Applicant Information
Name of Applicant: Stephen Tong (CEO and Co-Founder, Zellic); Neville Grech (Director and Co-Founder, Dedaub)
Email Address: stephen@zellic.io; neville@dedaub.com
Role being applied for: Security-Oriented Member
Background Information
Zellic and Dedaub, leaders in smart contract security, are joining forces for this proposal in an effort to leverage each company’s unique strengths and apply them towards the security of the Arbitrum ecosystem.
Example strengths include: ensuring secure asset handling for delegates, stakers, and community members; development of pre-audited contract templates for Arbitrum Stylus; security-oriented competitions for developers (competitive hacking and security research–an area of excellence for Zellic); technology for reverse-engineering and building analysis tools (an area of excellence for Dedaub); security auditing for protocols and governance proposals (a strength of both organizations).
Security providers have historically sought large amounts of funding from DAOs and other public goods organizations for work of dubious value to token holders. Meanwhile, projects often spend a third of their budget on security. We believe this prescriptive, extractive approach is fundamentally misaligned with the long-term interests of the crypto community and Web3 industry.
Counter to this trend, Zellic and Dedaub propose a radially-aligned “pay for what you get” model. In this model, we will only be compensated for the deliverables that token holders actually want and find useful. Meanwhile, we propose deliverables that directly minimize the amount of security spend needed by developers in the Arbitrum ecosystem to ship and deploy code.
Beyond fees and payment structure, we directly prove and enforce our alignment to Arbitrum token holders financially:
- Voluntary token bond. If Zellic and Dedaub are selected for the ARDC, we will at our own expense post a $100,000 USD bond (each firm posting $50,000) to be locked up in staked ARB tokens during the performance of this proposal.
- Vesting. We also voluntarily request that all payments for services under this proposal vest over a predetermined period. These terms ensure that Zellic and Dedaub will remain fully committed and faithful to ARB token holders first and foremost.
About Us
Zellic
Zellic is a vulnerability research firm with deep expertise in blockchain security. We specialize in EVM, ZK, Cosmos, as well as Move (Aptos and Sui) and Solana. We identify complex vulnerabilities and prevent catastrophic security events.
Among others, LayerZero, StarkWare, SushiSwap, and the Solana Foundation trust Zellic to secure their future. We review L1s and L2s, cross-chain protocols, wallets and applied cryptography, web applications, and more. We also have a dedicated zero-knowledge cryptography team, and work closely with projects like Scroll, Axiom, and Succinct Labs.
We have audited and/or have on retainer several leading protocols on Arbitrum, including Hyperliquid, Timeless, Perennial Finance, Y2K, and Premia.
Outside of a formal security review, one of Zellic’s security researchers also discovered a critical vulnerability ‘in the wild’ in Premia, one of Arbitrum’s leading options protocols. An allowance check issue would equip any user to grant allowance to themself to arbitrarily cause cross-chain transfers of other users’ tokens to an arbitrary address i.e. any user can steal any other user’s funds using cross-chain transfers.
Zellic is led by Stephen Tong and Jasraj Bedi, who previously founded the #1 CTF team worldwide in 2020 and 2021. Our engineers bring a rich set of skills and backgrounds, including cryptography, web security, mobile security, low-level exploitation, and finance. We’re also a founding member of the Security Alliance (SEAL) led by samczsun, an industry effort to raise the bar for blockchain security.
Dedaub
Dedaub is a Web3 security vendor servicing a number of mainstream project teams, including the Ethereum Foundation, Coinbase, Chainlink, Oasis, GMX, Eigenlayer, & Lido. Over the past few years, the Dedaub team has been instrumental in the successful evolution of both the Ethereum and Arbitrum Ecosystems via tooling, security R&D studies, and security audits of some of the best-known protocols running on these chains.
In addition to auditing engagements, Dedaub has developed high-fidelity static analysis and formal verification tools that have contributed towards the security of smart contract ecosystems, both independently and through their use by our white-hat hacking teams. For instance, our static analysis toolchain has found 10 high-impact vulnerabilities in large protocols (including in Uniswap, Primitive Finance, Harvest Finance, Multichain & Fantom).
