Arbitrum Audit Program

Arbitrum Audit Committee

Summary:

  • Run an ongoing open application for 1 year to support projects that require a subsidy to audit their project.
  • Approve a list of auditors into the program and also invite auditing firms from the ADPC’s Security Subsidy Fund to apply for the program.
  • Arbitrum Audit Committee will include membership of AF, OCL, a technical expert elected by the DAO, and a team member from the OpCo (when operational).

Abstract

It is industry standard and recommended practice that all projects with on-chain smart contracts undergo at least one third party audit. This is because smart contracts can potentially secure millions, if not billions of dollars, yet a single bug in the code can result in the loss of all funds. In many cases, when the smart contract is deployed, it can be difficult to upgrade after launch, and audits should be completed prior to the project going live.

Unfortunately, audits are prohibitively expensive. It is not uncommon for projects to pay ~$20k per auditor per week. If multiple auditors are required for the project, then the bill increases substantially into six figures. This is problematic for early-stage projects that may simply lack the funds to pay for an audit or be forced to allocate a significant portion of the funds they have raised from investors to pay for the audit.

This proposal aims to implement a subsidy scheme that will allocate funds to projects that require financial assistance to pay for an audit. To be eligible for the funds, the project will need to satisfy certain requirements such as launching on Arbitrum and any code audited will need to remain exclusive to our ecosystem for a fixed period of time.

We are targeting relatively early stage projects, projects that have demonstrated product market fit on Arbitrum, and finally projects that have remained loyal to our ecosystem with an upcoming launch or upgrade that has the potential to help grow the ecosystem.

The subsidy program will run for 1 year or until all funds are spent. An appointed Arbitrum Audit Committee will run the program. There will be 4 (quarterly) transparency reports alongside a final summary report to keep the DAO abreast of program updates.

Rationale and Goals

  1. Support early-stage projects. Promising projects face funding constraints that may prevent their launch without access to a third-party audit, or push them to ‘test in production,’ which is dangerous.
  2. Encourage development on Arbitrum. By supporting builders and early-stage projects, we can potentially help make Arbitrum their home over other blockchains.
  3. Scaling Responsibly. Scalability is not just about transaction throughput, but the ability for the system as a whole to secure and protect an increasing number of tokens (TVL).
  4. On-demand availability. An open applications process to offer subsidy grants to projects just in time before their planned launch.

Application Process

The Arbitrum Audit Subsidy Program invites projects to apply via an open applications track with a standardised form to gather the following information:

  • Team Information
    • Names
    • Background
    • Notable Investors
  • Project Information
    • Overview & problem it is solving
    • Why the project will achieve product market fit (or evidence of PMF, such as traction or other metrics)
    • Stage of development & timeline to mainnet
  • Audit coverage
    • Scope of audit
    • Lines of code & languages
    • Desired completion date
    • [extra information here]
  • Subsidy information
    • Preferred auditor [optional]
    • Audit budget request

The committee will screen the above information based on:

  • Technical maturity: Assess whether the code base is ready for a professional audit.
  • Team experience: Evaluate whether the team has the experience, expertise, and motivation to successfully launch the project on mainnet.
  • Likelihood of success: Judge whether the project has the potential to attract a user base and establish itself as a popular decentralized application on Arbitrum.
  • Reasonable scope: Determine if the audit’s scope can be completed within the proposed timeline and budget.
  • Arbitrum first: The project will prioritise launching on Arbitrum, including One, Nova, and other Arbitrum chains.

A project can be rejected at any stage of the process at the committee’s discretion.

If the committee approves the project during the screening process, then it will undertake due diligence which may include reference checks, reviewing the code related to the audit scope, and other information it may deem necessary to check. Assuming the due diligence succeeds, then the committee will aid the project in connecting with auditors to get the best quote alongside confirming the auditor has the capability to audit the project.

It is up to the project to decide on the auditor, but the choice must be agreed with the Arbitrum Audit Committee. We expect auditors to be selected based on the rate charged to the project (i.e., cost per auditor per week), availability and timeline for completing the audit, and experience with auditing similar projects. In the case of an auditing competition platform, the platform will need to demonstrate that the auditors on it have the required skillset for the specific project.

Keep in mind, this is a subsidy program, which will require the project to pay a portion of the audit, which will also be negotiated as part of the application process.

