Arbitrum Audit Program

gm @Arbitrum,

We appreciate the effort behind this proposal; it’s exactly what early-stage projects need and it helps create a more connected builder ecosystem within Arbitrum. That said, we have a few points we’d love more clarity on:

  1. Why create a separate program instead of using the ADPC?
    We agree with @pedrob’s questions on this.

It would help to know what you learned from ADPC and why you’re steering away from it.

  2. Impact of the SOS Initiative
    With the SOS Initiative kicking off, has there been any thought on how that factors into selecting projects for the subsidy?

  3. Broader Builder-Support Strategy
    While an audit subsidy is a great start, is there a larger plan for ongoing builder support? We think a more holistic approach—beyond audits—would help strengthen the entire Arbitrum ecosystem.

Overall, we agree on the value of running an audit subsidy program but would love to see a longer-term vision that supports existing and future builders on Arbitrum.

2 Likes

Before moving forward with the details, I’d love to hear your thoughts on the Subsidy Fund implemented by the ADPC. Do you think it was well executed? What is your opinion on the results? And why do you propose making such a drastic change to that model instead of, for instance, suggesting that this new committee execute the v2?

There are a few reasons why we believe it is better for the AF (or potentially the future OpCo, when it is up and running) to take on the work for the security subsidy fund and allow the procurement committee to pursue other initiatives:

  • Time to action. The ADPC was approved by the DAO on the 8th February 2024 to put together a framework for subsidising audits. ADPC received funds from the subsidy program on 25th July 2024 to run an 8 week program. Final allocations for the 8 week program were completed in December 2024.

It took around ~10 months to stand up and complete the 8 week program. Unfortunately, this meant there was no security subsidy fund by the ArbitrumDAO for most of 2024. Due to this shortcoming, we (the AF) have stepped in via our grant program to sponsor audits for builders over the past year. Furthermore, ADPC is now focused on RPC providers until April 2025 and has also included multiple other work packages in its scope for this term. This implies the DAO will not have a subsidy fund for a further few months.

We believe the security subsidy fund is essential for supporting early stage builders and it should be stood up as soon as possible. We (Arbitrum) cannot afford to further delay a fully fledged program that is openly available at any time.

  • Technical expertise. One of the anticipated lessons learnt from the security subsidy program run by the ADPC is the need for involvement of technical experts who can evaluate the project that needs an audit and ensure the quote from the auditor is indeed a fair/accurate assessment.

The ADPC’s membership lacks the technical expertise to evaluate applications for a security subsidy program and will need to fund external parties for assistance. We’d recommend the DAO approve programs that match the ADPC’s core competencies so they can have a greater impact without relying on third parties.

  • Financial cost. To date, the ADPC has charged the DAO $24k per month for the first 6 months and the current fee is $60k per month for 6 months (150% pay increase). By April 2025, they will have charged the DAO $540k. If the next iteration of the ADPC continues at $60k per month, then it will cost $720k per year ($20k per member excluding other costs such as $54k for operational expenses).

We believe this is a very high overhead to pay for running a $10m security subsidy program. At $720k per year, the AF or upcoming OpCo can hire full time staff to run this alongside other programs that we all deem as mission critical for Arbitrum.

  • AF involvement in ADPC program. In most DAO programs, we are not involved in the day-to-day operations of the program, but for the security subsidy fund, we found ourselves heavily involved in the process of selecting which teams get the subsidy to pay auditors and engaging with these stakeholders. Additionally, with the RPC program, the ADPC is insistent that we take on responsibility for their framework from April 2025 onwards.

Our increased involvement was a sign that it may be better for the ADPC to focus on topics that match their core competencies and not necessarily run an audit subsidy program. Additionally, if we are expected to carry on the continuation of a framework and execute it on behalf of others, then we (AF) should just set it up ourselves.

Are there any lessons from that experience that could be applied?

Yes, some of the lessons we can share:

  • Funds up front. The ADPC started in February, but only got the funds in July 2025 as there was a requirement to go back to the DAO’s voting process to request the funds. The lesson here is to ensure the DAO allocates funds to new programs and enable it to get started more quickly.

  • Technical expertise. Evaluating the cost of an audit requires domain expertise and it is not something a general committee is well-suited for handling. This is why we have put forth this proposal as we can request technical members at the AF and OCL to evaluate audit proposals.

  • Services in kind. Some audit firms prefer to not charge a project for the audit in return for tokens/equity later. We should be explicit on whether this type of behaviour should be allowed as it can be beneficial to early-stage projects, but also potentially unfair for competing audit firms.

  • Flexibility in scope. After agreements were made between all parties, many projects/auditors also wanted to change the scope of the audits, and requested different terms, accordingly. Flexibility is possible when there is an on-going application process as opposed to the 8-week trial that effectively allocated the entire budget all at once.