Direct Contributions to Arbitrum: Dedaub successfully audited GMX (specifically V2), the largest project on Arbitrum by TVL. Within this context, the deployment of GMX V2 on Arbitrum was only made possible through the development of low-latency oracles for derivatives projects by Chainlink. This is also another project that the Dedaub team has contributed in design and audited as a security partner of Chainlink. A number of other growing projects on Arbitrum that Dedaub has audited include: Rysk, Stella, Pendle & Gravita.
Direct Contributions to Ethereum: The Dedaub team has conducted a number of R&D security studies commissioned by the Ethereum Foundation, of EIPs that affect not only Ethereum but also its L2s. For instance, these include audits & studies for the new data structure that will soon underpin Ethereum state (Verkle trees), EIP-1884, EIP-3074, etc. In addition, our team has developed and maintained the most popular decompiler for EVM smart contracts, transaction simulation and monitoring tools.
Objectives and Motivations
Zellic and Dedaub want to empower DAO members to make good decisions, especially when they involve security and/or technical evaluation. Our objective is to increase Arbitrum’s TVL and developer adoption while protecting stakers and delegates’ assets. We will do this by providing useful deliverables that (1) make users more eager to use applications built on Arbitrum; (2) make it easier and cheaper for developers to build and ship those applications in the first place; and (3) provide the frameworks, guidance, and tools needed for delegates and community members to secure on-chain assets.
Arbitrum has almost $3B in TVL, but insufficient tools, processes, or advisory to ensure DAO governance and ecosystem development are secure. We want to bring in battle-tested best practices, tooling, and services to bolster the security posture of the Arbitrum ecosystem at-large. And most importantly, we want to do so in a way that is actually useful for token holders.
Skills and Experience
Please refer to our original proposals here (Zellic) and here (Dedaub) for details of our skills and experience.
Proposal Review & Assistance
Our joint proposal outlines a number of initiatives of varying complexity and application that we are confident to execute at the highest level. That being said, we do not want to be presumptuous or heavy-handed in what the community needs.
We will defer to governance participants to determine which of the initiatives is most appropriate for the community for the duration of our six-month tenure.
1. Arbitrum staking security design (Dedaub)
The goal of this project will be to protect staked ARB for validators, stakers, and delegates. Members of Arbitrum DAO have proposed enabling a staking mechanism for ARB token holders. Irrespective of the incentive parameters suggested by the community and the risk member, as a security member we propose researching the security design space of such a mechanism to ascertain that the mechanism is secure by design and that it will not pose security concerns to stakers. Notably, Dedaub has audited many prominent staking protocols, including Chainlink Staking, Lido on Avalanche, Nexus Mutual staking v2.
2. Template primitives for Arbitrum Stylus (Zellic)
The goal of this project will be to eliminate security spend by providing pre-audited contract templates for Arbitrum Stylus. Stylus has the potential to be a step-change in developer experience across all EVM chains. It allows developers to write smart contracts in programming languages that compile down to WASM, such as Rust, C, C++, and many others. Given its novelty, however, there are few resources or projects that demonstrate its robustness.
Zellic can build secure templatized primitives for Stylus–e.g., an ERC20 implementation–that can be leveraged to develop higher-order dApps like AMMs, perps DEXs, lending protocols, and more. These templates would be pre-audited by our security researchers. Our goal is to increase the baseline level of ecosystem security, even for permissionless deployments of long-tail assets and protocols.
3. Security tooling adapters for Arbitrum Stylus contracts (Dedaub)
In addition to pre-audited Arbitrum Stylus contracts, our teams propose building a simple framework to transpile Arbitrum Stylus contracts to a representation that can be analyzed by existing, mature, code security tools. This is a low-level engineering task but a significant enabler, with broad benefits to the entire Arbitrum Stylus development community. The work will permit a host of existing smart contract analysis technologies (such as tools like Slither and Gigahorse, and even mature Web2 code security tools) to apply to Arbitrum Stylus. Effectively, the technical work will build a translation bridge from WASM (the underlying intermediate language for Arbitrum Stylus) to intermediate languages that underlie EVM security tools (Yul and the TAC language of Dedaub tooling). This means that EVM security tools will not need to be engineered from scratch but merely adapted at the integration level, because the internal representation will be fully compatible.