Eligibility Requirements

We welcome applications from early stage and existing projects that satisfy the following requirements:

  • Smart contracts. Projects must have auditable smart contract code (for example, Solidity or Stylus) to qualify. We only subsidize audits for smart contracts, not the wider infrastructure.
  • Early stage project. Projects that have yet to launch their product, or that have a significant code upgrade pending, are eligible. They are allowed to have received venture capital or grants. Total funds raised will be considered as part of the decision making process by the committee.
  • Native deployment. Projects that are operational on Arbitrum must demonstrate either a strong product market fit or a committed alignment with the Arbitrum ecosystem with expectations that subsequent product launches will be successful.
  • Migrating deployment. The project is planning to migrate from another blockchain ecosystem to Arbitrum.
  • New audits only. Only new code, or code that has undergone significant modifications, is eligible.
  • Arbitrum exclusivity. Audited code must remain exclusive to Arbitrum for a fixed period of time.
  • Arbitrum ecosystem. The project must launch in the Arbitrum ecosystem, which includes all Arbitrum chains (including Arbitrum One or launching their own chain).

With the above in mind, our aim is to target early stage projects with potential to grow on Arbitrum as well as projects with a strong track record or loyalty to the Arbitrum ecosystem.

All audited code MUST remain exclusive to the Arbitrum ecosystem and this will be included in the relevant legal agreements. Breaching exclusivity will obligate the project to repay the full subsidy to the DAO via the Arbitrum Foundation (AF). Non-compliance may lead to legal recourse and/or a proposal to the DAO to ban the project from all future DAO-funded initiatives.

Subsidy Payment Conditions

Subsidy payments will only be paid after the audit is completed. The Arbitrum Foundation will disburse the funds to the auditor. All payments are contingent upon the Foundation’s satisfaction that the audit meets acceptable quality and conforms to industry standards.

Additionally, we will seek when possible to offer the payment in ARB as opposed to USD, subject to the auditor’s needs.

Approving Auditors

The Arbitrum Foundation will take on the role of evaluating auditors who want to apply for this program which includes an interview, reference checks, compliance, and agreement to the terms & conditions of this program. It should be noted that we will conduct an individual negotiation with all approved auditors to take into account potential different rates and offerings from the auditors. Additionally, auditors can apply at any time to join the program.

An approved auditor will have an opportunity to post on the forum to advertise that they have been accepted to the program. This will assist projects with finding auditors that may be suitable for them even if a subsidy is not offered by this program.

Additionally, we will invite auditing firms from the ADPC’s Security Subsidy Fund to apply, with the intention for us to negotiate additional terms that are suitable for this new program.

Arbitrum Audit Committee

We propose a committee with a mixture of technical expertise and DAO representation who will have the necessary skills and time to review proposals on an ongoing basis.

  1. Chair: Arbitrum Foundation (Waiving Payment)
  2. Offchain Labs (Waiving Payment)
  3. Technical Expert - Elected by DAO
  4. ArbitrumDAO’s OpCo (when operational)

We have included the OpCo as a potential team member as soon as it is operational and considers itself ready to join. The AF will chair the committee to lead the discussion and decision making process with consultation of other committee members.

The committee will enforce a strict conflict of interest policy such that no member should have any financial ties to an approved auditing firm that is taking part in the program and they should not have a significant conflict of interest with competing blockchain projects. The technical expert should not be part of the auditing firms engaged in the program and will be paid USD$5k per month. We expect the workload to be ~1-2 days per week.

Scope of work includes:

  • Attend committee meetings to evaluate proposals,
  • Support some due diligence efforts on projects,
  • Lend expertise to make good decisions,
  • Help with transparency & reporting.

Transparency Report

The committee will publish an update in regards to the program every 3 months with a total of 4 reports. Additionally, a final ‘conclusion report’ will be published, after the final audit subsidy is paid.

All reports will include the following information:

  • Categories of projects in the pipeline (DeFi, Gaming, SocialFi, etc.),
  • Total projects rejected, under review and accepted,
  • Completed audits alongside disclosure on project and selected auditor,
  • Treasury of ARB and USD alongside funds spent to date,
  • Success stories.

