Arbitrum Research & Development Collective: Elections & Applications

Applicant Information

  • Name of Applicant & Applicant’s Representative [If Applicable]: Spearbit
  • Email Address: omar@spearbit.com
  • Telegram Handle (if applicable): oab_12
  • LinkedIn Profile (if applicable): Omar Bheda - Spearbit Labs | LinkedIn
  • Role being applied for [1 Max]: Security-Oriented Member

Background Information [Applicable to all]

Spearbit is a distributed network of industry-leading security researchers that has secured over $100B+ in TVL by tackling the most complex and mission-critical protocols across web3. With access to an expansive array of security talent, top protocols consistently choose Spearbit for their end-to-end security services. Premier protocols and projects we work with include but are not limited to:

  • Optimism
  • OpenSea
  • Polygon
  • Coinbase
  • zkSync
  • Alchemy
  • Blast

Spearbit is deeply focused on broad ecosystem impact by providing the highest tier of security service quality, and does so in the form of public goods such as the pro-bono security review of one of Arbitrum’s most utilized libraries, Solady, which aims to provide gas-optimized Solidity utilities.

Spearbit has incubated Cantina - an open and free marketplace leveraging a custom-built, innovative code review platform, Cantina Code, to provide dynamic security services such as competitions, bug bounties, and quality-gated solo as well as team reviews from our extensive network of security researchers. We’ve recently kicked off the largest Web3 security competition in history with Blast. Cantina also enables a diverse array of security providers in adjacent yet equally important lanes, such as traditional Web2 pen-testing and OpSec, to provide protocols with a truly comprehensive approach to their security posture.

Through Spearbit and Cantina, we can provide truly comprehensive end-to-end security coverage for protocols via:

  • vCISO Advisory: Your very own security leader advising on high-level technical guidance, smart contract best practices, architectural review, and development framework during your development lifecycle.
  • Protocol and Smart Contract Security: A comprehensive review of your protocol’s security posture, including the smart contracts, the architecture, and the development framework.
  • Crowdsourced Security Competitions: Competitions are crowdsourced security reviews designed to be efficient, high-signal, and comprehensive to provide maximum code coverage.
  • Web2 Security: Endpoint security, application security, penetration testing, OpSec, as well as comprehensive threat modeling to evaluate your protocol’s Web2 security posture and safeguard against significant financial or reputation harm.
  • Incident Response and Monitoring: Incident response services offer real-time monitoring and threat mitigation in web3 ecosystems using advanced analytics and blockchain expertise.
  • Bug Bounty: Bug Bounties enable protocols in the Arbitrum ecosystem to tap into a rich network of the best security researchers Web3 has to offer in order to uncover and report bugs over a prolonged period of time.

Please provide a brief overview of your experience in the digital asset industry and, more specifically, Ethereum & Arbitrum Ecosystems. Include any relevant projects, contributions, or roles within the ArbitrumDAO, if applicable. (400 words max)

Spearbit / Cantina have worked extensively within the Ethereum and Arbitrum ecosystems to provide comprehensive smart contract security services by curated teams of industry-leading security researchers. Since inception, we have protected over $100B in TVL across the Ethereum ecosystem. Spearbit / Cantina was founded by the Ethereum Foundation development leads, Alex Beregszaszi and Hari Mulackal, who led the development of the Solidity language and its compiler. We are incredibly interwoven into the Ethereum ecosystem by the nature of the expertise possessed by our founders and the principles that trickle top-down from them. As a result, Spearbit / Cantina holds a very high standard for all security researchers who perform smart contract security audits and we are very intentional regarding quality control, talent selection, and scoping to maximize reviewing every nook and cranny of a protocol’s attack surface.

Below are some of the notable projects that have worked with us that also participate in the Arbitrum ecosystem as well as projects that participate in the Ethereum ecosystem but not necessarily Arbitrum’s:

Arbitrum

  • OpenSea
  • HMX
  • Frame
  • Flood
  • Uniswap
  • Alchemy
  • Badger Dao
  • Connext
  • Centrifuge
  • Morpho Labs
  • Solady

Ethereum-specific

  • BASE
  • Optimism
  • Polygon
  • zkSync
  • Blast

Specify the subject-matter area(s) you are interested in contributing to within ARDC (e.g., Research, Framework Development, Risk Assessment, etc.). Explain why you believe your skills align with the chosen area(s). (500 words max)

We are interested in contributing primarily as a security-focused member to provide comprehensive security services for key Arbitrum builders. We believe that our skills align with this position for the following key reasons:

  1. Industry Leading Talent
  2. Curated Team Selection
  3. Track Record of Excellence
  4. True End-to-End Security

Industry Leading Talent
Nearly every security researcher who has ranked across the Top 50 in placements of any competitive audit platform works with us. We harness the power of provisioning the best security talent in the industry with the best flexibility, compensation, and opportunities to create a talent moat where the best talent wants to work with us over and over. One example of this is Christoph Michel, The #1 ranked smart contract auditor across any competition platform, who works exclusively for Spearbit, rather than any other firm. Our brand loyalty and strict quality control ensure you truly get the absolute best of the best when working with us.