The development of security tooling adapters for Arbitrum Stylus contracts significantly enhances platform security and lowers the barrier to entry for developers, making it a more accessible and attractive option. By ensuring compatibility with mature development tools, this initiative can attract existing projects using other technologies to migrate to Arbitrum, leveraging their established codebases and communities.
4. Arbitrum CTF competitions (Zellic)
Capture The Flag competitions are the epicenter of security research. They consist of a set of computer security puzzles involving reverse-engineering, memory corruption, cryptography, web technologies, and more. CTFs and similar code competitions are a verified go-to-market strategy to attract high-quality developers to a new ecosystem. Curta competitions, for instance, have discovered some of the best protocol engineers via their programming competition platform on EVM. We have designed several Curta challenges. Some other recent Web3 efforts of ours include MoveCTF, Ingonyama ZK CTF, and Paradigm CTF.
We’ve led the #1 ranked CTF team worldwide in 2020, 2021, and 2023, and have won some of the most prestigious competitions including GoogleCTF, Real World CTF, PlaidCTF, and DEF CON Quals. With the rapid growth of rollups and sovereign blockchains, Arbitrum-specific CTFs—which are operationally complex with high technical barriers to organize—will be a strategic way to identify and attract top developer talent to the ecosystem.
5. Guidelines and frameworks for AIPs (Zellic & Dedaub)
AIPs are often well-intentioned but poorly drafted because there are no standard guidelines. Alongside other ARDC members, we will develop a set of standards and best practices for AIPs so that proposers and evaluators have the necessary information to make an informed decision. Specifically, a lot of proposals fail to account for overall ecosystem impact that even minor changes can have.
For every governance proposal that relates to our security expertise and/or proposes to spend DAO budgets on audits, we will contribute a forum post outlining security considerations for that project for the community’s benefit in decision-making. For instance, we will contribute input on ways proposed audit costs could be minimized.
6. Security primers on Arbitrum (Zellic)
Zellic will write security primers, case studies, PSAs, and other analysis for the community’s benefit. We will write these in the style of our previous educational blog posts. Similar security primers that we’ve written for other ecosystems include: Aptos; Sui; Cairo; ZK.
In addition to our work for clients, Zellic closely follows all ongoing critical exploits and hacks in the crypto ecosystem. On multiple occasions, our security researchers have successfully reverse-engineered several major attacks as they were ongoing. For example, collaborating with samczsun, Zellic was the first team to triage and reverse engineer the $325,000,000 attack on the Wormhole bridge in February 2022.
During these times of crisis, our auditors regularly publish long-form Twitter threads to help raise the crypto ecosystem’s awareness and education regarding security. Public education and community engagement are important pillars of Zellic’s ethos. Below are select Twitter threads that received the highest user engagement and impressions this year, and we envision publishing similar threads and additional PSAs for Arbitrum DAO: Ledger wallet drain; Nomad $190M bridge hack; Slope wallets hack; meta-analysis of cross-chain bridge exploits.
7. Governance incident response (Zellic & Dedaub)
In addition to reviewing on-chain governance proposals, we will run governance attack simulations to ensure that key stakeholders within the DAO are well-prepared for emergency situations–low probability but critical impact incidents. Bad actors can pass malicious proposals (e.g. Tornado Cash governance), even in forums with a wide range of active participants.
In such scenarios, key governance delegates must move swiftly and with a clear operating procedure to reverse the malicious proposal and/or its impact. We will design an Arbitrum DAO-specific playbook for this. Our experience as a founding member of SEAL is testament to our commitment to incident preparedness and response.
8. Arbitrum Drift Tracker (Zellic)
Zellic has built a tool called the Audit Drift Tracker, which tracks what code is audited and unaudited for the biggest DeFi protocols. ‘Drift’ specifically refers to the difference between code that is audited and code that is deployed. To the best of our knowledge, no one is tracking the on-chain audit drift of popular DeFi and Web3 protocols. Audit drift was at the heart of the $190M Nomad bridge exploit.
