Applicant Information
- Name of Applicant & Applicant’s Representative: OpenZeppelin & Luca Cosivi
- Email Address: luca@openzeppelin.com
- Telegram Handle (if applicable): xdaluca
- LinkedIn Profile (if applicable): OpenZeppelin
- Role being applied for: Security-Oriented Member
Background Information
OpenZeppelin has been growing and securing the open economy since the very first days of the Ethereum network. Since then, it has developed OpenZeppelin Contracts, the most widely used Solidity contracts library, built a security services arm that has set industry standards, and built Defender, a developer security platform to code, audit, deploy, monitor, and operate blockchain applications with confidence.
OpenZeppelin has had the chance to offer its security services to some of the most important players in the Ethereum ecosystem, such as Compound, Aave, the Ethereum Foundation, Optimism, and Matter Labs, among others. Over the course of more than 400 audits, OpenZeppelin has developed a suite of internal tools to help teams develop and secure smart contracts.
Open source is central to the work that OpenZeppelin does, which is why the OpenZeppelin Contracts are the beating heart of the company. They are used by all of the top 20 DeFi protocols on Ethereum. The library also offers industry-standard implementations such as the Governor contract, which the Arbitrum DAO itself uses via Tally.
Despite not having held formal roles within the ArbitrumDAO, we are very eager to contribute to its growth and security through the Security member role in the ARDC. Our track record with DAOs, notably the Compound DAO, shows our ability to bring comprehensive security and governance expertise to the table. As a candidate for the Security member of the ARDC, OpenZeppelin aims to offer its extensive experience and holistic approach to security, further strengthening the ArbitrumDAO's governance framework and ecosystem resilience.
Objectives & Motivation
Joining the Arbitrum Research & Development Collective (ARDC) aligns deeply with OpenZeppelin’s core mission to enhance security and governance within the Ethereum ecosystem. Our motivation stems from a commitment to contribute our expertise to Arbitrum, Ethereum’s largest scalability layer, mirroring the impact we’ve had with foundational projects like the Compound DAO. By integrating our security and development experience, we aim to operationalize and fortify ArbitrumDAO’s security posture, leveraging our successful experiences with the Compound DAO as a blueprint for success.
Our envisioned contribution to the ARDC is multifaceted. We plan to apply our rigorous security and governance frameworks to objectively assess on-chain proposals, improve security processes, leverage and adapt our existing security tooling, and develop essential educational material to secure the DAO's governance and development process. This approach will expedite governance decision-making while ensuring that the DAO's operations are both secure and efficient. Our expertise in developing and auditing smart contracts, combined with our proactive security platform Defender, positions us uniquely to advance the ARDC's mandate of governance optimization and future-proofing the ArbitrumDAO. Through this, we aim to elevate the Arbitrum ecosystem's security standards, thereby contributing to its long-term success and resilience.
Skills and Experience
At OpenZeppelin, our unique skill set is a composite of extensive experience in on-chain proposal code reviews, static analysis, and fuzzing capabilities, honed over more than 400 security audits. Our work with the Compound DAO has solidified our proficiency in working on DAO security, by developing frameworks, internal processes and tools that significantly enhance our audit and security review processes.
We pioneered the Governor contract, setting a benchmark in DAO governance that the ArbitrumDAO uses through Tally, which underscores our understanding of governance contracts and our ability to create educational materials around them.
Our whitebox source code reviews, exemplified by our work with the Compound DAO, demonstrate our skill in verifying the correctness of on-chain upgrade proposals. For the recent OpenZeppelin Contracts 5.0 release, our team conducted 38 audit weeks over five phases, incorporating fuzzing tests, formal verification, threat modeling, and invariant testing.
Our commitment to identifying and mitigating security flaws shows in our proactive work in the ecosystems we are engaged with, such as discovering a critical Solidity compiler bug in 2018 and reporting key issues to the Compound DAO over the course of 2023, including 3 Critical and 2 High issues.
Over the years, OpenZeppelin has developed numerous tools to support our audit practice, including Defender, our comprehensive blockchain security platform. We have also tailored internal tools to ecosystem-specific needs, such as Foundry tests for Governor proposal cycles, which we can use to provide quicker, more efficient proposal reviews and make available to others in the Arbitrum community.
OpenZeppelin's understanding of DAO security is holistic: it integrates core functionality with satellite skills that, while peripheral, are indispensable for a comprehensive security picture. This includes expertise in incident response, supported by a dedicated practice, and expertise in DAO access control mechanisms through the AccessManager framework released in Contracts 5.0. These elements are vital in crafting a holistic security framework, enhancing governance, and ensuring that the infrastructure is robust against unauthorized actions.
Proposal Review & Assistance
Utilizing our existing knowledge and security experience from supporting Compound DAO and other DAO-based clients, we would take the following approach to assist and support proposal security:
- Establish a pipeline so that any smart contract upgrade or new protocol code to be included in a proposal has its source code audited prior to submission. After the audit is completed and fixes are reviewed, a public report will be shared with the community and may be included in the proposal details.
- Review every proposal submitted on-chain to confirm its correctness and that it matches the intent of the proposal text. This process will be managed by a combination of automated tooling and manual review by our team. If the proposal includes source code that has been audited, we will verify that the deployed code matches the code in scope for the audit. Any issues found will be raised to the community in the forum under the relevant topic.
- Weekly office hours will be provided to proposal authors that wish us to review their approach or receive guidance prior to submitting their proposal on-chain.
- We will develop educational guidelines and tooling to assist the community in proposal security and quality assurance. This will include guidance on common mistakes to avoid, tooling to detect known issues and a detailed quality assurance process for common proposal types that require a common set of safety checks to be applied.
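The deployed-code-matches-audited-code check from the second bullet, as an added Python example that is not OpenZeppelin's own tooling; the sample bytecodes are constructed, and fetching the deployed code (eth_getCode) and the compiled artifact is assumed to happen outside this snippet.

```python
# Added example (not OpenZeppelin's tooling): compare the runtime bytecode read
# from a deployed address with the compiled artifact of the audited source.
# Solidity appends a CBOR metadata trailer (source hash, compiler version)
# whose final two bytes give its length, so identical source may differ only
# there; it is stripped on both sides. Immutable variables are patched into the
# runtime code at deployment; such diffs fall outside the trailer and need a
# per-site check that this example does not do.
from dataclasses import dataclass


@dataclass
class CodeCheck:
    matches: bool
    reason: str


def _to_bytes(hex_code: str) -> bytes:
    return bytes.fromhex(hex_code[2:] if hex_code.startswith("0x") else hex_code)


def strip_metadata(code: bytes) -> bytes:
    """Drop the trailing CBOR metadata plus its 2-byte length, if present."""
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(code):
        return code  # no plausible trailer: leave the code untouched
    meta = code[-(meta_len + 2):-2]
    # Solidity's trailer is a CBOR map with one to three entries (0xa1..0xa3).
    if meta[0] not in (0xA1, 0xA2, 0xA3):
        return code
    return code[:-(meta_len + 2)]


def compare_runtime_code(deployed_hex: str, audited_hex: str) -> CodeCheck:
    """deployed_hex: eth_getCode result; audited_hex: artifact deployedBytecode."""
    deployed, audited = _to_bytes(deployed_hex), _to_bytes(audited_hex)
    if not deployed:
        return CodeCheck(False, "no code at address (EOA or self-destructed)")
    if deployed == audited:
        return CodeCheck(True, "exact match")
    if strip_metadata(deployed) == strip_metadata(audited):
        return CodeCheck(True, "match after stripping metadata trailer")
    return CodeCheck(False, "bytecode differs outside metadata: not the audited code")


# Constructed sample bytecode: one body with two different 9-byte CBOR trailers
# (length suffix 0x0009), plus a body whose tail was altered.
BODY = "6080604052348015600f57600080fd5b50600080fdfe"
AUDITED_RUNTIME = "0x" + BODY + "a164746573744203040009"
DEPLOYED_RUNTIME = "0x" + BODY + "a164746573744201020009"
TAMPERED_RUNTIME = "0x6080604052348015600f57600080fd5b50600160005500a164746573744201020009"
```

A "match after stripping metadata trailer" result still warrants confirming that the compiler version in the trailer is the one used for the audited build.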
Review of On-Chain Proposal Code Updates
OpenZeppelin has years of experience advising top DeFi protocols on their upgrades and governance practices. As the maintainer of the OpenZeppelin Governor contracts, our team has collaborated with a host of projects including Tally to enhance and address security challenges for DAOs.
OpenZeppelin Governor contains a host of security improvements and enhancements that build on the prior Compound Governor Bravo framework and is now in use by over a thousand on-chain communities. We have a long history with this framework as one of the original auditors of Compound Governor Alpha. We have since worked closely with the Compound Labs team to make it more accessible, extensible, and safe for third parties by releasing an improved version in 2021 as part of the OpenZeppelin Contracts library.
As the security partner for Compound DAO since December of 2021, OpenZeppelin has been active in supporting all aspects of DAO security for the Compound community including:
- Audits of protocol upgrades prior to being included in governance proposals with 24 audits performed over the last two years.
- Actively reviewing all proposals to confirm parameter changes and creating tooling to help automate the process with 140 proposals passed over the last two years.
- Reviewing specific asset listings and defining scalable processes for quality control including community contribution policies and processes for deploying Compound to new EVM chains.
- Providing a custom, real-time monitoring solution for DAO proposals and suspicious on-chain activity.
- Supporting emergency community multi-sigs during live incidents and helping to coordinate community response.
- Managing security tooling grants for the Compound Grant Program for additional third party security teams to contribute to Compound’s security.
More on the work we have completed and delivered for Compound can be found in our past forum posts in 2022 and 2023. We are proud to say that the Compound protocol has not suffered any exploits or loss of funds since our partnership began despite the protocol having grown to operate eight segregated lending markets across four different blockchain networks.
Project Management
OpenZeppelin has been refining its technical project management practice since 2016. Each security services project is accompanied by a technical project manager (PM) who supports the security team in question.
Our project management workflows are tailored to the needs of the client and project. They range from managing the development of open-source libraries such as OpenZeppelin Contracts, to providing long-term security services to the Compound DAO, to short-term audits lasting one week. We believe our strongest asset is our ability to adapt to the needs of our clients and their workflows.
Some of our achievements, reflecting our commitment to exceptional technical project management:
- Supported Matter Labs with development of audit plan and strategy for L1 and L2 contracts as part of preparation for zkSync Era go-live.
- Successful coordination of audit, advisory, monitoring, development and governance work on Compound.
- Development of a joint audit plan for Contracts 5.0 release that covered close to 100 contracts and was divided over 5 separate phases.
Technical project managers are part of the project from start to finish. They act as the point of contact for all security services related topics and provide regular updates on the project's progress. Additionally, our PMs can draw on and learn from a wide range of teams in our company, such as the open-source development teams working on OpenZeppelin Contracts. Finally, the dedicated project management office (PMO) handles all scheduling and provides the information, tools, and resources our teams need to successfully complete every engagement.
Purpose/Mandate of the ARDC
OpenZeppelin’s application to become a security member of the Arbitrum Research & Development Collective (ARDC) is underpinned by our profound commitment to enhancing the security and resilience of the Arbitrum ecosystem. Recognizing the ARDC’s mandate to optimize governance and future-proof the ArbitrumDAO through research, risk assessment, secure code reviews, threat modeling, and testing enhancements, we present our application centered on our expertise in blockchain security and more specifically past experience in servicing large DAOs.
Our contribution towards achieving the ARDC’s mandate will be multifaceted, focusing primarily on elevating the security posture of the Arbitrum ecosystem. This will be achieved by bringing our extensive experience in security audits, our domain expertise in serving the Compound DAO and our holistic approach to blockchain security.
Additional Contributions
We are an active contributor to many Ethereum community public goods and security initiatives including the following:
- OpenZeppelin Contracts Library
- Ethernaut CTF
- Authoring/co-authoring more than 10 EIPs including ERC-1967 for upgradeable proxies
- Community security initiatives such as SEAL 911 and Chaos preparation drills
- EthTrust smart contract security standards
As an active, leading member of the Ethereum security community that regularly contributes to public goods, we are well positioned to contribute to the Arbitrum community by supporting the education of safe smart contract development practices and developing security standards specific to ARDC’s needs.
Scope of Services & Applicable Fees
OpenZeppelin proposes offering 30 security engineering weeks over the 6-month period at a cost of $25k per engineer per week, for a total of $750,000. OpenZeppelin will aim to use 6 security engineering weeks per month, although this may fluctuate depending on the ARDC's needs.
The services that are in scope for this proposal are:
- Reviewing ALL governance proposals made to Arbitrum Core and Arbitrum Treasury.
  - These reviews will include confirming that the proposal code matches the intent of the proposal text and contains no backdoors or misconfigurations.
  - If the proposal includes new code or a smart contract upgrade, we will also determine whether it matches the source code in scope for the audit report. If the code has not already been audited by a trusted vendor of the ARDC, a full audit of the source code must be scheduled with our team separately ahead of time.
  - Any security issues detected will be announced to the community within 3 business days of the proposal submission date.
  - There will be no limit on the number of proposals that OpenZeppelin will review in this manner over the course of the 6-month period, even if the allocated time of 30 engineering weeks is exceeded.
- Auditing the source code for smart contract upgrades and new deployments that are planned to go through governance.
  - These audits must be requested and scheduled with our team ahead of being proposed on-chain. We will provide a public form and pipeline for teams to request an audit.
  - If there are not enough security engineering weeks available to audit all requested proposal changes, OpenZeppelin will work with the Arbitrum coalition to determine the most appropriate priorities.
- Advising on community usage of security tooling for static analysis, fuzzing, invariant testing, and other methodologies. Our team may also develop custom testing suites for community-specific needs or as components of specific audits we perform.
  - We will also publicize and make available any tooling we develop internally for use in our proposal reviews, so that proposal authors can simulate their proposals ahead of time to confirm correctness.
- Providing educational materials, guidelines, and a quality assurance process for Arbitrum proposals and upgrades. We will also offer weekly office hours to discuss with proposal authors and provide resources for them to prepare safe proposals.
Summary
OpenZeppelin, leveraging its role in Ethereum’s security landscape, aims to extend its comprehensive expertise to the Arbitrum Research & Development Collective (ARDC) by becoming its Security member. Highlighted by our impactful collaboration with the Compound DAO, we’re poised to contribute significantly to the ArbitrumDAO, focusing on enhancing governance and ecosystem security. Our proposed involvement includes conducting rigorous on-chain proposal code reviews, leveraging advanced security tools, and creating educational materials to support the ARDC’s objectives. This commitment underscores our dedication to strengthening the ArbitrumDAO’s governance framework and ensuring its resilience against security threats.
Feel free to attach any relevant documents, portfolios, or links to previous work or contributions.
- OpenZeppelin Governor Maintenance & Support
- Past work for the Compound DAO as part of our security partnership
- Published OpenZeppelin Security audits.