Curated Team Selection
When evaluating which security researcher to place on an engagement we evaluate a multitude of different factors to assign the best candidate for your protocol. Furthermore, we ensure that every audit is comprised of a team of top security researchers who work together to tackle a codebase and cover every identifiable attack surface.

Track Record of Excellence
To date, we have secured over $100B in TVL working with the best protocols and projects across the ecosystem. There have been no reported exploits after any audit done by Spearbit since its inception in 2021. We owe this to our culture of absolute thoroughness and lofty expectations for our security researchers. We intend to provide the same level of scrutiny and thoroughness to protocols building on Arbitrum as a security member of the board.

True End-to-End Security
We believe that security is a continuous and expansive process beyond smart contract audits for Web3 protocols. To truly evaluate one’s security posture, we’ve developed an approach that we believe comprehensively provides a protocol with the ability to confidently say, “We’ve done everything we can”. We’ve outlined once again below for convenience how we provide comprehensive security coverage and will cover these in detail in the next section.

  1. vCISO: Your very own security leader advising on high-level technical guidance, smart contract best practices, and architecture during your development lifecycle
  2. Smart Contract Audit: A comprehensive review of your protocol’s security posture, including the smart contracts, the architecture, and the development framework.
  3. Competition: Competitions are crowdsourced security reviews designed to be efficient, high-signal, and comprehensive to provide maximum code coverage for web3 protocols.
  4. Web2 Security: A comprehensive strategy for your Web2 architecture’s attack surface including endpoint security, application security, and traditional penetration testing, to safeguard against significant financial or reputation harm for Web3 protocols.
  5. Bug Bounty: Consistent exposure of your codebase by a network of industry-leading security researchers.
  6. Incident Response and Monitoring: Real-time monitoring and threat mitigation in web3 ecosystems using advanced analytics and blockchain expertise.

Objectives & Motivation [Applicable to all]

What motivates you to join ARDC, and what do you hope to achieve as a member? (300 words max)

The core motivation and purpose for driving comprehensive bug coverage and security services beyond basic smart contract security audits is to position protocols building on Arbitrum for operational excellence and rapid scale.

We’ve highlighted these areas below which we believe will enable the Arbitrum ecosystem to scale far more quickly and efficiently with even further trust and transparency.

vCISO Secure Development Advisory Services: We will provide protocols and projects building on Arbitrum with subject matter experts in secure web3 development lifecycles in the form of a virtual CISO or external consultant that can focus on system architecture and guide development teams towards security best practices.

Smart Contract Security Audits: Spearbit and Cantina are home to many of the top Web3 security professionals in the ecosystem and are ready at a moment’s notice to employ the absolute best talent available to secure mission-critical protocols building on Arbitrum.

Web2 Security Reviews / Penetration Testing: With numerous protocols and projects being exploited through traditional attack vectors, it has become increasingly clear that there is a pressing need to address the security concerns inherent in the traditional web2 frameworks that protocols are utilizing within the web3 ecosystem.

Incident Response and Monitoring: We will provide real-time surveillance and threat mitigation as needed for protocols building on Arbitrum to proactively prevent severe financial or reputation damage in the event of an anomaly or breach via swift incident response measures.

Crowdsourced Security Competitions: Through Cantina, a web3 security platform incubated by Spearbit, we will conduct crowdsourced security competitions to maximize code review coverage while maintaining high-signal submissions and less spam via our custom code review platform, Cantina Code.

Bug Bounty Programs: We will provide bug bounty programs to ensure continuous exposure of key protocols building on Arbitrum to world-renowned white hats.

Skills and Experience [Applicable to all]

Provide details about your relevant skills and experience, including any previous work or contributions related to the subject-matter area(s) you are interested in within ARDC. (300 words max)

We have extensive experience in providing security services to large L2 ecosystems and have served as the core security providers for protocols such as Frame, Optimism, zkSync, Polygon, and Blast. Combined with our deep expertise within the broader ecosystem, we believe Spearbit / Cantina can significantly benefit the Arbitrum ecosystem in ameliorating its security posture.

Please see below for additional details on our experience with approaching security for large L2 protocols:

Optimism

zkSync

Polygon

Blast

Frame

  • Palette Protocol Audit (Not Public)
  • General Security Advisory Services

Proposal Review & Assistance [Applicable to all]

Share what approach you would implement to conducting objective research and providing assistance to proposers to enhance their proposals. (300 words max)

To conduct objective research and provide assistance to proposers to enhance their proposals, we leverage our extensive expertise in reviewing the quality of projects applying for ecosystem grants across various Layer 2 (L2) solutions. Our approach is rooted in our deep bench of talent with industry-leading subject matter expertise in every area of blockchain development and security.

