Attaching here the slide deck of what was discussed Wednesday the 7th, during the public DAO call.
Hey @JoJo since when has @Erezedor been working as a domain allocator for the Dev Tooling domain?
He applied as a domain allocator for the Gaming domain here and didn't win that election, and @Juandi was the one that applied, alone, to the Dev Tooling domain, and won that election.
So why is Erezedor acting as a Domain Allocator and is the one that has been posting the reviews and comments?
When did this happen?
GM Paulo!
After the election went through, Erezedor was hired by Juandi to work with him, on both the DA program and in other projects he is running, helping on the technical due diligence. Erezedor has been working in the Dev Tooling domain alongside Juandi basically since the beginning of the program.
Him being part of the team was mentioned several times already; it is not a secret. This is for example the deck of the first quarterly call of June 2025, in which he is listed as part of the team.
The tenth monthly report is live on our website!
TLDR:
- referencing period: 2nd of January 2026 - 1st of February 2026
- more than 1000 proposals since inception of the program! Specifically, 1063 proposals in total, of which 147 were approved and 41 were completed
- Most of the submissions of this period are related to DeFi, Dev Toolings and Consumer App, showing how the active BD effort has been positively steering inbound applications toward the most important vertical of the ecosystem
The eleventh monthly report is live on our website!
TLDR:
- Referencing period: 2nd of February 2026 - 1st of March 2026
- We have reached 1204 proposals submitted, with 168 approved and 45 completed
- We are in the last few weeks before wrapping up the active phase of the program
- We are working toward an impact report, that we plan to publish in the next few weeks
- We are actively discussing with the OAT a possible continuation of the program under the OpCo
Hi, I hope this type of post is okay here. I submitted a Dev Tooling proposal on March 9th for the PACT Protocol (an agent-to-agent escrow and payment system on Arbitrum) and haven't heard anything back yet. Just want to make sure it didn't get lost in the shuffle, especially with the program winding down.
I understand @Juandi and @Erezedor are my guys! The contracts are already deployed and working on Arbitrum One, so happy to answer any questions or provide additional info if needed. Proposal ID is 69af2c2216f9336e4ad2b69f.
Thanks!
Hey!
We are still evaluating the backlog from other proposals. I've seen your proposal on Questbook and either Erezedor or I will take a look into it once we free up our queue.
Best,
Thank you for the update! Please reach out if you need anything
The active phase of the program is now complete
As originally planned, submissions are now officially closed. Over the past year, we received more than 1,200 applications, an outstanding result that reflects the strength and commitment of the Arbitrum community.
Over the coming weeks, the team will finalize the remaining reviews and ensure that any outstanding proposals are properly assessed.
What happens next
- Transition to low-capacity mode
In line with the Tally proposal, the DAs will now focus on reviewing and disbursing milestones for approved projects, as well as supporting grantees with final reports and interviews.
- Reporting and impact assessment
The PM will continue producing reports. Following the next monthly update, the DAO can expect a comprehensive Impact Report summarizing the program's achievements to date.
Over the next six months, reporting cadence and structure may evolve, reflecting the program's shift away from application flow tracking toward broader accounting and result analysis.
- Coordination with the Arbitrum Foundation
We are working closely with the AF to amplify the program's outcomes and leverage the broader network. This includes sharing information about new Foundation-led initiatives with our grantees and identifying high-potential projects that may benefit from continued support.
- Reconcile expenses
We are working with the AF to review and reconcile operational expenses incurred over the past year, and projected for the next six months, that were not explicitly included in the original proposal but became necessary to support the program. These costs, primarily related to infrastructure, will be drawn from the unused part of the OpEx budget.
Further news on the future of the program will be shared at the end of the month, alongside the final monthly report of the active phase.
[Post Mortem] Security Incident | 13 March 2026
On 11 March 2026, a fraudulent grant application ("Ethereum MCP Dashboard") was submitted to the Dev Tooling domain by an unknown party. On 13 March, that application was in the Dev Tooling Domain Allocator's Questbook account, and two Safe transactions were proposed to transfer $35,000 USDC to the attacker's wallet.
No funds were disbursed. The incident was caught the same day, after a couple of hours, through our standard milestone review process: the DAs did not recognise the proposal, escalated to the PM, and the second Safe signer cancelled both transactions before any disbursement occurred.
What we think happened
We worked through the following scenarios:
- Private key leak: unlikely as the sole explanation. Two separate keys were involved (the Questbook in-app wallet key and the Safe signer key), and both would have needed to be compromised independently.
- Questbook frontend bug / API issue: on the day of the incident, one of the DAs was actively queuing milestones for a different, legitimate proposal. This mirrors a pattern seen in previous seasons where Questbook's frontend has misdirected milestone entries to the wrong proposal. Notably, no transaction notifications were received that day, which is not normal; any transaction through Safe or Questbook ordinarily triggers one. This scenario would mean that both the approval and the transactions were misdirected by a platform-level issue rather than by an external attacker. This remains under investigation with Questbook.
- Compromised machine: a compromised machine could explain how both keys were accessed. However, the DAs runs a fully isolated environment on this domain, and if the machine had been exploited, other wallets on the same provider would have been affected (and they weren't). The machine was fully investigated and sanitised, with no conclusive evidence of compromise found.
What we did
- DA's machine wiped and sanitised
- DA's Questbook workspace account revoked and rotated
- DA's Safe signer wallet rotated on the Dev Tooling Safe: owner removed, new owner added
- Education SAFE key rotation completed (Dev Tooling DAs are backup signers there): owner removed, new owner added
- OpEx Safe key rotation: owner removed, new owner added
Questbook have also shipped several platform fixes off the back of this: review checks before payout are now enforced, KYC and contract completion are strictly required before disbursement, a duplicate approval bug was fixed, and GraphQL introspection has been disabled in production. As explained in more detail in the attached report, these technical fixes will break the pattern exploited to allow the attack.
What stopped the funds from moving
The manual milestone review process. When milestones are queued, an internal bot notifies the DAs, who verify each one against the proposal. The PM then independently checks the amount and destination address. No automation would have caught this: it required a human recognising that the proposal itself was not one they had approved.
Happy to answer questions. Full post mortem available here
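The two checks described under "What stopped the funds from moving" (is this a proposal the DAs approved, and do the amount and destination match it), sketched as a reconciliation script a reviewer could run over queued payouts. This is an added example, not code from the program, Questbook or Safe; the registry layout, proposal IDs, addresses and token contract are constructed placeholders, and the registry is assumed to be kept by the reviewers outside the grant platform.

```python
# Added example: constructed data and a hypothetical registry layout.
TRANSFER_SELECTOR = "a9059cbb"  # ERC-20 transfer(address,uint256)
USDC = 10**6                     # USDC uses 6 decimals
TOKEN = "0x" + "cc" * 20         # placeholder token contract address
PAYEE, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20  # constructed addresses

def encode_transfer(to, units):
    """Build transfer() calldata (used only to construct the sample queue)."""
    return "0x" + TRANSFER_SELECTOR + to[2:].lower().rjust(64, "0") + f"{units:064x}"

def decode_transfer(data):
    """Return (recipient, raw token units) from ERC-20 transfer calldata."""
    body = data[2:].lower() if data.startswith("0x") else data.lower()
    if len(body) != 136 or body[:8] != TRANSFER_SELECTOR or int(body[8:32], 16):
        raise ValueError("calldata is not a plain ERC-20 transfer")
    return "0x" + body[32:72], int(body[72:], 16)

def review(queue, registry, token=TOKEN):
    """Return (proposal_id, reason) for every queued payout that fails a check."""
    findings = []
    for tx in queue:
        pid, entry = tx["proposal_id"], registry.get(tx["proposal_id"])
        if entry is None:  # the case in the incident: nobody approved this proposal
            findings.append((pid, "proposal not in approved registry"))
            continue
        if tx["to"].lower() != token.lower():
            findings.append((pid, "unexpected token contract"))
            continue
        try:
            payee, units = decode_transfer(tx["data"])
        except ValueError as exc:
            findings.append((pid, str(exc)))
            continue
        if payee != entry["payee"].lower():
            findings.append((pid, "destination differs from registered payee"))
        if units > entry["remaining"]:
            findings.append((pid, "amount exceeds remaining approved budget"))
    return findings

# Registry the reviewers keep themselves, independent of the platform's own state.
REGISTRY = {"prop-A": {"payee": PAYEE, "remaining": 10_000 * USDC}}
QUEUE = [  # constructed queued payouts
    {"proposal_id": "prop-A", "to": TOKEN, "data": encode_transfer(PAYEE, 5_000 * USDC)},
    {"proposal_id": "prop-X", "to": TOKEN, "data": encode_transfer(OTHER, 17_500 * USDC)},
    {"proposal_id": "prop-A", "to": TOKEN, "data": encode_transfer(OTHER, 2_500 * USDC)},
]
if __name__ == "__main__":
    for pid, reason in review(QUEUE, REGISTRY):
        print(f"HOLD {pid}: {reason}")
```

Decoding the calldata means the reviewer compares the recipient and amount the transaction would actually execute, not the label attached to it in a user interface.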
The first bimonthly report of the low capacity phase is live on our website!
TLDR:
- Referencing period: 2nd of March 2026 - 1st of April 2026 (2 months)
- This is the first report of the "low capacity phase", a phase lasting until September in which we just review the milestones of the approved projects and support the builders
- We have reached 1262 proposals submitted, with 190 approved and 60 completed
- Total capital allocated: $5.3M out of $6.75M (78%)
- Total disbursed so far: $2.6M (50%)
Thanks for sharing this update and the transparency around the incident and program metrics. The overall numbers on proposals, approvals, completions and capital allocation are very helpful.
For future reports, it would be great to add a bit more structure for governance:
- Basic impact data per domain (Infra, Tooling, DeFi, etc.) and simple KPIs per grant, so tokenholders can see outcomes, not just counts.
- A funnel view (submitted → approved → funded → completed) and domain-wise approval rates to understand capital efficiency.
- A public grant registry (grantee, amount, domain, status) so the community can drill down beyond aggregates.
- A concise risk register and short incident timeline to make the security post-mortem easier to interpret for non-technical delegates.
These additions would make an already strong reporting effort even more useful for delegates and future funding discussion… @JoJo
Arbitrum D.A.O. Grant Program S3 Impact Report
Hello delegates,
we are here to present the Impact Report for Season 3 of the D.A.O. Grant Program!
S3 has so far run for twelve months across five domains in the active phase, and further 3 months out of 6 planned for the low capacity phase. Of 1,262 applications, 190 were approved for $5.26M in total allocations. We've disbursed $2.69M, closed 61 projects with final reports published in the forum, and kept OpEx at around 13% of grantee capital across the full 18-month program.
While we are proud of these numbers, it is interesting to analyse what has got built so far.
Education domain brought Arbitrum into regulator rooms in Argentina and Brazil that the DAO couldn't have accessed alone.
The Developer Tooling domain, without any central coordination, assembled a full open-source Stylus developer experience from independent grant applications.
In the Orbit domain, we have seen real experiments and testing of IoT devices and local businesses in Kansas going on-chain.
In the NPAI, Maldo launched a live services marketplace in Uruguay with 1,000 providers running on Arbitrum mainnet.
The report is not about the usual categorization of proposals or graphs that we see in the monthly reporting, but tries to analyse and quantify the impact achieved so far through both the lens of Arbitrum as an ecosystem, and the Customer Acquisition Cost for each proposal.
Generally speaking, we think the program did exactly what it was designed to do in 2024.
But the chain has moved.
Robinhood Chain, BlackRock, Franklin Templeton, the ATM initiative itself, tell us how Arbitrum is now an institutional chain, and the current program mandate wasn't built for that. The program is succeeding at the job it was given; just, the job needs to evolve, and any future season should be designed with that in mind from the start.