Given the pace of development in the ecosystem, we want to devote resources for an exclusive platform to track audit drift in leading Arbitrum projects. TVL security is among the highest priorities for any chain, and Drift Tracker offers both developers and users an accessible tool to make security-informed decisions and hold protocols accountable. We expect this should have a meaningful impact on growing TVL within the ecosystem as users feel more equipped to better diligence their counterparties on-chain.
9. Protocol Forks Identifier (Zellic & Dedaub)
Forky is a tool that presents the smart contract differences between a fork of a protocol and a base (parent) protocol. For example: PancakeSwap is a fork of Uniswap v3. This tool would allow you to easily view the differences between both codebases and their corresponding risk considerations.
DeFi protocols are particularly susceptible to fork-related exploits. Users often assume that forks carry the same security assumptions of its parent protocol, without checking and/or understanding the changes that can be made. Forky highlights in plain English the scope of changes as well as its intended effect, like changes in permissions, admin functions, use of standards, etc.
We will build an Arbitrum-focused Forky that allows users to input the source code of any new protocol on Arbitrum and compare it to the most-forked protocols on Ethereum–like Uniswap, Aave, Compound, etc.
10. DAO Contracts Verification Tools (Dedaub)
Although many of the recent DAO proposals have been simple in nature, this overlooks the fact that security issues can arise from time-to-time due to ecosystem level threats and novel security vectors. In view of this, the Arbitrum DAO would benefit from rapid-reaction automated push button analysis operated by the ARDC. For this we propose building and deploying static analysis tooling to the DAO contracts. Although the DAO contracts have been previously audited, whenever a novel vulnerability vector is discovered we can update our verification tools accordingly and rescan the DAO smart contracts to determine the blast radius. The tools will benefit from a number of competitive advantages compared to existing tools:
- The method by which we intend to verify the smart contracts is through a novel technique called static-symbolic value-flow (“Symvalic”) analysis. This models program behavior with high precision, e.g., full path sensitivity.
- Furthermore, we combine this technique with “learned” invariants from past corpuses of smart contracts (using statistical techniques) to determine unusual lack of invariants in new smart contracts. The latter corpus will include past Arbitrum smart contracts.
11. End-user security tooling (Zellic & Dedaub)
There have been several known cases where Arbitrum end-users lost funds due to simple mistakes. Some of these can be fairly simple, such as sending Airdropped ARB tokens to the token contract itself. This one specific mistake has already led to almost $10m being lost and delegates are looking to refund these users out of the treasury’s pocket. In addition to direct financial losses, these mistakes can cause many users to feel helpless and ultimately abandon the ecosystem. Although security extensions for wallets already exist, these have so far mainly focussed on preventing scams and hacks. They have not however targeted end-user mistakes, some of which can be domain-specific (Arbitrum-specific).
We propose building or extending existing open-source Metamask Snaps that can prevent these kinds of low-hanging fruit issues that partly arise due to difficult UX. The Dedaub team has already developed a popular Snap that targets security, while the Zellic team can audit Metamask Snaps.
Review On Chain Proposal Code Updates
Our commitment to security research extends to governance support. Zellic is a member of Uniswap’s Bridge Assessment Committee. In February 2023, the Uniswap Foundation convened this committee to evaluate cross-chain bridges in DAO governance. We evaluated six bridges and approved two for the DAO’s cross-chain governance use case, and determined that a multi-bridge architecture was likely the best option for Uniswap. Beyond this experience, we highlight our Arbitrum-specific experience above, under the “About Us” heading.
For Arbitrum DAO in particular, security considerations for governance proposals are two-fold:
- Are the proposed changes secure? Zellic’s and Dedaub’s deep expertise across the full stack of blockchain systems will allow us to perform a thorough manual review of every change.
- Do the changes introduce new vulnerabilities and/or attack vectors? I.e., are there dormant backdoors in the proposal? Zellic will develop threat models for all relevant governance proposals to ensure that proposed changes are secure and do not implement soft-backdoors that can be activated at a later date. An important example here was the self-granting of 1.2M votes on Tornado Cash by a malicious actor.