As mentioned during the governance calls, we do not plan to release specific financial details related to individual subsidy payment. The ADPC acknowledged that auditors are sensitive to revealing their rates to competitors. Additionally, this information is often leveraged by potential grantees during the negotiation process which would make the committee’s job more difficult.

We may also have a delay in reporting the ‘funds spent to date’ depending on the total grants issued to help preserve some privacy around individual subsidies paid. We hope to include success stories, but this will be in later reports as it will take time for audits to be completed, protocols to launch, and for success stories to emerge.

Additionally, all grantees of the program will be requested to publish a growth report to the DAO, 2, 4 and 6 months after their project is launched on Arbitrum. In this report, we expect the grantee to publish metrics relevant to their project, including but not limited to, total value locked (TVL), protocol fees generated, integration with other protocols in Arbitrum, utilization of assets, etc. The committee will work with the grantee to determine the relevant metrics and deadlines for publishing the report. The Arbitrum Foundation will keep track of the reports after the program has finished to ensure they are all published to the DAO.

Budget Request

It is not uncommon for projects to pay $10k to $40k per auditor per week depending on the complexity of the project with overall costs exceeding $100k.

If we assume, conservatively, that each project will receive a $100k subsidy, then with a $10m budget, we can subsidize around 100 projects to build on Arbitrum which is approximately 1.9 projects per week for 1 year.

We are requesting a $10m USD budget to subsidise audits for 1 year and $60k to pay for the technical expert. All other costs including legal, management of the program, etc, will be covered by the Arbitrum Foundation.

Our proposal will:

  • Request 30m ARB from the treasury,
  • Convert ARB into $10m (subsidies) and $60k (compensation),
  • Return all unused ARB and USDC back to the DAO.

Whenever the program ends, the remaining funds in USDC and ARB, will be returned to the ArbitrumDAO unless the DAO approves the continuation of the program via an off-chain vote.

We intend to convert ARB to USD periodically throughout the duration of the auditing program as opposed to exchanging it all at once.

Timeline

We consider the establishment of a long-term security subsidy fund as an urgent matter to support builders in Arbitrum and will work with contributors in the ArbitrumDAO to get the program set up as soon as possible.

We have run three governance calls with two recorded [1,2] and the temperature check vote has passed on Snapshot.

We plan to put the proposal up for an on-chain vote for the 13th March 2025.

This on-chain vote is ~2 weeks later than anticipated in the original proposal. The delay is due to the many helpful comments and discussions we have had with contributors in the DAO. We believe the proposal should hopefully satisfy most comments that have been raised over the past few weeks and the proposal is overall better thanks to the process.

Assuming the proposal is approved by the ArbitrumDAO, then we will:

  • Hold an election to hire the technical expert that should be concluded by 10th April 2025.
  • Onboard auditors and open applications for projects by late April 2025.

An official announcement will be published to declare the start date and when the 1 year clock for the program begins.

8 Likes

Thank you for posting a well-structured proposal. It is very straightforward. Overall, I like the idea of helping projects cover audit costs, especially the projects that have good potential for Arbitrum. I do have some concerns about a few points of the proposal.

  1. In my opinion, auditing firms are known for their “dynamic” pricing. Prices vary quite a lot depending on the type of project (for example: is the project well-funded by VC? Does it have known teams or partners endorsing the project? etc.). I am afraid we will not get fair pricing since the client here is Arbitrum. How can we make sure that we get fair pricing?

  2. I suggest inviting multiple auditing firms and run some kind of bidding process for each project. I would suggest the “Sealed bid” method or something similar. What do you think about this idea?

  3. Is it realistic for a team of 3 committee members (while 2 of them are not being paid for this) working part-time to vet 100 projects? We are talking about paying up to $100k to audit one project, which is a significant amount. How can we make sure to really support the right projects? Maybe expand to 5 committee members?

I think with the power and reputation of Arbitrum DAO, we can ask audit firms to be paid in ARB tokens (instead of selling to USD). This would lower the selling pressure. Since the price of ARB tokens is low, they might even hold it for some time or even better; get involved in governance. :wink:

Thank you for considering my feedback.

5 Likes

Hello,

Thank you for publishing this proposal.

We agree with the points mentioned, but it would also be valuable to consider the risks users face when interacting with these projects. Depending on the project, some may involve significantly larger financial movements from users than others. Taking this into account could help ensure that the initiative benefits not only the selected projects but also the community in a more direct and meaningful way.