  • Towards fixed rates. All auditors have different costs, but for each auditor, we should work towards a fixed cost of “per auditor week”, so all projects can benefit from discounted rates.

We think this proposal is valuable, though we see some possible issues. The ARDC v1 saw an issue where proposals would come to the security member to audit contracts for new protocols. Similarly, we can see some issue where these protocols receive auditing work, launch on Arbitrum, but then do the bare minimum in ecosystem management and development after launch, while prioritizing other L2s (eg. Base). With this in mind, does it make sense to have this structure for all apps or for only specific applications (i.e., those built with Stylus) and structure the committee differently for other types of applications, or make a priority pathway instead?

We’d avoid overcomplicating the structure of the committee for other types of applications. The motivation to pick team members from AF or OCL is to take advantage of the domain expertise across the organisations. If there is an application that the committee alone cannot evaluate, then they can request assistance from the wider organisation.

On the final point, how to avoid projects getting a grant and then launching on another chain, this is generally the same problem that all grant programs encounter:

  • We will prioritise projects who are leveraging Arbitrum’s core technology stack, like a smart contract for Stylus or deploying their own chain.
  • We may decide to invest in the project over a simple grant as that offers a closer partnership with the project and helps align incentives for all parties involved to remain on Arbitrum.
  • Depending on subsidy size, there may be clauses that require projects to launch on Arbitrum before other projects.

However, for the most part, it is more of an art than a science to avoid the above issue.

Furthermore, could we have some elaboration on the option for investment offered by the subsidy? How would this agreement work, what does DAO involvement look like here, etc? We understand that it may be more difficult to lock in apps (and that the auditing program may not be the right place to bundle this), though it is worth noting.

The AF will perform the investment on behalf of the ArbitrumDAO. We decided to include investing as an option in the program to ensure that if an investment makes sense, then we will be able to do it for the community.

Also, on what metrics should we evaluate the success of this program? Projects safely launched on Arbitrum and consistently used?

The metrics should be 1) how many projects that received a subsidy eventually launched on Arbitrum, 2) the growth of each project relative to similar deployments on other chains, 3) the total funds secured and 4) total funds lost due to smart contract vulnerabilities.

Note, it is always worth keeping in mind, audits are not foolproof to avoid bugs, and the main metric is supporting new projects to launch on Arbitrum with some sanity checking by experts and ultimately trying to avoid projects from being forced to ‘test in production.’

Converting 30M ARB to USD immediately is not the play here coz it creates unnecessary sell pressure.

It is a 1 year program and we will not be converting the ARB to USD upfront.

Our goal is to minimize the total ARB that is exchanged and 30m ARB is just a very conservative estimate for the total budget based on the current exchange rate.

How about this solution: can we take obligations from sponsored projects to remain in the Arbitrum ecosystem? And if they want to leave the ecosystem, they will have to return the money spent on the audit and preferably in Arbitrum tokens. I think this would avoid additional risks.

We expect to add exclusivity clauses to nearly all agreements for new projects who have not yet launched or existing projects whenever it is reasonably doable.

In the last iteration of the security subsidy funds, there was a committee that made projects compile a rather long (as far as I can read) form, that resulted in some protocols being selected and others not with criteria that were not super clear… How would it work here? Can existing projects already apply?

We will have an application process and example questions/information requested is already outlined in the proposal. This will be used to help us screen the project before performing more due diligence. All projects will be welcome to apply, but we will prioritise early stage projects or projects that really require the financial assistance.

How will the application process work for projects applying? Will communication with the projects and selection decisions be made publicly, similar to how the Questbook DDA and Stylus Sprint rounds were handled, as they have set a good standard for this?

Many early stage projects will still be in stealth mode when they apply for the audit program and will not want to publicly disclose their audit details. Additionally, we expect this program to be very popular, and many projects who apply will not be accepted simply due to volume & grants available. We are expecting the applications to remain private, but the winners to be announced.

Just to clarify, multiple auditors will be chosen, right? We assume that no single audit firm will dominate the program. Will there be a cap on the number of projects any individual auditor can take on to ensure diversity and prevent monopolization?

Yes, the intention is to have auditors compete amongst each other for the project, hopefully leading to better prices for the project. We should avoid caps to ensure the marketplace remains competitive, but will also ensure that there is not a monopoly.

Also, will there be a marketing push to ensure more projects are aware of it? The success of this program also depends on outreach. Visibility could help attract high-quality projects to apply and build on Arbitrum.

The AF will focus significant resources to market this to all projects building on Arbitrum. As you mention, our goal is to get high quality projects, so they need to be aware of this program!

How are teams determined to be eligible for this support? I think it’s good that it’s removing that financial barrier from those teams but we should be a tad cautious not to overspend and audit every team.

