Arbitrum Research & Development Collective: Elections & Applications

Applicant Information

  • Name of Applicant & Applicant’s Representative: Trail of Bits
  • Email Address: sales@trailofbits.com
  • Telegram Handle (if applicable): @montyly or @TrailofBits_Ken
  • LinkedIn Profile (if applicable): Trail of Bits | LinkedIn
  • Role being applied for: Security-Oriented Member

Background Information

Since 2012, Trail of Bits has helped secure some of the world’s most targeted organizations and devices. We combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.

We have worked extensively with Offchain Labs and performed over 180 engineer weeks of security review of Arbitrum through four focused engagements, including ArbOS, Nitro, and Stylus. This led us to develop an in-depth understanding of Arbitrum internals and risks.

Many firms in DeFi, including Optimism, Balancer, Uniswap, and Compound, trust our expertise to help secure their code, and you can find many more in our Publications repository, which includes security assessments of some of the most bleeding-edge technical products and protocols, including but not limited to bridges, DEXs, AMMs, oracles, smart contracts, Layer 1s, and Layer 2s.

At Trail of Bits, we do more than just understand blockchain security; we build industry-leading tools to identify and rectify vulnerabilities. We have authored numerous industry-leading tools, which include:

  • Slither, a static analyzer that detects common mistakes such as reentrancy bugs, incorrect access controls, and more.
  • Echidna and Medusa, which are next-generation smart fuzzers that target EVM bytecode.
  • Tealer, a static analyzer that targets Teal code (Algorand).
  • Caracal, a static analyzer that targets Starknet/Cairo contracts.
  • solc-select, a tool to quickly switch between Solidity compiler versions.

We also publish reference guides, along with pushing academic and general research. We are also one of the founding members of the Security Alliance (SEAL), which aims to improve the security of the ecosystem.

As a Security-Oriented Member of the ARDC, we can provide services to help secure projects in the ecosystem at different stages in their development lifecycle by performing design reviews, threat models, white box security reviews, invariant development, and automated tooling.

Objectives & Motivation

As the main security partner of Offchain Labs, we are committed to ensuring the greater security of the Arbitrum ecosystem. Since day 1, our goal has been to improve the security practice and awareness of the blockchain ecosystem as a whole. This is why we have dedicated significant resources to our open-source tools and public research, to elevate the security standards and allow developers to build more secure code in the long term.

As proof of this dedication, we authored the first proposal upon which the ARDC is built.

Skills and Experience

Trail of Bits has performed over 300 blockchain security reviews, worth 30 engineer years of effort. Among that, 180+ engineer weeks were solely dedicated to reviewing Arbitrum components. This puts us in a unique position to fulfill the review of on-chain proposal code updates with an extensive pre-existing familiarity with the protocol itself.

Trail of Bits has strong expertise in the realm of program analysis and tooling, as demonstrated by our numerous open-source projects (Slither, Echidna, Medusa, etc.). We combine a pragmatic approach and fundamental knowledge to create tools that provide value to their users. Trail of Bits engineers (~10% of whom hold PhDs) frequently present our tools at both industrial and academic conferences. This makes us a perfect fit for the Tooling Creation and Enhancement category.

In addition, Trail of Bits has strong expertise in traditional application security, cloud-native applications, and cryptography, allowing us to leverage dedicated expertise when needed.

To demonstrate our unique expertise and understanding of Arbitrum, we recently released:

Proposal Review & Assistance

Trail of Bits excels in providing white-box security review of source code through a combination of manual and automated review, which may include a review of the proposal for design flaws and identifying security and correctness properties. We can also develop and enhance tooling to enhance the security of the Arbitrum ecosystem and its proposals. This may include specific static analysis bug detectors targeting code updates, developing fuzzing capabilities to test the validity of the new upgrade states and verify that the state changes will not break any invariants, visualizing the state of the governance contracts (in particular, the state of previous proposals, currently emitted and delegated votes, and how the tokens are delegated), and visualizing and verifying correct encoding of values used in the governance contracts and the action contracts.

Review of On-Chain Proposal Code Updates

Trail of Bits has years of expertise reviewing on-chain upgrade proposals to ensure that they align with the design and specification of the proposal through white-box source code reviews. This is particularly important given the prevalence of governance attacks, as seen with Tornado Cash. Trail of Bits can also focus on building content to help review further proposals, including tools (dedicated Slither detectors, fuzzing harnesses, proposal state diff visualizer, etc.) and educational material (tutorials, checklists, code walkthroughs, etc.) to promote the overall security and integrity of the Arbitrum ecosystem.

In addition, by working with Offchain Labs and reviewing Arbitrum components since 2021, Trail of Bits is uniquely positioned to understand and review the impact of on-chain proposal code updates.