1 Like

Thanks for the proposal. I really think it is very well constructed and has goals that can bring great benefits to the chain by helping projects launch in a safer way for users. I believe this is a crucial step for the ecosystem, especially since hacks have caused significant reputational damage.

From the pool of relevant auditors, who will be responsible for selecting the final one for each project? Will it be the committee or the project? I’m not entirely clear on who will make the final decision.

Also, is there a clear maximum amount per project that will be spent on auditing? The 100K assumption per project seems rather vague. I believe there should be a maximum amount, and even a maximum percentage for the cost subsidy; everyone should have skin in the game.

Will this be converted immediately, or on an ongoing basis as needed? I suggest this is ongoing to reduce selling pressure.

Thanks

2 Likes

I see the need and some risks:

  • funding projects that then migrate to other ecos => why not make these audits some sort of investment or what sort of mitigation can be put in place?
  • how are projects selected? there can be a lot of failures with early stage projects => having more structured programs for systematic validation and derisking (like e.g. the Hackathon Continuation Program) could mitigate this risk. Otherwise requiring some sort of traction in a PoC, letters of intent to purchase if B2B, or doing DD on validation… tricky.

Personally, I see a better strategy in having business clusters with a combination of services/support programs that are deeply attuned to each vertical, as opposed to generalist programs where the risk of misallocation is big.

2 Likes

Thanks for the feedback so far!

  1. In my opinion, auditing firms are known for their “dynamic” pricing. Prices vary quite a lot depending on the type of project (for example: is the project well-funded by VC? Does it have known teams or partners endorsing the project? etc.). I am afraid we will not get fair pricing since the client here is Arbitrum. How can we make sure that we get fair pricing?

It’ll be up to the council, and the wider Arbitrum Foundation, to make sure that prices negotiated are fair relative to the skills / offerings of the auditor. We have experience with these types of negotiations already and expect it to go reasonably well.

Additionally, we anticipate the program to be competitive amongst auditors, so we will always seek to matchmake projects with auditors who offer the best value for money (without compromising on quality).

  2. I suggest inviting multiple auditing firms and run some kind of bidding process for each project. I would suggest the “Sealed bid” method or something similar. What do you think about this idea?

During the matchmaking phase, it is quite common for a project to retrieve quotes from different audit providers. It is “sort of” like a sealed bid auction, since the project shouldn’t share the quotes with the competitors.

  3. Is it realistic for a team of 3 committee members (while 2 of them are not being paid for this) working part-time to vet 100 projects? We are talking about paying up to $100k to audit one project, which is a significant amount. How can we make sure to really support the right projects? Maybe expand to 5 committee members?

Committee members will be responsible for evaluating the projects and ultimately making decisions, but the AF will take on the operational and volume work. We expect 3 committee members to be sufficient for running the program.

  4. I think with the power and reputation of Arbitrum DAO, we can ask audit firms to be paid in ARB tokens (instead of selling to USD). This would lower the selling pressure. Since the price of ARB tokens is low, they might even hold it for some time or even better; get involved in governance.

Service providers typically quote their services in USD. We can have a combination of USD and ARB for alignment, but we generally can’t force service providers to accept ARB only.

From the pool of relevant auditors, who will be responsible for selecting the final one for each project? Will it be the committee or the project? I’m not entirely clear on who will make the final decision.

All auditors must be pre-approved for the program. This will predominantly be performed by the Arbitrum Foundation with support of the council members. Will clarify this in the proposal.

Also, is there a clear maximum amount per project that will be spent on auditing? The 100K assumption per project seems rather vague. I believe there should be a maximum amount, and even a maximum percentage for the cost subsidy; everyone should have skin in the game.

We decided against a maximum cap in favour of offering the option to invest in projects as opposed to simply grants. If there is a subsidy that is larger than normal, it could be issued as an investment, and ultimately help align the project with the Arbitrum ecosystem. In nearly all cases, projects will also be expected to have skin in the game and pay for a portion of the audit.

Will this be converted immediately, or on an ongoing basis as needed? I suggest this is ongoing to reduce selling pressure.

It is a year-long program; so there is no requirement to exchange the funds immediately.

funding projects that then migrate to other ecos => why not make these audits some sort of investment or what sort of mitigation can be put in place?