We put together a list of points that we will evaluate like team background, likelihood of success, etc. There are not enough funds to audit every project. Additionally, we believe it is better to return funds to the DAO than to overspend it / make sure the full budget is exhausted on projects we do not believe will ‘make it’.

You are talking about a long term perspective and setting a budget for only 1 year. In my opinion, this is not a long term perspective and Arbitrum already had a program of audit compensation during the year. How is this program better?

All DAO programs should have an expiry time to ensure the authors have to return to the DAO, show results, and then continue the program. We set the expiry time to 1 year with the option to continue via a snapshot vote if there are still funds available. In regards to ADPC program, we have put an answer at the top of this post 🙂

I think this budget is greatly overstated. I don’t see 100 projects a year that Arbitrum needs so much that we are ready to give them 30 million ARB. Will we proceed from how much money we have or from what projects we need?

100 projects is an illustration to simply show the number of audit subsidies a $10m budget can cover. However, there are hundreds of projects that will likely apply to this program. The committee’s job is to spot the winners that can move the needle for Arbitrum and ensure they are supported. We do not have a metric to sponsor ‘100 projects in 1 year’ and will only sponsor projects that require the assistance.

Differentiation from ADPC Subsidy Fund: Could you elaborate on how this new program significantly improves upon the revised ADPC Subsidy Fund? What specific shortcomings of the previous program does this address?

There was a simpler question before and we provided an answer earlier in this post.

Timing and Evaluation: The ADPC has announced that they will be posting the Subsidy Fund Outcome report (ADPC Update Thread (Phase II) - #22 by sid_areta) in the coming days. Wouldn’t it be prudent to wait for this report before proceeding with a similar program / giving final shape to a new one? This would allow us to learn from issues of the previous program, identify areas for improvement and ensure we’re not duplicating efforts unnecessarily.

We (the AF) were heavily involved in the ADPC’s security subsidy program and how the funds were allocated. So, we are aware of several lessons learnt that can be applied to this program. The report will be helpful to the wider DAO and it should be publicly available before we reach the on-chain voting stage.

What are the criteria for the election and for onboarding the auditors? There will be a request for a commitment from the auditors to have “X” hours available? One thing is to be part of a “whitelist” with no real commitment, and a different thing is to be aligned with the DAO and have manpower available.

We do not expect an auditor to participate in the program if they are not able to commit time to audit projects. Additionally, if they do not audit any projects, then they will be removed from the whitelist.

Can you share the expected skills/knowledge for both this elected member and the auditors?

We expect the elected member to have a strong technical background with experience of writing smart contracts and obtaining audits for their own project in the past. In regards to auditors, we plan to only accept reputable firms.

Can you share more details about the threshold between grant/investment? Who will decide that? The Audit Committee?

It’ll be decided by the Audit committee, but the difference in grant or investment will really come down to the individual project and their subsidy request. We do not believe it is wise to advertise or commit to a threshold in advance.

5 Likes

gm

Thank you very much for your detailed response. I agree with many of the opinions and learnings you’ve shared.

Since you mention that you’ve been very involved in the execution of the Subsidy Fund, why do you think this took so long? The DAO is usually not this inefficient in the administration and execution of its programs.

I’m in complete agreement with this. In fact, it was a suggestion I made when the Subsidy Fund was being discussed. However, for some reason, it led to a vote for a new committee rather than incorporating an expert, which was ultimately rejected by the DAO.

To be clear, I wasn’t suggesting that the ADPC (or at least its current composition) continue managing the Subsidy Fund. In fact, I’ve shared my concerns about its execution and am still waiting for the final report, which I understand will be published this week.

However, I don’t necessarily agree with your last point about taking over a framework developed by others and the idea that just because it was developed by others (others would be the DAO in this case), it should be discarded, and you should start from scratch with your own framework.

I believe the process developed by the ADPC did have value, mainly in the criteria outlined for both auditor and project selection. Maintaining continuity in the process and criteria provides predictability for auditors and projects looking to apply and how to improve for future applications. It also allows the DAO to replace program managers without friction or negatively impacting the program.

In that sense, building a new program from scratch will cause the very delays you are trying to avoid. And of course, this will happen again in the future.

I’m very happy to see you stepping up and getting more directly involved in the DAO. What concerns me, however, is the possibility of you taking ownership of the initiatives and starting from scratch, which could lead to the loss of sustainable frameworks that don’t rely on a single provider or manager (or at least with the intention of reaching that point). It’s true that you may be the most suitable to execute this work and lead the committee, but I’d prefer that, as a DAO, we can be a bit more inefficient if it means developing frameworks that are sustainable over time for when you decide to step back again.

That’s why, for instance:

This aspect seems a bit concerning when considering the continuity of the program in the future. We can certainly trust you AF to manage it, and you will likely do it great. But the day you decide to step away, it will become a problem. That’s precisely why the procurement process was created.

