120.

Across all 14 completed audits, the average audit cost is $46,363. The average audit cost was $45 per line of code (LoC). However, for audits covering codebases larger than 3,000 LoC, the average cost falls to approximately $15 per LoC. This illustrates how audit pricing scales with codebase size and provides important context when comparing the cost of larger audits.

While several cancelled or withdrawn audits reduced near-term expenditure during Q3, audits currently in progress, paused, or pending execution are expected to bring the program’s total committed capital closer to approximately $2 million over time.

Across all 14 completed audits, auditors identified 297 vulnerabilities, including 8 classified as critical severity issues that could have posed significant risk had they not been detected through the AAP. A total of 21,882 lines of code were audited under the completed audits.

Budget Deployed

As of April 30, 2026, the program has committed $1,225,120, representing approximately 12% of the total $10 million annual budget. While budget deployment remains conservative relative to the total allocation, this reflects a deliberate decision by the committee to maintain consistent selection standards throughout the program’s lifecycle.

As noted in the previous transparency report, participating teams have consistently requested higher audit coverage, often up to 100% of audit costs, in exchange for accepting the program’s exclusivity requirements. In most approved cases, the program accommodated these requests. As a result, while the total number of financed teams remains relatively modest compared to the available budget, supported teams have generally received deeper financial support per engagement.

Audits currently paused, pending activation, or under negotiation are expected to bring cumulative commitments to approximately $2 million once activated, particularly as several pipeline projects involve larger and more complex codebases requiring more extensive review scopes. A portion of the remaining budget is also expected to be allocated toward the planned AI service provider pilot. While pricing discussions with prospective providers are still ongoing, the expected allocation for this initiative remains negligible relative to the overall program budget.

Auditor Participation & Expansion

During Q3, the program’s roster expanded to 13 approved audit providers. Trail of Bits and Blackthorn (Sherlock) were added as two new auditors following the completion of the program’s due diligence and onboarding process.

Both firms had previously participated in the initial auditor review and whitelisting process during the program’s launch phase but were not onboarded at that time. Their addition during Q3 reflects continued demand from applicants and broader ecosystem interest in working with these firms.

The committee has consistently observed that applicants tend to show strong preferences, with many teams explicitly requesting to work with specific providers based on reputation, prior working relationships, or technical specialisation. The addition of new high-quality firms, therefore, helps expand auditor availability while aligning with applicant demand.

The 13 approved auditors participating in the program during Q3 were:

  1. OpenZeppelin
  2. Certora
  3. Nethermind
  4. Ackee Blockchain Security
  5. Oak Security
  6. Hexens
  7. Decurity
  8. Pashov Audit Group
  9. OXORIO
  10. Cyfrin
  11. Guardian
  12. Trail of Bits
  13. Blackthorn (Sherlock)

Revisiting the Exclusivity Requirement

Following discussions raised in previous quarters, a formal governance proposal was submitted to the DAO to revisit the program’s exclusivity requirement. The proposal introduced a shift from a strict mandatory exclusivity condition toward a more flexible ecosystem alignment framework.

Under the revised framework, Arbitrum exclusivity continues to remain the preferred standard for supported projects. However, the committee now has limited discretion to grant exemptions in cases where projects demonstrate strong strategic alignment with the Arbitrum ecosystem despite operating in a broader multi-chain context.

The updated framework has since been approved and applied selectively to a small number of projects. During Q3, three projects received exemptions under the revised policy, including Superset, a cross-chain stablecoin and foreign exchange infrastructure project that selected Arbitrum as its primary hub chain and could drive substantial transaction volume and network activity.

Audit Completion Timeline

The AAP approaches its scheduled completion on 31 July 2026. Applications will remain open until 31 July.

Audits approved prior to the application deadline will continue to be supported through completion, even if they extend beyond the program’s close date. To accommodate this, we anticipate an additional two-month wind-down period following the application deadline to process and finalise all pending audits before the program can be fully sunset.

A final transparency report will be published once all approved audits have been completed and all program commitments have been fulfilled.