In the proposal, we are offering the option to also use the subsidy to invest in the project, although we’d prefer if the project made its own in Arbitrum first :slight_smile:

How are projects selected? there can be a lot of failures with early stage projects => having more structured programs for systematic validation and derisking (like e.g. the Hackathon Continuation Program) could mitigate this risk. Otherwise requiring some sort of traction in a PoC, letters of intent to purchase if B2B, or doing DD on validation… tricky.

In the proposal, it mentions the committee will screen based on scope, likelihood of success, team experience, due diligence of the tech, etc. Behind the scenes, it will form a matrix that will score the project and offer confidence that the project should be eligible to receive a subsidy.

Of course, like any selection process, the final decision will depend on whether the committee believes the project is likely to get product market fit and the team is truly focused on building for the long term.

4 Likes

gm

Thanks for the proposal; I agree with the rationale.

Before moving forward with the details, I’d love to hear your thoughts on the Subsidy Fund implemented by the ADPC. Do you think it was well executed? What is your opinion on the results? And why do you propose making such a drastic change to that model instead of, for instance, suggesting that this new committee execute the v2?

Are there any lessons from that experience that could be applied?

3 Likes

Hi @Arbitrum

We think this proposal is valuable, though we see some possible issues. The ARDC v1 saw an issue where proposals would come to the security member to audit contracts for new protocols. Similarly, we can see some issue where these protocols receive auditing work, launch on Arbitrum, but then do the bare minimum in ecosystem management and development after launch, while prioritizing other L2s (e.g., Base). With this in mind, does it make sense to have this structure for all apps or for only specific applications (i.e., those built with Stylus) and structure the committee differently for other types of applications, or make a priority pathway instead?

Furthermore, could we have some elaboration on the option for investment offered by the subsidy? How would this agreement work, what does DAO involvement look like here, etc? We understand that it may be more difficult to lock in apps (and that the auditing program may not be the right place to bundle this), though it is worth noting.

Also, on what metrics should we evaluate the success of this program? Projects safely launched on Arbitrum and consistently used?

2 Likes

Good initiative and I’ve got some suggestions about the token mechanics.

Converting 30M ARB to USD immediately is not the play here coz it creates unnecessary sell pressure. Instead, we should:

  1. Keep the funds in ARB and only convert when actually paying for audits
  2. Let auditors choose to receive payment in ARB if they want (maybe even incentivize it)

If we’re bullish on Arbitrum (which this proposal shows we are), then keeping funds in ARB aligns everyone’s incentives. Plus, if ARB price goes up, we could end up funding even more audits than the planned ~100 projects.

Think about it - converting everything upfront to USD is like saying “we don’t believe ARB will perform well in the next year.” That’s the opposite message we want to send to builders choosing which L2 to deploy on.

I support the core idea and trust the Foundation’s judgment on project selection, but let’s modify the treasury management approach.

Thanks for the proposal!

I think this is a very useful idea. After reading all the above-mentioned comments from other delegates and the answers to them, many questions disappeared by themselves.

As @danielo said, there is concern that projects will take advantage of the grant and then go to other ecosystems.

In addition to investing as an opportunity to avoid risks, I have one more suggestion.

How about this solution: can we take obligations from sponsored projects to remain in the Arbitrum ecosystem? And if they want to leave the ecosystem, they will have to return the money spent on the audit, preferably in Arbitrum tokens. I think this would avoid additional risks.

My main question revolves around criteria of selecting the projects.

In the last iteration of the security subsidy funds, there was a committee that made projects compile a rather long (as far as I can read) form, that resulted in some protocols being selected and others not with criteria that were not super clear… How would it work here? Can existing projects already apply?

1 Like

The following reflects the views of the Lampros DAO governance team, composed of Chain_L (@Blueweb), @Euphoria, and Hirangi Pandya (@Nyx), based on our combined research, analysis, and ideation.

Thank you for putting forward this proposal.

We’re glad to see the Arbitrum Foundation leading this initiative. Definitely, audits play a critical role in securing on-chain projects, but they are often too expensive for early-stage teams. By offering subsidies, this program removes a major financial barrier, making it easier for developers to launch safely on Arbitrum instead of choosing other chains.