In this same regard:

This is something you can set up and execute, but since it’s not a standardized process, it could eventually be lost (with the criteria applied and the knowledge obtained).

The same goes for the idea of offering investments. It’s very interesting and may be appropriate, but as it’s structured, it’s not creating a framework that can be replicated in the future for other PMs.

I think this composition of the committee is appropriate. That’s why I believe using the existing framework, with the lessons you’ve pointed out as areas for improvement, can be a great complement to create a kind of v2 program that is sustainable over time, regardless of who makes up the committee.

3 Likes

Hi all, given the Foundation’s response concerning the ADPC, we thought it was important to respond and clarify the facts.

In regards to the Foundation’s proposal, it needs to be mentioned that we shared a detailed proposal for continuing the Subsidy Fund — including a proposed $10M fund size and other specifics, such as a detailed scope — with the Foundation a week prior to their announcement to internalise the extension, and discussed it with them until the day they posted this Audit Program proposal.

We had also spent several weeks educating the Foundation on the operation of the framework, including a session in Bangkok with the core members of the team to walk through the tasks involved in running such a procurement framework and fund. On the basis of the feedback during that session, as well as strong support from the community, the industry and project teams involved in the initial 8 week run, we concluded that the ADPC was best placed to manage this for the DAO and prepared a proposal to submit last week.

The Foundation promised to get back with feedback, but instead posted this proposal by themselves without informing us. At no point in the past 12 months did the Foundation raise any concerns with us about ADPC operations, timeliness or cost effectiveness despite us having near daily communications with them. We strongly believe that the Foundation is a key stakeholder in the operation of the DAO and wanted to ensure they were not blindsided by any work being undertaken by the ADPC as poor communication between us could result in the DAO being ambushed by events. The ADPC is proud of its exemplary professionalism shown to date and are deeply troubled by any implications suggesting otherwise.

In summary it is incorrect to state that the DAO would not have had another subsidy fund - this was, in fact, on the horizon and we had planned on posting it imminently after receiving the Foundation’s feedback which, in the end, we never received.

We can discuss what it means to work for a DAO, the associated costs, and how pricing is determined among various stakeholders. However, we would have appreciated a more transparent communication process from the Foundation.

Respectfully, we can understand a business decision of wanting to run an ecosystem like a corporation and not a DAO. This is not what we are arguing against.

We, delegates, and other service providers have contributed to the ecosystem, effectively taking a bet on its success. This also means working together in a partnership. We understand the Foundation’s decision to internalise the DAO and its key initiatives run by service providers and would only ever wish them success in continuing the innovative procurement models designed by the ADPC team.

More broadly, we think the Foundation’s expertise and resources (which the DAO has significantly funded) could be better utilised in spinning up programs that are not already tackled by contributors vs. going on a hiring sprint to internalise these functions.

Considering the history of the DAO and involvement of its participants (delegates and service providers) who have spent 2 years to try to get this experiment right, our strong preference is a continuation of the direct communication we had had with the Foundation until very recently as this shift by the Foundation to internalise a proposal that external contributors had been working on (and that the Foundation were aware of) could have resulted in a more streamlined approach and more seamless transition planning. The current approach is sub-optimal for the DAO, and we believe other delegates and ecosystem participants would tend to agree. The ADPC remains prepared to work with the Foundation on the understanding this can be done with mutual respect and transparency.

This is not an effort to challenge who runs the program, we are happy to support the transition to make sure the value we created is not lost, if the push to internalize continues.

Rather, we hope the Foundation will reconsider its overall communication and collaboration approach.

Otherwise, we are concerned it may lead to the offboarding of other remaining DAO contributors and delegates, who have long been the core of the ecosystem - as this is not how partners should be treated.


Find below responses to some of the statements:

The first step towards running the subsidy fund was creating the procurement framework for whitelisting security auditors for the DAO. As we mentioned in the Phase I Outcome Report, we began operations for ADPC Phase I from February 21, 2024, while the RFP process to whitelist auditors took place between June 19 and July 22, 2024.

During this period, the Foundation took more than a month to get back to us on our proposed framework (as mentioned in the Phase I Outcome Report), and ultimately told us that the legal terms would be redundant due to the Foundation having its own preferred model. This introduced significant delays into the process.

Moreover, the ADPC was ready to begin the Subsidy Fund even earlier and we announced the whitelisted security service providers in August - another month’s delay took place since the providers had to undergo KYB and sign the Head Agreement with the Foundation.

The ADPC took this feedback into consideration early on and onboarded DeDaub as a technical expert. This was based on feedback from the DAO and actioned immediately. DeDaub was funded for a total cost of 12K ARB, which we think is very fair for a technical party of their calibre.

