Applicant Information
Name of Applicant: Halborn
Applicant’s Representative: Rob Behnke
Email Address: dao@halborn.com
Telegram Handle (if applicable): @robbehnke
LinkedIn Profile (if applicable): Halborn | LinkedIn
Role being applied for: Security-Oriented Member
Background Information
Halborn is an award-winning, elite cybersecurity company for blockchain organizations founded in 2019 by renowned ethical hacker Steven Walbroehl and growth hacker Rob Behnke. We’ve been trusted by organizations such as Uniswap, zkSync, Circle, Solana, Dapper Labs, Polygon, Animoca Brands, and many more.
Halborn personnel have audited hundreds of projects across multiple ecosystems and across numerous chains. With an extremely deep pool of talent, we go well beyond just smart contract audits, offering a full suite of security advisory and assurance services encompassing architecture & design, security roadmapping, advanced penetration testing, cloud & infrastructure assessments, awareness training, code audits, standards and policies recommendations, and much more.
Last year (March 2023), Halborn discovered a 9.8 criticality 0day vulnerability affecting Dogecoin, Litecoin, Zcash, and an additional 280 networks at an estimated exposure cost of $25 billion USD. Additionally, Halborn personnel received the largest bug bounty in Metamask’s history for a key vulnerability finding in June 2022.
We’ve done extensive work with some of the leading on-chain protocols and have had numerous high impact findings. In addition, we’re deeply familiar with the Arbitrum ecosystem due to our work with several key Arbitrum protocols/projects, summarized below.
Key Arbitrum Protocol Engagements
- QodaFi
- Discovered two Critical level risks related to smart contract functions around quote creation and interaction with the quote manager. Identified an additional 12 Medium/Low risk findings related to smart contract functionality.
- Gains
- Discovered a Critical level risk related to front running of a bridge within smart contracts. Identified an additional three Medium/Low risk findings related to oracle fee payments.
- Lodestar
- Discovered six Critical level risks and eight High level risks across both the smart contract code base and the web2 infrastructure and API. Halborn also identified 15 Medium level risks across client infrastructure.
- PlutusDAO, Foxify
- Extensive engagements with other relevant protocols but due to confidentiality will not be publishing findings.
- Chromatic, Isekai, Seneca, Goldlink
- Recently kicked off engagements
A more comprehensive list of public reports can be found at our GitHub: HalbornSecurity (Halborn) · GitHub
As the dedicated security specialist of the ARDC, we will offer a comprehensive set of best in class security solutions for Arbitrum throughout all stages of the governance lifecycle, designed to safeguard, enhance, and future-proof the DAO. Our team’s extensive experience enables us to offer comprehensive service and advisory across all key security needs for the ARDC: secure code reviews, proposal evaluations, threat modeling, and ongoing security research and education. Beyond individual expertise, we leverage the collective knowledge of our diverse team of security professionals, providing well-rounded recommendations, informed insights, and collaborative dialogue.
Our smart contract auditing methodology combines a range of techniques including, but not limited to:
- Manual review
- Fuzzing
- Symbolic execution
- Logical and business rule analysis
Our off-chain assessment methodology includes:
- Mapping content and functionality
- Configuration and deployment
- Identity management and authentication/authorization flaws
- Session handling
- Business logic flaws
- Fuzzing of all input parameters
- Rate limitation tests
- Brute force attempts
- Multiple types of injection (SQL/JSON/HTML/Command)
- Client-side testing
Halborn has conducted around 1,730 security assessments with a success rate of 99.9%. We have extensive experience in not only smart contract audit/assessment, but also in off-chain analysis covering cloud infrastructure, web applications, servers, and mobile applications.
To facilitate governance decision making, Halborn will analyze new proposals, leveraging our deep skillset and tooling to help identify potential risks and provide recommendations for risk reduction measures. Halborn will assign a dedicated Arbitrum point of contact whose responsibility will be coordinating the analysis and communication on all Arbitrum proposals.
In terms of research, Halborn also aims to improve the education level of the ecosystem and expand community knowledge by providing research on relevant topics. Some of our more recent research includes the Top 50 DeFi Hacks report, in which we analyze the top 50 hacks (by loss value) through 2023 in order to provide a comprehensive summary of key findings, such as potential attack vectors, as well as recommendations to improve a project’s security; and the ChatGPT report, in which we analyze the potential use of the AI in relation to blockchain and security, such as its ability to detect common vulnerabilities or solve CTFs. Finally, we would also like to mention our regular blog posts, in which we share analysis and explanations of some of the most recent relevant DeFi hacks as well as tips to improve security.
Objectives & Motivation
Arbitrum’s extraordinary journey to becoming a cornerstone of decentralization is a testament to its unwavering commitment to innovation. As pioneers in this dynamic landscape, we acknowledge the impressive strides Arbitrum has taken. However, with growth comes increased responsibility, especially in the realm of security.
According to our research, the top 50 hacks from 2016 to 2022 caused over $5.5B in losses, with the number and magnitude of attacks consistently trending higher. More concerning, attacks were not limited to just one type - contract exploits, private key leakage, governance attacks, price manipulation, and rug pulls were all major contributors.
This stark reality underscores the need for comprehensive and ongoing security measures encompassing all these attack vectors. Only by addressing vulnerabilities across the board can we build truly robust and resilient systems.
We believe our expertise and long operating history in the space uniquely position us to be one of the only organizations that can effectively cover all of these areas to help reinforce Arbitrum’s security. Our continuous security advisory and assurance service is a holistic solution that can help Arbitrum and its stakeholders stay aware of, and proactive against, this wide range of threats, as well as providing education and advice to the entire ecosystem.
As part of our ongoing security advisory and assurance service, Halborn will conduct security-focused reviews of forum proposals and discussions. We will leverage our expertise and experience to help identify risks and provide recommendations for risk mitigation. We can develop technical assessments designed to reveal potential vulnerabilities within new proposals (utilizing tools such as Foundry, Hardhat, or Brownie for fork simulation), and offer specific recommendations for improvement.
Halborn will assign a dedicated point of contact to facilitate risk assessments and communicate results and recommendations back to the DAO, as well as to gather questions and inquiries from stakeholders.
Our approach of analyzing proposals and then recommending remedies can help achieve a few things:
- Identify and highlight potential security risks within proposals.
- Help influence and implement change to proposals to strengthen them from a security and governance perspective.
- Elevate broader awareness and education among Arbitrum stakeholders.
By achieving these goals, we can help optimize Arbitrum’s governance process, protect the broader ecosystem, and contribute to the DAO’s long-term success.
Skills and Experience
Halborn has audited hundreds of projects across multiple ecosystems and chains. We have extensive experience in not only smart contract audit/assessment, but also in off-chain analysis covering cloud infrastructure, web applications, servers, and mobile applications.
We form strong, long-term partnerships in order to provide comprehensive and ongoing security services. With our continuous security advisory and assurance offering we act as a key partner to continuously assess our partners’ most vital assets. This includes security architecture assessment, code audits, custom red team engagements, web/cloud/API pen-testing, continuous smart contract auditing, and protocol security assessments.
Halborn has also served as a key ongoing security partner for another popular ecosystem, Solana. We mention this to highlight not only the breadth of our expertise, but also to call out our commitment to establishing strong and successful relationships with leading blockchains operating in the space today. Following are a few of our achievements as part of our ongoing security partnership with Solana:
- Address Lookup Table and Versioned Transactions
- Address Lookup Tables allow developers to create a collection of related addresses to efficiently load more addresses in a single transaction. To use them, the Versioned Transaction format was introduced. These components form part of the Solana core.
- Durable Nonce Patch
- Solana Foundation engaged Halborn to conduct a security audit on their pull requests, patching the Durable Nonce runtime bug. This component is part of the Solana Layer 1.
- ELF parser
- Solana Foundation implemented a new dependency-less ELF parser, which replaces the previously used goblin crate, and asked Halborn to perform an audit of this component.
- Solana runtime
- Halborn audited several components of the Solana runtime across various iterations and corrections. These include Sealevel, Gulf Stream, and the Gossip Service. Through this process we discovered one Medium risk that allowed some built-in programs to not consume compute units, one Low risk in which transaction prioritization was not enforced, alongside several Informational findings.
Proposal Review & Assistance
Halborn personnel will provide proposal reviews and assistance with a focus on identification of any potential risk conditions that may exist. Halborn’s dedicated Arbitrum Project Manager will triage proposals, enlist the appropriate Halborn personnel, provide status updates and communication, and field requests and questions from the DAO and community. Halborn personnel will communicate with proposal submitters or other stakeholders in their preferred communication channel (Telegram, Slack, Email, etc.). Halborn will provide suggestions and recommendations for enhancements, along with detailed reports pertaining to the security review of submitted proposals. The Arbitrum Project Manager will ensure communication with the broader community on the Arbitrum Forums as needed.
Review on Chain Proposal Code Updates
At Halborn, we have a rigorous process for evaluating security risks in on-chain proposals. We monitor for new on-chain proposals. Once we identify one, we create a replica of the network (a “fork”) and execute the proposal within it, closely monitoring its behavior and observing the results. Next, we scrutinize all addresses involved in the execution, verifying that they are not potentially harmful elements such as upgradeable proxies, precomputed addresses, or metamorphic contracts.
In a nutshell:
- Continuous Malicious Proposal Review → check the Snapshot page continuously
- Proposal Simulation Through Fork
- Proposal Security Review (Solidity / Golang)
Results and recommendations are communicated to the relevant stakeholders, and Halborn can also provide education and dialogue with the broader community to promote ongoing security awareness and improvement.
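The address-scrutiny step above, as an added example (not Halborn’s or Arbitrum’s tooling): a small Python triage that walks each proposal target’s runtime bytecode and reads its EIP-1967 implementation slot. The addresses, bytecode and storage values are constructed inline; a real review would fetch them from the fork.

```python
# Added example: static triage of contracts touched by a proposal. Inputs are
# constructed inline; a real run would pull code/storage from the fork.
from dataclasses import dataclass, field

# EVM opcode values from the Yellow Paper
SELFDESTRUCT, DELEGATECALL, CREATE2 = 0xFF, 0xF4, 0xF5
PUSH1, PUSH32 = 0x60, 0x7F
# EIP-1967 logic-contract slot: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
EMPTY_WORD = "0x" + "00" * 32


def opcodes(code: bytes):
    """Yield (offset, opcode), skipping PUSHn immediates so that a literal
    0xff inside push data is not mistaken for SELFDESTRUCT."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        yield pc, op
        pc += 1
        if PUSH1 <= op <= PUSH32:
            pc += op - PUSH1 + 1  # PUSH1 carries 1 byte, PUSH32 carries 32


@dataclass
class Finding:
    address: str
    reasons: list = field(default_factory=list)


def review_target(address: str, code: bytes, storage: dict) -> Finding:
    """Flag traits that make a target's behaviour at execution time unverifiable."""
    f = Finding(address)
    if not code:
        f.reasons.append("no code yet: precomputed address, contents unknown at vote time")
        return f
    ops = {op for _, op in opcodes(code)}
    if SELFDESTRUCT in ops:
        f.reasons.append("SELFDESTRUCT: code can be removed and redeployed (metamorphic)")
    if DELEGATECALL in ops:
        f.reasons.append("DELEGATECALL: logic lives in another contract")
    if CREATE2 in ops:
        f.reasons.append("CREATE2: can deploy to precomputed addresses")
    impl = storage.get(EIP1967_IMPL_SLOT, EMPTY_WORD)
    if impl != EMPTY_WORD:
        f.reasons.append(f"EIP-1967 proxy: implementation 0x{impl[-40:]} can be swapped")
    return f


# Constructed sample targets (bytecode + storage as a fork query would return)
SAMPLES = {
    # PUSH1 0xff ... RETURN: the 0xff is push data, not SELFDESTRUCT
    "0xBENIGN": (bytes.fromhex("60ff60005260206000f3"), {}),
    # EIP-1167 minimal proxy runtime (zero target) plus an EIP-1967 slot set
    "0xPROXY": (bytes.fromhex("363d3d373d3d3d363d73") + bytes(20)
                + bytes.fromhex("5af43d82803e903d91602b57fd5bf3"),
                {EIP1967_IMPL_SLOT: "0x" + "00" * 12 + "ab" * 20}),
    "0xMETAMORPHIC": (bytes.fromhex("33ff"), {}),  # CALLER SELFDESTRUCT
    "0xPRECOMPUTED": (b"", {}),
}


def review_all(samples=SAMPLES) -> dict:
    """Map each sample address to its list of reasons (empty means clean)."""
    return {a: review_target(a, c, s).reasons for a, (c, s) in samples.items()}


if __name__ == "__main__":
    for addr, reasons in review_all().items():
        print(addr, "OK" if not reasons else "; ".join(reasons))
```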
Project Management
Halborn employs a team of dedicated project and program management specialists who are highly experienced through all phases of the project lifecycle. Since 2020, Halborn has grown and developed the capabilities of its Project Management Office to improve efficient operations of client projects, internal projects, and both internal and external programs. The deep expertise of the team is documented in an internal wiki to improve collaborative synergy across the organization.
Each Halborn client is assigned a dedicated Project Manager to serve as their primary point of contact for any needs during the length of the engagement. A breakdown of our well-established project management workflow can be found below:
We have a 3-pass quality assurance process on all reports and findings, with an initial QA, second QA by our Engineering Director, and a third QA by our VP of Engineering.
For examples of successful long-term project management, we’d point again to the Solana partnership referenced above. As Solana’s key security partner we provide continuous and ongoing security advisory and assurance services, balancing a variety of distinct projects covering multiple facets of their security.
Purpose/Mandate of the ARDC
We believe our ongoing contributions will directly support the ARDC’s mandate. By continually analyzing, evaluating, and suggesting risk mitigation strategies, we offer the DAO a constant security lens for both proposals and ongoing discussions. Our expertise in both smart contract auditing and broader security assessments helps safeguard the DAO against both known and emerging threats, contributing significantly to its long-term resilience.
By actively participating in both forum discussions and proposal reviews, we can significantly elevate security awareness within the community. This deeper understanding will lead to more rigorous debates and ultimately, more robust proposals that better serve the DAO’s interests.
Our ability to perform smart contract audits, infrastructure security assessments, and a host of other security advisory and assurance services as-needed will also directly contribute to stronger security at the protocol and ecosystem level.
Additional Contributions
Halborn has a strong track record of innovation, with a goal of improving the security of the web3 ecosystem. To achieve that end, we have developed tools like Ziion, the first open-source, end-to-end, pre-compiled, multi-architecture, multi-protocol blockchain security testing and development solution; and products like Seraph, the first blockchain notary, which aims to increase security by stopping malicious transactions.
At Halborn we also aim to improve the current state of the art of the ecosystem and spread knowledge by researching different topics of interest. Some of our more recent research includes the Top 50 DeFi Hacks report, in which we analyze the top 50 hacks (by loss value) through 2023 in order to provide a comprehensive summary of key findings, such as potential attack vectors, as well as recommendations to improve a project’s security; and the ChatGPT report (ChatGPT Vulnerability Detection Report), in which we analyze the potential use of the AI in relation to blockchain and security, such as its ability to detect common vulnerabilities or solve CTFs. Finally, we would also like to mention our regular blog posts (Blockchain Security Insights and Hacks Explained | Halborn Blog), in which we share analysis and explanations of some of the most recent relevant DeFi hacks as well as tips to improve security.
Scope of Services
Halborn will provide an end-to-end security solution, acting as Arbitrum’s full stack security partner. We offer a comprehensive solution, providing a deep roster of security and cryptography experts supported by a robust group of project managers and technical teams to provide ongoing advisory and assurance across the full range of security needs. Our scope of work includes two components:
1. Continuous Security Assurance - Halborn will provide advisory, insights, recommendations, and dialogue on an ongoing basis. We will assist Arbitrum and ecosystem participants by reviewing all governance proposals, developing and implementing a security strategy, identifying risks, and providing recommendations for risk reduction measures. Halborn will answer questions from the community, proposal authors, or other stakeholders as needed. We’ll also provide research and general education to the Arbitrum ecosystem.
2. Discrete Workstream Services - Halborn will provide up to 2 project-based workstream services per month. These can include:
- Smart Contract Security Audit
- Layer 1 / Layer 2 blockchain Audit
- Web Application Security Test
- Mobile Application Security Test
- Advanced Penetration Testing
- Vulnerability Assessment
- Security Architecture & Risk Assessment
Our proposed fee for these services is $500,000 USD per six-month Term, payable in ARB. Halborn commits to providing a maximum of 4 engineering work weeks per month dedicated exclusively to each of the two workstreams. This brings the cost to $20,833 per engineer week. We also commit 1 part-time Technical Project Manager to handle all communications, assignments and escalations. This budget is roughly equivalent to a maximum of 36% of the total Security member allocation of 665,000, based on today’s ARB price.
- Halborn will invoice the DAO for work performed in connection with the Deliverables for the preceding month for up to $83,333 USD worth of ARB (based on the prior 30-day TWAP from coingecko.com). If, in any individual month, the DAO does not utilize the full security engineer time allocation, that month’s invoice will be pro-rated to reflect the lower amount of resources utilized.
- In order to further align incentives, all ARB Tokens received in connection with this Agreement will be locked and staked for one (1) year from the date of service delivery. Halborn agrees not to trade, sell, or otherwise move, transfer or dispose of any ARB Tokens received in connection with this Agreement for at least one (1) year after receipt of the ARB Tokens.
The DAO shall deliver payment associated with each invoice within a reasonable time after receipt of such invoice, provided that the Deliverables associated with such invoice have been delivered in a satisfactory manner, as determined by the DAO.
Summary
Halborn is an award-winning, elite cybersecurity company for blockchain organizations founded in 2019 by renowned ethical hacker Steven Walbroehl and growth hacker Rob Behnke. We’ve been trusted by organizations such as Uniswap, Matter Labs, Circle, Solana, Dapper Labs, Polygon, Animoca Brands, and many more.
Halborn’s differentiated approach to security goes beyond discrete one-off engagements – we leverage our deep bench of security talent to act as a continuous and ongoing security partner for the entire Arbitrum ecosystem. This includes ongoing advisory and assurance services, as well as a menu of distinct project-based workstreams that can be utilized as needed. This combined approach of ongoing advisory + security workstream engagements provides comprehensive coverage and allows us to act as a true partner to Arbitrum, enabling us to significantly enhance, safeguard, and future-proof the DAO.
Key Differentiators
- Holistic Security: We go beyond code audits with a holistic approach, offering continuous security advisory and assurance services.
- Strong Incentive Alignment: Halborn commits to aligning our incentives with Arbitrum by locking and staking all ARB tokens received for at least one (1) year.
- Real-World Impact: Discovered critical vulnerabilities in Dogecoin and received the largest bug bounty in MetaMask’s history, demonstrating our vigilance and industry leadership.
- Proven Methodology: Combines manual code review, fuzzing, symbolic execution, and threat modeling for maximum effect.
- Extensive Arbitrum Experience: Directly engaged with leading Arbitrum protocols, delivering insights and tangible security improvements.
- Track Record as Key Ecosystem Partner: We have a strong track record in similar engagements, evidenced by our long-standing position as Solana’s key continuous security partner.
Summary for ARDC
- Dedicated Arbitrum Security Expert: Deliver tailored, expert guidance to safeguard the DAO.
- Proposal Risk Assessment: Rigorous security analysis of all proposals to optimize decision-making.
- Security Research & Education: Proactive research on threats, and educational materials to bolster community understanding.
- Flexible Services: Up to 2 project-based services per month (audits, testing, assessments) in addition to continuous advisory and assurance services to respond to the DAO’s evolving needs.