We are generally in favor of the proposal but would appreciate some clarification -

How will the application process work for projects applying? Will communication with the projects and selection decisions be made publicly, similar to how the Questbook DDA and Stylus Sprint rounds were handled, as they have set a good standard for this?

Just to clarify, multiple auditors will be chosen, right? We assume that no single audit firm will dominate the program. Will there be a cap on the number of projects any individual auditor can take on to ensure diversity and prevent monopolization?

Also, will there be a marketing push to ensure more projects are aware of it? The success of this program also depends on outreach. Visibility could help attract high-quality projects to apply and build on Arbitrum.

Overall, we fully support this initiative and appreciate the effort to strengthen security in the ecosystem.

How are teams determined to be eligible for this support? I think it’s good that it’s removing that financial barrier from those teams, but we should be a tad cautious not to overspend and audit every team.

While we work through the remaining questions, the updated target Snapshot date is now February 20th.

5 Likes

I would like to echo these questions raised by pedrob, which immediately came to mind while reading this proposal. Introducing this new audit program while barely mentioning the ADPC’s security subsidy fund, and the lessons learned from those experiences, seems odd.

Before moving forward with the details, I’d love to hear your thoughts on the Subsidy Fund implemented by the ADPC. Do you think it was well executed? What is your opinion on the results? And why do you propose making such a drastic change to that model instead of, for instance, suggesting that this new committee execute the v2?

Are there any lessons from that experience that could be applied?

3 Likes

Thank you for the offer.
Supporting projects with audits is a great way to reduce potential user losses in the Arbitrum ecosystem.

However, there are also questions:

If funds are allocated from the DAO, I do not understand why the Arbitrum Foundation should head it.
In fact, nothing will depend on the DAO’s vote and decisions made by the Arbitrum Foundation and Offchain Labs will override the DAO.
I would like to see more DAO presence in this committee.

  1. You are talking about a long term perspective and setting a budget for only 1 year. In my opinion, this is not a long term perspective and Arbitrum already had a program of audit compensation during the year. How is this program better?

  2. I think this budget is greatly overstated. I don’t see 100 projects a year that Arbitrum needs so much that we are ready to give them 30 million ARB. Will we proceed from how much money we have or from what projects we need?

  3. I think we could give money for audit projects together with the AVI (Arbitrum Venture Initiative) project.
    On the one hand, we help the project, on the other, if it is successfully deployed, we will receive a profit. This scheme is much more honest than simply throwing money at projects, most of which, according to statistics, will be unsuccessful.

2 Likes

I really like this proposal. Audit costs are a significant barrier to entry for early-stage projects, and subsidizing them for valuable teams is a highly effective way to support builders in the Arbitrum ecosystem. Security is critical, especially for new projects, and reducing the financial burden of audits will help ensure that promising teams can launch safely without cutting corners.

@Arbitrum , I appreciate this proposal and agree with the need for funding to support projects with audit expenses, which can be prohibitively expensive for many teams. However, I have some questions and concerns:

  • Differentiation from ADPC Subsidy Fund: Could you elaborate on how this new program significantly improves upon the revised ADPC Subsidy Fund? What specific shortcomings of the previous program does this address?

  • Timing and Evaluation: The ADPC has announced that they will be posting the Subsidy Fund Outcome report (ADPC Update Thread (Phase II) - #22 by sid_areta) in the coming days. Wouldn’t it be prudent to wait for this report before proceeding with a similar program / giving final shape to a new one? This would allow us to learn from issues of the previous program, identify areas for improvement and ensure we’re not duplicating efforts unnecessarily.

I think this should be considered before moving forward with this proposal. Especially in the current state, our efforts should truly add value to the eco and be perfected before publishing, otherwise we risk contributing to a waste of resources.

3 Likes

In my opinion, no one is better positioned than OCL and AF to evaluate the projects that can have a boost through audit, so I sincerely don’t mind them taking the lead as they did already in the stylus program.

1 Like

Hello, thanks for your proposal!

I have a few questions:

  • What are the criteria for the election and for onboarding the auditors? Will there be a request of a commitment from the auditors to have “X” hours available? One thing is to be part of a “whitelist” with no real commitment, and a different thing is to be aligned with the DAO and have manpower available.
  • Can you share the expected skills/knowledge for both this elected member and the auditors?
  • Can you share more details about the threshold between grant/investment? Who will decide that? The Audit Committee?