If the Arbitrum Foundation preferred to use technical members at the AF to sense-check audit proposals, we would have been happy to implement this feedback had this been communicated to us.

Regardless, we think engaging a third-party audit expert as an impartial referee makes much more sense than involving technical AF members who do not have a keen view into the dynamics of the audit market.

This is not correct - the Foundation did not review a single application, nor was it in any other way involved in the selection of projects. The Foundation was only involved in (1) an investigation of potential malicious behaviour (as they are the legal counterparty) and (2) aligning with ADPC on adherence to legal terms (as they are the legal counterparty).


For further questions, we will join the office hours later and then plan to refrain from further comments.

4 Likes

I don’t agree with that. That’s what we created the ADPC program for.
We’re duplicating their work in this proposal.
Besides, I don’t understand why the Arbitrum Foundation takes money for the program from DAO, and DAO barely participates in it.

See what ADPC writes here above

1 Like

@Entropy can an Office Hours discussion which includes both members of the Foundation and ADPC be organized?

We feel it’s better to thrash the issues being put forth by both @Arbitrum and @adpc prior to a vote on the proposal. We understand that an Office Hours was recently held but in light of this new information, it would be prudent to have another discussion with both parties involved.

3 Likes

So another flagship for Arbitrum to attract and retain projects. It will encourage developers to choose Arbitrum which will help grow and expand our ecosystem.

That said, there are some things to consider before approving a $10M proposal. From my experience working with audit firms, $100K per project seems high tbh. Typically, it’s around $30K-80K (from essential to premium packages). This doesn’t even include referral fees or discounts for handling 100 projects, so I may be wrong, but just wanted to raise this 🙂

Like other delegates, I agree that paying in ARB more than USD would help reduce sell pressure for the DAO.

At the end of the day, if the proposal is passed, I hope the program will have a reimbursement process for projects that get audited but don’t perform well.

The ADPC’s post was published 5 minutes before the governance call yesterday and led to a discussion during the governance call. The discussion lasted about ~40 minutes.

The AF acknowledged that Patrick (who authored this proposal) was unaware of the ADPC’s plan to run another subsidy program and had been working on the proposal for a few weeks (since mid-January). The AF governance team received the ADPC’s proposal 2 days prior to the AF posting their own version and it was not yet reviewed by Patrick / the governance team. Patrick had communicated with some delegates on a call that the AF was working on an audit program and that it was due to be published in the coming days. In hindsight, he should have communicated to the ADPC that the AF was working on a subsidy program.

There were also discussions behind why the program had been delayed, but the general conclusion (from our perspective) was that the ADPC might be better suited to focus on topics and procurement that match their core competencies as this will empower them to run with initiatives without relying on third parties. Topics that are very technical in nature, like this subsidy fund, might be best handled by the AF / OCL / OpCo.

There are two more planned governance calls (on 24th Feb and 3rd Mar) for the auditing program already. The topic could be rehashed, but generally, it is good to focus on the content of this proposal so we can make sure it has the best chance of success.

2 Likes

…and also for the following calls to be recorded, and for those recordings to be shared with the DAO in this thread.

Yesterday’s call, as far as I’m aware, was not recorded unfortunately.

4 Likes

I am writing on behalf of the Arbitrum Governance Collective (AGC), a newly formed group of significant token holders focused on active participation in governance and value creation for the Arbitrum ecosystem.

Before addressing the proposal’s structural flaws, we must address a critical credibility issue: The Foundation claims to be “heavily involved in the process of selecting which teams get the subsidy.” The ADPC explicitly states this is false - that “the Foundation did not review a single application.” One of these statements is untrue. Token holders deserve to know which version is accurate before being asked to trust the Foundation with $10M in DAO funds.

Let me outline our major concerns:

  1. Amateur Hour Management Structure

The Foundation proposes to run a $10M program with part-time, unpaid committee members “next to their everyday duties.” This is frankly absurd. You don’t run what you yourself call a “mission-critical” program as a side hobby. The proposed structure screams of inexperience in running professional investment operations.

  2. False Economy & Hidden Costs

The Foundation’s claim they will “waive fees” is either naive or deliberately misleading. These costs will simply be absorbed into their DAO-funded operational budget. More concerning is the opportunity cost of running this critical program sub-optimally. One bad investment decision could cost multiples of any supposed savings.

  3. Fundamental Misunderstanding of Required Expertise

The Foundation’s fixation on “technical expertise” demonstrates a basic misunderstanding of what this program requires. What’s needed is deep knowledge of the security services market and audit space - not generic technical knowledge. The ADPC demonstrated this understanding by engaging DeDaub, an established security firm. Why would a random technical person from the Foundation or OCL have more relevant expertise than actual auditing professionals? This misalignment of expertise requirements raises serious concerns about the Foundation’s ability to even properly scope this program.