Project Management

Each security assessment performed by Trail of Bits is assigned a dedicated project manager with a “client-first” mindset. In 2023 alone, Trail of Bits Project Managers managed over 200 client-facing projects throughout our four practice areas: cryptography, blockchain, ML/AI, and application security. Our engagements ranged from 1 calendar week to long-term projects lasting 30+ engineer-weeks. Our team begins every engagement with a welcome call to discuss timelines and security roadmap details, and closes out each engagement with a final readout call. Our Project Managers use a PM Workflow tool to manage the entire project lifecycle, based on each milestone and the associated activities to be accomplished.

Live updates are made, and weekly status calls with our engineers are provided to our clients.

To document successful outcomes and achievements, our project managers hold internal and external retrospective calls to document lessons learned, obtain feedback on the client journey, and identify any areas for improvement and growth. Project Managers also have live closure calls with their client points of contact.

Trail of Bits uses a Project Management Software tool and CRM for client success. These tools allow us to track the progress of a project, stay within scope, and monitor budget considerations. Our Team Scheduling & Resource Planning Tool helps successfully address schedule management and financial management considerations.

Purpose/Mandate of the ARDC

As a member of the ARDC, our aim is to become the key security partner for the Arbitrum DAO. Our objectives are to secure the ecosystem and help developers to elevate their security posture.

We’re eager to continue working with Arbitrum to enhance ecosystem security through our threat modeling, design review, and white-box security reviews, with a level of rigor that’s unmatched. Our experience and track record of building tools and enhancing our clients’ SDLC will bolster the integrity of the ecosystem. Our high level of communication and dedicated project management team ensure efficient coordination between all parties involved.

Additional Contributions

We are a full-service security firm, with specialized expertise in blockchain, cryptographic, and application security reviews. Resources from across our internal security engineering, software engineering, and cryptography teams are available as needed during our assessments. Trail of Bits doesn’t just deliver a list of bugs, but guidance, continuous support, and custom tooling when necessary to enhance the security posture of each project’s intended use case. Our overall goal is to help secure the Arbitrum ecosystem by providing security assessments, educational materials, and tooling.

Scope of Services & Applicable Fees

Trail of Bits will allocate 24 engineer-weeks for the 6-month period, at a cost of $25k per engineer-week, for a total of $600,000. At today’s price (1 $ARB = $1.93), this is roughly equivalent to 50% of the total Security member allocation of 665,000 ARB.

Our services will include:

  • Review of on-chain proposal code updates
    • White-box security review of source code through a combination of manual and automated review, which may include a review of the proposal for design flaws and identifying security and correctness properties
    • Reviews do not include proposals that are initiated by Offchain Labs and the Arbitrum Foundation. These proposals already go through security reviews (including by Trail of Bits)
    • If 12 engineer weeks are not enough to review all the ongoing proposals in a quarter (or 24 in the 6-month period), Trail of Bits will either perform a review of some of the proposals, or make a best effort to review as many as possible. Trail of Bits will agree with the Arbitrum coalition and its Advocate to determine the priorities.
  • Invariants development
    • Creation of invariants targeting components for future upgrades. The invariants will help developers of upgrades to ensure the correctness of their additions
    • Activities may include but are not limited to:
      • Identify security and correctness properties at the function or system level
      • Write invariants to test them with state-of-the-art fuzzers (Echidna, Medusa, Foundry fuzzer)
      • Documentation and guidance to help the community contribute to the invariants
  • Tooling Creation and Enhancement
    • Develop and enhance tooling to enhance the security of the Arbitrum ecosystem and its proposals, including:
      • Specific static analysis bug detectors targeting code updates
      • Visualize the state of the governance contracts, in particular: the state of previous proposals, currently emitted and delegated votes, and how the tokens are delegated
      • Visualize and verify correct encoding of values used in the governance contracts and the action contracts
  • Public content creation
    • Blog posts, presentations, etc. This will allow Trail of Bits to share their unique expertise with the community and help grow the overall technical understanding of Arbitrum
  • Additional services, based on the ARDC’s needs, which can include:
    • Design review
    • Threat modeling
    • Appsec or cryptography review
    • Guidance on incident response plans or monitoring

Trail of Bits will aim to use 4 engineer weeks on a monthly basis, but might use more or less in a given month, depending on the ARDC’s needs. The total number of engineer weeks for the 6-month period will be 24 engineer weeks; however, Trail of Bits has the capability to increase this number if the ARDC has additional needs.

Summary

Our experience and expertise in static analysis tooling, fuzzing capabilities, performing white-box security reviews, design reviews, and threat models to ensure security and correctness properties in on-chain upgrade proposals is evidenced by our successful track record of working with Arbitrum and similar projects, which can be found on our publications page (GitHub: trailofbits/publications, Publications from Trail of Bits). By working continuously on Arbitrum components since 2021, we have a unique understanding of the L2’s technical stack, risks, and assumptions.

We believe the combined skills and reputations of the members of Trail of Bits’ project team will provide the best assessment and research capabilities in our industry, and will have a massive impact in improving the security assurance of Arbitrum projects. Our team’s strong industry reputation will lend credibility to the results of the project in the form of referenceable public documents on the security of Arbitrum projects.
