Arbitrum Research & Development Collective: Elections & Applications

Applicant Information

Background Information

Cyfrin

Cyfrin is home to some of the best smart contract security researchers in the market and one of the strongest Developer Relations teams in the industry. Its professionals come from backgrounds at Chainlink, Compound, Alchemy, Aragon, WorldCoin, Microsoft, Google, and other popular FinTech companies.

Patrick Collins

Cyfrin’s CEO and former Lead of Chainlink DevRel, Patrick, revolutionized the industry by onboarding hundreds of thousands of developers into web3, with over 3 million views on his courses and ~160,000 subscribers across platforms.

He has the most highly viewed educational content for Solidity developers worldwide, reaching millions of students across both Web2 and Web3. His previous educational content contributed to the Chainlink oracle network growth, significantly bolstering its prominence within Web3 and ultimately establishing it as the industry standard.

Through Cyfrin Updraft, Cyfrin’s educational platform, he directs his courses toward the Arbitrum ecosystem by building all of the courses on Arbitrum and encouraging hundreds of thousands of developers to do the same. There are currently over 100,000 students enrolled in this program, and we have helped a host of those students get top jobs in Web3.

Hans Friese

Cyfrin’s Head Auditor and Co-founder, Hans, is one of the world’s top auditors, consistently ranking at the top within competitive auditor leaderboards. He has found medium and high risks on some of the most prominent protocols in Web3, including Ondo Finance, Olympus DAO, Frax, Blur, and many more. He is also the founder and Lead Engineer of Solodit, the most used vulnerability aggregator tool for auditors. It serves as a repository for audit reports, aiming to enhance transparency and trust in the web3 ecosystem by providing an easier way for users to find and review security assessments of blockchain projects.

This consolidation allows developers, investors, and users to easily review the security assessments of different protocols, allowing a more informed and secure space. Solodit is vital in promoting best practices and trust in the rapidly evolving blockchain space by simplifying access to these reports. This initiative reflects Hans’ commitment to improving security by making vital information available to the community.

Alex Roan

Cyfrin’s CTO, Alex, is a veteran Web3 developer whose work has contributed to securing billions of dollars in value in DeFi.

He was in the early cohort of hires at Chainlink Labs and was instrumental in early Price Feed integrations with Web3 powerhouses such as Compound Finance. From there, he became the engineering lead on the Cross-Chain Interoperability Protocol (CCIP) project. This solution is utilized today by 94 Arbitrum protocols and 120 on Ethereum, including GMX, AAVE, Sushi, Beefy, Rocketpool, and WooFi.

Alex has also been a key contributor to some of the top protocols in the Arbitrum Ecosystem including GMX, where he developed the integration of High Frequency Price Automation for Chainlink Keeper Data Streams. Alex also worked on Chainlink Staking contracts, indirectly supporting the Chainlink BUILD program. It is an initiative to help early-stage and established Web3 projects grow by providing them with enhanced access to Chainlink services and technical support. There are several Arbitrum and Ethereum protocols involved with this program.

As the CTO of Cyfrin, he leads its world-class auditing team. He is developing several security-focused services and open-source tools, such as the CodeHawks competitive audit platform and Aderyn, a Rust-based Solidity AST analyzer designed to identify potential vulnerabilities.

Mark Scrine

Cyfrin’s CSO, Mark, was the Strategic Lead for Proof of Reserve at Chainlink Labs and led several of their biggest integrations, securing over $3.2B of TVL in minting for the solution. These included protocols such as TUSD, Matrix Port, AAVE, BackedFi, Poundtoken, Stablr, and Swell Network. Before moving into his role on Proof of Reserve, his primary focus was to support the integration of price feeds, automation, and VRF across DeFi, contributing to enhancing the security of hundreds of protocols on the Ethereum and Arbitrum ecosystems.

More recently, at Cyfrin, he has become the CSO and developed partnerships with some of the biggest protocols in the space across several different verticals within the Ethereum and Arbitrum ecosystems. He has also supported Immutable Lawyer & DK with the Arbitrum DAO in establishing the ArbitrumDAO Procurement for Service Providers.


Cyfrin will hire a dedicated Project Manager if selected. They will be supported by the individuals mentioned above alongside the entire Cyfrin team and resources. We want to have a dedicated focus on the ARDC and not have any other external or internal distractions - so hiring one dedicated to this would be the most beneficial to the ARDC. This security expert will hold a developer-first role at Cyfrin and will be supported by our team of Security Researchers, Engineers, and DevRels.


Security, Education & Framework

Cyfrin is interested in contributing to the Arbitrum Research & Development Collective (ARDC) for Security Enhancement, Educational Initiatives, and Framework Development. Our expertise in blockchain security and smart contract audits uniquely positions us to do this successfully.

Security Enhancement: At the core of Cyfrin’s mission is enhancing smart contract security. We previously proposed establishing the Arbitrum Security Enhancement Fund to sponsor audits for projects within the Arbitrum ecosystem.

Through our private and competitive audits, Cyfrin has secured over $25B in TVL. Our in-house team of world-class security researchers produces tooling and content on their work to improve security for the industry in general. Cyfrin also championed the ‘ArbitrumDAO Procurement Committee’ and helped shape some processes with potential Procurement Committee Members.

Our team brings a deep technical skill set to every project we take on, including static and manual analysis, vulnerability detection, advanced fuzz testing, formal verification, monitoring, and emergency crisis management.

For DAOs particularly, visualizing the state of contracts, ensuring the correct encoding of values, and assessing risky transactions is critical to securing the entire Arbitrum ecosystem against potential attacks and malicious actors.

Additionally, our proficiency extends to conducting white box source code reviews, a meticulous process to identify design flaws and verify the security and correctness properties of on-chain upgrade proposals. This capability is essential in preempting and preventing governance attacks, enhancing the ecosystem’s resilience.

Educational Initiatives: Cyfrin is already deploying our industry-leading DevRel team towards educational programs tailored for Arbitrum developers through Cyfrin Updraft with the support of The Arbitrum Foundation. This includes courses on Solidity 101, Foundry 101, Advanced Foundry, and Security and Auditing courses. We aim to empower developers with the knowledge and necessary tools to prioritize security at every development lifecycle stage, mitigating risks and enhancing the overall security culture within the Arbitrum ecosystem. These courses are now available in 8 different languages to increase the adoption of blockchain technology worldwide. The main reason for providing security consultations on DAO proposals is to educate the broader community to help them make informed decisions. Given our expertise and proven track record in delivering world-class educational content, we are uniquely positioned to support the ARDC with this.

Framework Development: We will use our auditing experience to develop a comprehensive security framework tailored for the Arbitrum ecosystem. This framework will guide developers and protocols, outlining best practices, common vulnerabilities, and strategies to pre-empt potential security issues. We aim to ensure that the Arbitrum ecosystem remains at the forefront of blockchain security by continuously updating this framework in response to emerging threats and trends.

Motivations

Cyfrin’s motivation to join the Arbitrum Research & Development Collective (ARDC) stems from our mission statement to advance security within the blockchain ecosystem.

Our objectives are twofold.

Firstly, we want to enhance the security of Arbitrum protocols and its infrastructure to support its growing user base. This effort is crucial for building trust among developers and increasing the active user base.

Secondly, we have vested efforts in contributing to the ARDC’s educational initiatives - empowering developers with the security knowledge required and best practices essential to promoting a security-first culture. Building a safer blockchain industry is Cyfrin’s primary mission.

Ultimately, our participation in the ARDC is about mitigating risks and actively contributing to creating a more secure, innovative, and resilient industry for all.

Primary Mandate

Cyfrin’s commitment to the Arbitrum Research & Development Collective (ARDC) is to leverage our blockchain security expertise to analyze ArbitrumDAO proposals and forum discussions to grow a safer Arbitrum ecosystem.

By leveraging the tools and skill sets we use daily to audit protocols and build code, Cyfrin will direct our unique capabilities to evaluate every code update, governance contract, and proposal transaction. Cyfrin’s presence in the Arbitrum ecosystem will increase the number of secure proposals while maintaining the ecosystem’s trustworthiness.

We aim to expedite the governance decision-making process by offering actionable insights and recommendations, enabling the community to make informed, swift decisions that enhance the ecosystem’s security and functionality.

Cyfrin is dedicated to creating educational materials that break down security practices for the Arbitrum community. This initiative raises awareness and increases security measures for the Arbitrum DAO, further strengthening the ecosystem’s resilience and long-term sustainability.

Relevant Security Experience

Cyfrin has conducted smart contract security audits, both competitive and private, for a wide range of projects across chains. This deep expertise in smart contracts has given us the skills to succeed at ARDC.

In the first 30 days of 2024, Cyfrin has been tasked with auditing over $27 billion worth of DeFi TVL by some of the most prominent protocols in the Ethereum ecosystem. This work ranges across several verticals, including stablecoins, liquid staking, bridges, etc. This diverse and complex range of protocols, coupled with extremely high TVL at stake, has earned us the experience needed for a successful Arbitrum Research & Development Collective.

Our audits have helped identify critical vulnerabilities, safeguarding the integrity of protocols and protecting them and their users from potential exploits. Furthermore, our long-held commitment to enhancing the security of the Arbitrum and Ethereum ecosystems is showcased in our innovative educational initiatives for engineers and auditors, which are, in large part, taught for developers building on the Arbitrum chain.

By providing clear guidelines and best practices, we have fostered a safer development environment that encourages innovation while minimizing risk.

In summary, Cyfrin’s mix of security auditing expertise and educational outreach positions us as a highly valuable contributor to the ARDC.

Proposal Review and Experience

Each proposal is unique, and assistance may come in various forms, including but not limited to:

  • Security assessments on the proposed code
  • Proof of concepts for vulnerabilities
  • Feedback on testing, code maturity, or overall architecture of proposals
  • Working through previous cases where similar proposals have been tested
  • Running simulations to evaluate whether a proposal should be accepted
  • Providing feedback on the architecture or makeup of the proposal

We aim to ensure that everyone involved in the proposal process understands the security implications of any successful proposal. Our team will do everything possible to provide assistance and ensure a secure environment.

Review of On-Chain Proposal Code Updates

With extensive experience conducting security reviews and smart contract engineering for critical protocols such as Chainlink, Compound, and GMX, Cyfrin’s background places us in a unique position to enhance the security and integrity of the Arbitrum ecosystem. Our expertise encompasses the hands-on development and auditing of smart contracts and the creation of cutting-edge tooling designed to identify and mitigate security risks internally within organizations and externally in the broader Web3 space. Moreover, Cyfrin Updraft’s world-class Web3 education initiatives have equipped our team with the skills to understand complex security concepts easily.

Security Reviews: Leveraging our security review experience, we will thoroughly examine Arbitrum’s smart contracts and associated codebases. By applying specific review methodologies, we will uncover vulnerabilities, suggest mitigations, and provide detailed reports to eradicate security issues within the ecosystem.

Threat Modeling: Effective security requires anticipation. Drawing on our background in threat modeling, we will help the Arbitrum ecosystem identify potential security threats before they happen. Cyfrin will guide proposals in understanding common and sophisticated attack vectors by understanding and modeling the adversary’s perspective.

Competitive Audits: With Cyfrin’s expertise in competitive audits, we are capable of managing and supervising audit competitions for the Arbitrum ecosystem. Such competitions are designed to engage external security experts to scrutinize and evaluate Arbitrum’s code, giving rise to diverse expert perspectives and unearthing any latent vulnerabilities. This process ultimately helps to bolster the ecosystem’s resilience.

Security Consultation: Offering security consultation services, we can provide ongoing support to Arbitrum developers and projects. This includes advising on best security practices, reviewing code changes for potential security implications, and helping to integrate security into the development lifecycle from the outset.

Engineering and Architecture Consultation: Beyond security, our experience in smart contract engineering allows us to consult on the overall engineering and architectural decisions within the Arbitrum ecosystem. This ensures that security considerations are baked into the design and architecture of projects, minimizing risks and vulnerabilities.

Educational Initiatives: Finally, leveraging our involvement in Web3 education, we can contribute to developing and delivering training programs and resources focused on security best practices for the Arbitrum community. Educating developers, auditors, and project teams can elevate the security knowledge base within the ecosystem, leading to more secure deployments and innovations.

Summary

Cyfrin’s comprehensive experience in security reviews, smart contract engineering, tool development, and education positions us to make a significant contribution. By applying an approach that includes rigorous audits, threat modeling, competitive analysis, and educational outreach, we aim to level up the Arbitrum ecosystem.

Project Management

Cyfrin has launched three brand-new products: CodeHawks, Cyfrin Updraft, and Solodit. We’re a developer-first security firm and offer Private Audits tailored to yet-to-be-deployed and already-live protocols.

Each security assessment that we conduct is assigned a dedicated project manager. They prioritize the client’s needs and start with a welcome call to discuss the project’s timelines. We send them onboarding documentation to start their security engagement. Once the project is completed, we deliver the formal report and discuss the findings with the protocol.

We provide live updates and regular status calls to keep our clients informed about the project’s progress. Our project managers hold internal retrospective calls to document successful outcomes and achievements. This helps us obtain feedback on the client journey and identify improvement areas. Project Managers also have live closure calls with their client points of contact.

To ensure client success, we use a CRM tool to track project progress, stay within scope, and monitor budget considerations. Our Team Scheduling & Resource Planning Tool helps address schedule management and financial management considerations.

Through constant communication, the protocol’s engineering team can review vulnerabilities as soon as they’re found. This ensures the team can start working on fixes immediately. We also provide architecture analysis, fuzz testing, pull request reviews, and specific knowledge like formal verification, code smells, testing feedback, etc.

Contribution to the purpose of ARDC mandate

Our goal will be to review Arbitrum DAO Forum proposals by applying our security-first mindset to evaluate their feasibility, security implications, and overall impact and risk on the Arbitrum ecosystem, its treasury, and its user base. This involves a detailed analysis of every technical portion of each proposal, identifying potential vulnerabilities and risks, and suggesting improvements that strengthen the ecosystem as a whole.

We will leverage our experience in smart contract security to provide comprehensive, objective assessments of proposals and their attached on-chain actions and take a detailed approach to analyze forum discussions within the Arbitrum DAO.

Furthermore, our contribution extends to active participation in DAO discussions, where our insights and recommendations will be rooted in a technical approach - always with the best interests of Arbitrum security in mind. As mentioned, Cyfrin has significantly contributed to growing the Arbitrum developer ecosystem through our technical education courses watched by hundreds of thousands of students worldwide and will continue providing an educational approach to our reporting mechanisms.

Engaging in active community discussions fosters a culture of security awareness among other thought leaders and the broader community, continuously emphasizing the importance of security considerations in the governance process.

We will expedite governance decision-making by providing clear, concise, and actionable proposal feedback. This feedback will be based on rigorous analysis and our vast experience in the security space, offering ArbitrumDAO the ability to make informed decisions.

In summary, Cyfrin’s contribution to the ARDC’s mandate will be shown in our commitment to enhancing the security and integrity of the Arbitrum ecosystem. Through objective assessments, proactive community engagement, and a focus on security education, we aim to support the ARDC in making the ArbitrumDAO’s governance process more efficient, informed, and secure.

Security Tools

We have designed, developed, and launched several security tools in the last year:

  • Solodit is the world’s most extensive library of smart contract vulnerabilities, free for all smart contract researchers to leverage daily.
  • Aderyn is a Rust-based Solidity AST analyzer. It is designed to enable and empower automation experts to build the most advanced open-source vulnerability detectors in Web3.
  • CodeHawks is a competitive auditing platform that incentivizes security researchers to find vulnerabilities in open contests based on impact and uniqueness.
  • Keepmesafe is an npm package ensuring developers never push their private key to a public repository - this was the number one cause for hacks in 2023.

Building security tools that auditors and engineers can leverage at every stage of the development lifecycle is critical to the Cyfrin mission. All of the tools that we have created are compatible with Arbitrum.

Cost to the DAO

  • Total: 350,000 ARB (~52% of the 665,000 ARB dedicated to this initiative)
    • Full-Time Project Manager: 100,000 ARB for the 6-month term, full-time dedication (at 1 ARB = $1.93).
    • Supporting Team Members: 250,000 ARB. Alongside the dedicated Security Expert, Cyfrin will allocate members of its team costing $20k per week, for $480,000 at the current price of ARB (1 ARB = $1.93). The total ask is $673,000 for the six months at the current price of ARB (1 ARB = $1.93).

Summary

At Cyfrin, our core qualifications are in smart contract security research, technical education, and developing and deploying advanced security tooling. Our team brings experience conducting thorough security audits, with a portfolio of audit reports and published mitigation reports demonstrating our expertise in identifying, analyzing, and mitigating vulnerabilities in smart contracts. This background makes us uniquely equipped to contribute significantly to the Arbitrum Research & Development Collective (ARDC).

Our background in education allows us to break down complex security concepts into accessible knowledge, supporting developers within the Arbitrum ecosystem to adopt best practices in smart contract security. We have a track record of developing educational materials that raise awareness and understanding of security issues, fostering a culture of security-first development.

Cyfrin’s experience in smart contract security tooling is another area of expertise. We have developed and refined a suite of tools that automate the detection of vulnerabilities and assist in the secure development of smart contracts. This includes Aderyn, Keepmesafe, and Solodit. Soon, we are releasing a reusable CCIP testing framework, which can support protocols in the Arbitrum and Ethereum ecosystems.

This experience directly applies to enhancing the Arbitrum DAO’s security posture, ensuring that proposals and implementations adhere to the highest security standards.

Our competitive audit platform, CodeHawks, can leverage community-driven security assessments to identify vulnerabilities within Arbitrum DAO proposals. This platform could serve as a mechanism to engage with the broader security research community, bringing in renowned experts to participate in contests designed to assess and improve the security of proposals. Such an approach elevates the security analysis of Arbitrum DAO projects and fosters a collaborative and competitive environment that drives innovation and excellence in smart contract security.

In summary, Cyfrin’s blend of deep technical expertise, a commitment to education, and innovative security tooling positions us as an ideal partner for the ARDC. Our contribution can significantly enhance the security, integrity, and resilience of the Arbitrum ecosystem, driving forward the collective goal of establishing Arbitrum as a secure and trusted platform for decentralized applications. Our vision is to work collaboratively with the ARDC to set new standards in blockchain security, leveraging our strengths to benefit the Arbitrum community and beyond.

Relevant Resources

Disclaimer: We are open to collaborating with other Security Firms and are not closed off to a joint proposal with reputable partners.

4 Likes
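The application above mentions, in the "Security, Education & Framework" section and the "Proposal Review and Experience" list, checking that the on-chain actions attached to a DAO proposal are correctly encoded and flagging risky transactions. The following is an added illustration of what such a check looks like in practice; it is example code written for this page, not Cyfrin's tooling or any Arbitrum DAO code. It decodes each action's calldata against a small table of well-known function selectors (the standard 4-byte selectors of `transfer`, `approve`, `transferOwnership` and `upgradeTo`, hardcoded because the Python standard library has no keccak256), verifies that every ABI word is canonically padded, and flags unlimited approvals, privileged calls and unknown selectors. The sample proposal, its addresses and amounts are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

UINT256_MAX = 2**256 - 1

# Standard 4-byte selectors (first four bytes of keccak256 of the signature),
# hardcoded because the standard library has no keccak256. Only static types.
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
    "f2fde38b": ("transferOwnership", ("address",)),
    "3659cfe6": ("upgradeTo", ("address",)),
}
PRIVILEGED = {"transferOwnership", "upgradeTo"}


@dataclass
class Action:
    target: str      # contract the proposal calls
    value: int       # wei attached to the call
    calldata: str    # hex string, 0x-prefixed or not


@dataclass
class Review:
    target: str
    function: Optional[str]
    args: list
    issues: List[str] = field(default_factory=list)


def _decode_static(kind: str, word: bytes, idx: int, issues: List[str]):
    """Decode one 32-byte ABI word of a static type, recording encoding problems."""
    if kind == "address":
        # Canonical encoding: 12 zero bytes of padding, then the 20-byte address.
        if any(word[:12]):
            issues.append(f"arg {idx}: address word has non-zero padding bytes")
        return "0x" + word[12:].hex()
    if kind == "uint256":
        return int.from_bytes(word, "big")
    if kind == "bool":
        n = int.from_bytes(word, "big")
        if n > 1:
            issues.append(f"arg {idx}: bool word is {n}, expected 0 or 1")
        return n != 0
    raise ValueError(f"unsupported static type {kind}")


def review_action(action: Action) -> Review:
    """Decode one proposal action and collect everything a reviewer should look at."""
    data = bytes.fromhex(action.calldata.removeprefix("0x"))
    review = Review(action.target, None, [])
    if int(action.target, 16) == 0:
        review.issues.append("target is the zero address")
    if action.value:
        review.issues.append(f"call attaches {action.value} wei")
    if len(data) < 4:
        review.issues.append("calldata shorter than a selector")
        return review
    selector = data[:4].hex()
    if selector not in KNOWN_SELECTORS:
        review.issues.append(f"unknown selector 0x{selector}: decode manually against the target ABI")
        return review
    name, kinds = KNOWN_SELECTORS[selector]
    review.function = name
    expected = 4 + 32 * len(kinds)
    if len(data) != expected:  # static args only, so the length is fixed
        review.issues.append(f"calldata is {len(data)} bytes, {name} expects {expected}")
        return review
    for i, kind in enumerate(kinds):
        word = data[4 + 32 * i: 36 + 32 * i]
        review.args.append(_decode_static(kind, word, i, review.issues))
    if name == "approve" and review.args[1] == UINT256_MAX:
        review.issues.append("unlimited approval (uint256 max)")
    if name in PRIVILEGED:
        review.issues.append(f"privileged action: {name}")
    return review


def review_proposal(actions: List[Action]) -> List[Review]:
    return [review_action(a) for a in actions]


# --- constructed sample proposal (hypothetical addresses, not a real proposal) ---
def _call(selector: str, *words: bytes) -> str:
    return "0x" + selector + b"".join(words).hex()

def _addr(a: str) -> bytes:
    return bytes(12) + bytes.fromhex(a.removeprefix("0x"))

def _uint(n: int) -> bytes:
    return n.to_bytes(32, "big")

TOKEN = "0x" + "aa" * 20
RECIPIENT = "0x" + "11" * 20
SPENDER = "0x" + "22" * 20
NEW_IMPL = "0x" + "33" * 20

SAMPLE_PROPOSAL = [
    Action(TOKEN, 0, _call("a9059cbb", _addr(RECIPIENT), _uint(1_000 * 10**18))),
    Action(TOKEN, 0, _call("095ea7b3", _addr(SPENDER), _uint(UINT256_MAX))),
    # mis-encoded on purpose: a stray byte in the padding of the implementation address
    Action("0x" + "bb" * 20, 0, _call("3659cfe6", b"\x01" + bytes(11) + bytes.fromhex("33" * 20))),
    Action("0x" + "cc" * 20, 0, "0xdeadbeef"),
]

if __name__ == "__main__":
    for r in review_proposal(SAMPLE_PROPOSAL):
        print(r.target, r.function, r.args, r.issues)
```

The padding check is the piece that catches the "correct encoding of values" problem: an address word whose upper 12 bytes are not zero will still be accepted by most contracts (the EVM masks the value), so a proposal can look correct on the forum and yet carry a value the author never intended. In real use the selector table would be replaced by the target contract's verified ABI, and dynamic types (`bytes`, arrays) need offset-based decoding that this example deliberately leaves out.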