  4. Lack of Investment Expertise

This is fundamentally an investment program requiring sophisticated venture capital and private equity experience in evaluating early-stage projects. The Foundation’s emphasis on technical expertise while completely ignoring the need for investment acumen shows a fundamental misunderstanding of what drives successful project selection and portfolio management. Where is the venture capital expertise on their proposed committee? Who has experience managing comparable investment programs?

  5. Concerning Pattern of Unilateral Actions & Misuse of Operational Budget

The Foundation states they have been “stepping in via our grant program to sponsor audits for builders over the past year.” This raises serious governance concerns. The DAO funded the Foundation for specific operational purposes and the ADPC was explicitly voted in to manage audit subsidies. The Foundation’s operational budget was not intended as a shadow grant program. While we appreciate the desire to support builders, this pattern of unilateral actions outside established governance frameworks and apparent repurposing of operational funds demands immediate scrutiny. We request:

  • Full transparency regarding these expenditures

  • Clarification on which operational budget lines were used

  • Explanation of how this aligns with their DAO-approved mandate

  6. Organizational Dysfunction

The Foundation’s complete failure to coordinate internally is alarming. They were actively working with the ADPC on this exact initiative, received a detailed proposal, and then launched a competing proposal without any communication. This level of organizational dysfunction raises serious questions about their capacity to manage complex programs.

  7. Misdiagnosis of Current Issues

While the current ADPC structure has inefficiencies, we believe these primarily stem from the three-party structure and alignment with the Foundation. The solution isn’t to add more bureaucracy - it’s to streamline operations.

Our Solution:

Rather than allowing the Foundation to experiment with DAO funds or maintaining a complex multi-party structure, we propose selecting ONE premier service provider with:

  • Proven track record in initiative management

  • Established relationships with top audit firms

  • Clear accountability structure

  • Performance-based compensation alignment

  • Deep venture capital/private equity expertise

This is how professional investment operations work. Not through part-time committees, not through complex multi-party structures, and certainly not through foundation bureaucrats playing venture capitalist.

Questions the Foundation Must Answer:

  1. Will you address the discrepancy between your claim of involvement in project selection and ADPC’s statement?

  2. Can you name a single successful program of this magnitude you’ve managed?

  3. How do you justify running a $10M program as a part-time endeavor?

  4. What governance framework guided your unilateral audit funding decisions?

We urge all token holders to vote NO on this proposal and support bringing in a qualified professional firm to manage this critical program.

The DAO deserves professional management of its resources, not amateur hour experiments with critical infrastructure.

1 Like

hey @Arbitrum do you intend to publish this proposal for offchain vote on snapshot, tomorrow?

Hello and welcome @Q12 in the arbitrum forum. Quite a way to enter the arena.

I have no horse in this race but I am quite curious about your approach and several statements, to which I would gladly read some clarification if you would be kind enough to answer my questions.

I agree that there should be more clarity on this. I also think that there could be a disconnection between contributing as evaluating proposals, and contributing as taking care of other tasks such as the legal part or avoiding frauds. Both tasks are contributing to the initiative, both have also a different degree of importance in terms of outcome for the end user (in this case, the protocol) and the broad ecosystem (the dao, the foundation).

This seems stretched. AFAIK the foundation didn’t publish the amount of workforce they would employ in this; nor do we know how much opco will be able to take on, nor how many fte will OCL put on the table. Finally, there is a third paid member.

This is, honestly, just taking a situation and bending it around. I could answer in several ways; will do by quoting the official docs:
The Foundation operates as a neutral steward in order to support the ArbitrumDAO, the continuous innovation of the Arbitrum technology and the development and education of the Arbitrum community.
The Foundation literally has a budget to support the DAO. In the statement above you are trying to highlight in a negative light the equivalent of saying “the sky is blue”. IMHO, of course.

I honestly think you are putting the cart in front of the horse here. There is a third, paid member, that could be literally dedaub or someone working for an audit firm. In the recent stylus program, we had 2 people from open zeppelin for example. More than saying that foundation has a “fixation”, wouldn’t it be better to highlight that the third member should be, in your opinion, someone with a deep knowledge of the security market? And so, maybe, only nominated and not elected by the DAO? (and btw I would tend to agree with this).
As a final note, slamming ocl/af about technical expertise here feels excessive and uncalled for. This is not to simply be a cheerleader: but all of this that we have now, this whole ecosystem, would not exist without these people. Saying that this expertise, paired with a third member that is vertical in security, doesn’t count, is being short-sighted at best, ill intended at worst.

A bit puzzled by this. The program afaik is not intended to do investments. So why are you mentioning it? I can agree that, de facto, financing an important audit for a project is an indirect investment in the ecosystem, but is not the main focus here. @danielo above proposed this approach, which I could like, but we currently don’t have the structures/infra/legal to support this and is a bit soon (but also soon we could have the avi, we will have the opco, we will have sos goals that might match this). Anyway, feels like someone asking what time is it, and having as an answer “thursday”.