Additional Contributions
Scope of Services and Applicable Fees
We take accountability seriously, and only expect the DAO to compensate for work that has been satisfactorily completed. We will define clear milestones for each initiative, and only request payment upon completion of a milestone. We are committed to the Arbitrum ecosystem for the long-term, and request that our ARB payment be locked up according to a predetermined schedule. We leave the decision of the vesting period up to you, the delegates, but suggest a minimum period of 6 months. Overall, we expect our contributions to positively impact the ecosystem and are confident that it will be reflected in the long-term value of $ARB.
The scope of services listed below is an outline of possible deliverables to expect from Zellic and Dedaub. We do not presume that all will be within scope or a priority to the DAO.
Rather than a prescriptive approach, we want you, the delegates, to pick and choose what you find useful.
| Description | Required time (engineer-weeks) | Cost (USD) | Cost (ARB) | Notes |
|---|---|---|---|---|
| Arbitrum staking security design | 6 | $120,000 | 59,113 | Study and engineering performed jointly by the Dedaub and Zellic teams. |
| Template Primitives for Arbitrum Stylus | 6 | $120,000 | 59,113 | An ERC20 implementation for Stylus will take ~3 eng weeks as a benchmark. We can build 2 templates based on the DAO’s priorities. |
| Security Tooling Adapters for Arbitrum Stylus | 10 | $200,000 | 98,522 | Developed by Dedaub’s engineering team. |
| Arbitrum CTF Competitions | 10 | $200,000 | 98,522 | Time includes writing challenges, managing infrastructure, and organizing the competition. |
| Guidelines and frameworks for AIPs | 8 | $160,000 | 78,817 | Two security researchers will work in tandem for four weeks. |
| Governance attack simulations | 6 | $120,000 | 59,113 | Two security researchers will work in tandem for three weeks. |
| Security primers on Arbitrum | 3 | $60,000 | 29,556 | We plan to write one primer every two months, based on the needs of the DAO. Each primer will take one engineer week. |
| Arbitrum Drift Tracker | 6 | $120,000 | 59,113 | Developed by Zellic’s engineering team. |
| Protocol Forks Identifier | 4 | $80,000 | 39,408 | Developed by Zellic’s engineering team. |
| DAO Contracts Verification Tools | 8 | $160,000 | 78,817 | An evolution, application, and deployment of Dedaub security technology, time is budgeted for engineers (not security researchers). |
| End-user security tooling | 8 | $160,000 | 78,817 | Adaptation and evolution of Dedaub security technology, time is budgeted for engineers (not security researchers). |
Again, we urge delegates to pick and choose only the components in this proposal that would be valuable to the goals of the ARDC.
Some qualifications on the pricing above:
- ARB price was calculated at $2.03 as of March 2, 2024.
- Our market rate for security reviews and advisory is $25,000 per engineer-week. Given our commitment to DAO security and Arbitrum-at-large, we are extending a flat 20% discount for services outlined above, at a rate of $20,000 per engineer week.
Voluntary Token Bond
If selected for the ARDC, Zellic and Dedaub will at our own expense post a $100,000 USD bond. This bond will be used to buy ARB tokens and will be staked for the full duration of the performance of this proposal, up to a maximum of 12 months. The ARB tokens will be returned to us after this period. Both firms will each post $50,000 USD.
Summary
In preparing and drafting this proposal, Zellic and Dedaub have been grateful for the openness and transparency of various Arbitrum DAO stakeholders on the subject of core protocol developments, security considerations, and ARDC priorities. As such, we have made considerable effort to be precise with our scope of work to address the specific needs of the Arbitrum ecosystem. Our conversations during ETH Denver and Arbitrum GovHack were instrumental in refining our proposal and presenting this joint offering.
Zellic’s and Dedaub’s commitment to blockchain security is deeply aligned with Arbitrum’s work as a forerunner in securely scaling Ethereum. Zellic appreciates the opportunity to submit a proposal for the Security Member in ARDC, and looks forward to a continuous partnership with the DAO and its delegates. We thank Arbitrum DAO for its consideration.