The foundation has a grant program that can also include audits for what I know. This has been true and known since the very beginning. You can find more info here. Besides, in every ecosystem foundations have internal grant programs to sponsor protocols and builders. I agree tho that more transparency in this sense would be something good for the dao as well.

Defining this situation as a complete failure seems a mix of being excessive or slandering. You choose what applies here best.
Looking at the answer from the Foundation, there has been indeed miscommunication with both one party (areta/axis/daimon) and internally (people talking with adpc vs people preparing the proposal). This is something that yes, can improve and should improve. Looking at the opening roles for the AF, they are indeed looking for further people for dao relationship, and at the same time we as a dao need to better organize single PoC for verticals. Because I know for a fact that AF gets pinged by tons of individuals for tons of different things, with the people being pinged not necessarily in charge of taking this inbound request.
I am digressing a bit here and I am not trying to justify anybody here. There is definitely margin of improvement in comms on all sides.

I don’t honestly think this initiative is AF experimenting with dao funds: they want to pay audits for protocols in arbitrum.

This is where you fall short. Coming in an anon form, to the dao, criticising at a horizontal level, and then proposing “a single one premier service” without knowing if you might have a conflict in proposing this is where everything that you wrote can just fall in credibility. To be clear: is not that the idea of subsidizing through a third party is necessarily wrong.


Now, you likely lost a decent amount of time in writing the above. I for sure lost at least 40 minutes trying to answer here, so let’s try to take out something good for everybody involved in this discussion:

  • There is a merit for AF to improve comms, both internally and with the DAO. From what I understand, looking at recent changes, recent hiring proposals, this should hopefully happen, but is gonna take time and won’t happen in a single day or week. At the same time, we as a DAO need one or more stewards capable of taking inbound requests and proposals, big or small, to avoid losing track of stuff. This last part doesn’t necessarily apply to this situation but is still relevant imho
  • There is also a merit for the AF to open a bit the transparency regarding grants. One thing we have seen is that AF has certain criteria to select protocols, and the various DAO programs might have others. Increasing transparency, while not necessarily disclosing the amounts or other sensitive data, could probably benefit the coordination of all stakeholders
  • There is indeed a merit for the Foundation to potentially negotiate privately with entities (areta, axis, single delegates and contributors) to be part of certain initiatives. I am honestly not sure if AF has the legal capabilities to do so; if not possible, opco should be able to help in this sense, and AF should find a way to leverage it. This because if an entity or a person has been contributing to the Arbitrum ecosystem for 3 months, 6 months, 1 year or more, just replacing that entity with someone else has a cost exactly like replacing any person or SP in a company has a cost. A cultural cost, an alignment cost, a time cost and so on. I am not saying that in this specific case AF should have for example negotiated with the current ADPC member for a different structure, a different payment etc, even tho it would have been maybe ideal; but if we think about Areta, Axis, Daimon, DeDaub hypothetically not contributing anymore to the DAO, it would honestly be a pity if the reason is just due to the monetary compensation or miscommunications when these entities have run several programs in arbitrum. We should always find ways to preserve the value we create more than destroy it
  • there is a merit for the DAO to start having a profound discussion on having point of focus capable of coordinating the hundreds of initiatives that we have to also make life of OCL/AF easier. We just can’t pretend that answering to a lot of messages coming everyday from very different people is normal from the AF side
  • finally @Q12 would be interesting to know who you do effectively represent. Understanding that we have a bovine asking an anon his identity, if this is not impossible I strongly invite you to participate in the next governance call, happening tuesday, 25th, at 4PM utc or the audit call happening monday, 24th, 2PM utc. I have added the links to the call. It would be quite good to be able to talk about the points you raised.
1 Like

Hopefully! L2Beat mentioned on the call that they will be dropping feedback. It might depend on their questions and whether we can get answers for them on time.

1 Like

The following reflects the views of L2BEAT’s governance team, composed of @krst and @Sinkas. It’s based on their combined research, fact-checking, and ideation.

We want to thank the ADPC for all the work they’ve done in setting up the framework and whitelisting security service providers. We hope to see the Foundation use the groundwork the ADPC has done and build on top of it.

In our view, this is an expected pathway for many different initiatives the DAO undertakes; a third-party contributor proposes something and leads the charge, and once the concept is proven, the AF (or in the future, the OpCo) internalizes it and optimizes it to be as efficient as possible, creating value within the DAO structures.

At this time, the DAO has no way of providing a security audit subsidy to projects, given that the previous subsidy fund from the ADPC has run out and there have been no steps to renew it. In our view, it makes sense for the Foundation to administer the security subsidy fund, given its position and proximity to both builders and Arbitrum’s tech.

One thing we’d like to point out about the proposal itself is that the Foundation will run the subsidy fund on behalf of the DAO using the DAO’s funds. As such, we’ll hold them to the same standard as any and all other contributors and service providers, and we actually expect them to be an example of what a DAO-funded program should look like.

We would also like to emphasize that we see this program as a BD initiative that should first and foremost drive the growth of the Arbitrum ecosystem. Therefore, we expect that whoever the OCL and AF representatives will be in the committee, they will coordinate internally to make sure that the projects selected to receive audit grants are in line with Arbitrum’s long-term growth strategy.

1 Like

I agree with @CastleCapital and @paulofonseca.

As a matter of policy all calls in Arbitrum should be recorded so all people can access relevant information in the deliberation and decision-making process, either real-time or async according to one’s need and style.

I think every call in Arbitrum should be recorded as a policy and be on the record. This needs to be solved.
i.e. it’s not ok this controversial Audit call from earlier in this week was not recorded, I was not on it and don’t have the required information to make a decision on this matter.
That’s not good enough in my mind as a way for Arbitrum to operate and as a matter of priority this needs to get solved.

I would even go so far as to say AF should not proceed to snapshot without and before doing a repeat call, including ADPC/the relevant service providers & it must be recorded so all global DAO participants can access the information as part of decision making.

In addition, for a controversial proposal I am not in favour of proposals being rushed to snapshot exactly at 7 days if forum dialogue isn’t resolving/converging to a state that makes sense to move to Snapshot. I’m seeing more of this behaviour DAO wide and don’t think it’s a good practice. I think proposal authors should take extra time and care if there is strong divergent sentiment to dig deeper and extend the deliberative process.

This proposal isn’t only about this proposal; it strikes to the heart of settling the expectations and agreements people understand and are experiencing unclarity in the social contract between Arbitrum Foundation and DAO service providers.

@stonecoldpat and those stewarding this from the Foundation, I invite slowing down at this pivotal moment staying with the tension and working through resolving/converging to something encompassing the real feedback of contributors.

Can we pause on taking this to Snapshot today and setup another meeting?

6 Likes

we don’t have a fully streamlined setup for investments (that’s coming) but we do have the ability to make investments and we already broke a lot of ground here with the Hackathon Continuation program. The Foundation has capabilities to sign investment contracts so if they’re willing to allocate capacity here, I don’t see why this would be a problem. Once a template contract is setup, the responsibility then falls to the team operating the program to negotiate these (which could be a challenge but not necessarily insurmountable).

What I understand is that the program proposed here moves us from partial subsidy of Audits to full subsidy, and this creates incentive misalignment (projects can abuse the program by getting crap audited). That seems like a move in the wrong direction and could be rectified by getting projects to bear part of the costs (current system as I understand) or otherwise by making audit subsidies an investment (with the complications mentioned above)

1 Like

Entropy has posted this proposal to Snapshot on behalf of the Arbitrum Foundation. It is now live for voting.

1 Like

I am voting in favor of this proposal. It is the type of proposal that allows for the growth of the ecosystem, and we need it. The only thing I would suggest (besides maybe waiting another week, as looking at the comments might make it seem rushed, but now is on snapshot so doesn’t matter) is a commitment to more clarity in the selection process before moving to Tally. In the last ADPC, for example, we had excellent documentation, but there was no mention of the projects that applied and were rejected, or the reasons behind it. I understand this could stem from data and privacy concerns, but overall, I believe the benefits of disclosing the full selection process outweigh keeping it gated.

LobbyFi’s rationale on the price and making the voting power available for sale for this proposal

We regard this proposal as one profiting the broader community, with (potentially) 100 projects on Arbitrum to undergo a security audit. Therefore, we will obviously make the auction model available for this proposal.

Since most of the asked amount is going toward paying for audits directly, the price of the instant buy will be 2% of the “technical expert’s” compensation that is to be appointed internally ($60k * 2% ≈ 0.45 ETH).

1 Like

Some thoughts on this Arbitrum Audit Program:

  • Clarify Relationship with Existing Initiatives: The ArbitrumDAO Procurement Committee has recently completed a pilot phase of the Security Subsidy Fund, which subsidized security services for 22 projects over an 8-week period. Would be nice to see how the new Audit Program will complement or differ from this existing fund to prevent redundancy and ensure efficient resource utilization.
  • Some other concerns about potential overlaps between the proposed program and existing initiatives make sense.
  • Since the ADPC has established procurement frameworks and whitelisted security service providers, prolly makes sense to move these existing structures to streamline the implementation of the new program.

Overall, our biggest concern points are in relation to the ADPC and how the audit program can best interact between them.

1 Like