This diverse expertise enables us to offer comprehensive architecture guidance through services such as our vCISO engagements, which aim to bolster the security posture of projects from the ground up. We would pair proposers with subject matter experts in order to ensure that the proposal has adequate security considerations in mind from the ground up and is structurally sound from a development or architecture perspective. We intend to provide proposers with continuous support beyond just a cursory or initial glance at the proposal, and to provide iterative feedback from curated subject matter experts applicable to the proposal itself.

Review on Chain Proposal Code Updates [Only applicable to Security]

Describe your experience in conducting code reviews and assessing security risks. How can you contribute to enhancing the security and integrity of the Arbitrum ecosystem? (500 words max)

We have significant experience in reviewing on-chain proposal code updates specifically for large premier L2s. We provisioned Optimism with our pre-deployment advisory services which paired them with a subject matter expert for evaluating the Bedrock upgrade, an upgrade geared towards introducing a series of performance improvements from its existing rollup architecture design.

We deployed a team of two vCISOs who worked alongside Optimism’s developer team to critically think through best practices and understand the design architecture to ensure a successful implementation of the proposed upgrade including but not limited to:

  • Provisioning technical guidance on smart contract upgrades, emphasizing the importance of only making necessary updates to minimize security risks.
  • Advising on compiler version selection, emphasizing the need to carefully review release notes and bug fixes to determine the safest option.
  • Evaluating the risk of user funds loss during smart contract upgrades.
  • Threat modeling and risk vector mapping to minimize user confusion and promote overall security awareness.

We also work very closely with the BASE team to provision continuous support in reviewing on-chain proposal code updates specifically centered around upgrades. We do so to evaluate that no security concerns arise and that the proposer and relevant stakeholders have complete backing and support from subject matter experts to ensure proper implementation without unforeseen risks.

Project Management [Applicable to all]

Describe your project management experience. (250 words max)

We are well-versed in project management as we maintain strict quality control in terms of technical execution, client experience, and report quality for 8-10 security reviews on a weekly basis across our talent pool of over 100 vetted security researchers. We document and coordinate the expertise of each individual at a very granular level in order to maximize output per protocol as well as to align with the security researcher’s interests. Managing these security reviews operationally is only one side of the coin, however, as we also manage each review to ensure proper scoping, technical depth, and communication per client meets our standard. Compounded with the complexity and the various different scopes or types of protocols in the pipeline at one time, we believe we are more than capable of handling many projects at once.

Purpose/Mandate of the ARDC [Applicable to all]

How do you intend to objectively contribute to achieving the purposes/mandate of the ARDC? (500 words max)

Our core focus is to operate within the ARDC as the core security contributor to ensure that any proposals are comprehensively reviewed both from a structural and a security standpoint, as well as to provide the absolute best security talent available in the industry to deliver security services to Arbitrum and to any protocols building upon it.

We break our plan of action down into the following two parts:

  1. Continuous Proposal Support
  2. Comprehensive Review Roadmap

Continuous Proposal Support
We will allocate a team of lead security researchers that are subject matter experts in a variety of fields pertaining to blockchain security, development, governance, and design/architecture. These lead security researchers will form a general advisory team in order to provide any proposer with a 1:1 pipeline to an expert regarding any questions or concerns they may encounter to enhance their proposal. These lead security researchers will also provide regular and iterative reviews of proposals in order to ensure that they meet pre-ordained quality standards in terms of writing, impact, technical depth, and that any implementation or security concerns are addressed beforehand.

Comprehensive Review Roadmap
As a security-focused member of the ARDC we will provide our deep subject matter expertise on L2 security and architecture to provide Arbitrum and key protocols building upon it with the best security talent available in the ecosystem as well as the most comprehensive security approach currently available across Web3. We’ve provided a visual of our intended approach as a member of the ARDC:

The above illustrates a 6-pronged approach that diligently assesses every attack surface for Web3 protocols. We intend to be very dynamic and curated in how comprehensive an approach each protocol would like to take. Nonetheless, we think it is vital for a security provider to be able to provision each of these services at the highest level possible. We will allocate our deep bench of security talent after scoping each protocol or project in order to provision and recommend to them their own curated approach to maximizing their security posture.

Scope of Services & Applicable Fees

[Detailed breakdown of fees including pricing model for the 6-month term] [Applicable to all except DAOAdvocate] [Must not exceed applicable cap]. Please provide a detailed breakdown of the scope of services through which you will be contributing. Include the pricing model implemented & a description of expected hours + hourly rate (if applicable) & manpower dedicated to the ARDC.

Cantina:

  • Competitions: 200K ARB to provision crowdsourced security reviews in the form of competitions for Arbitrum protocols. Cantina will conduct 4-6 security competitions to maximize bug coverage from our talent pool, where protocols will have access to over a thousand quality security researchers reviewing the same codebase and competing to identify vulnerabilities. The full 100K ARB will go towards the competitions; Cantina will not take any fee on top of this and the full amount will be allocated to the Arbitrum ecosystem.

  • Bug Bounty: 100K ARB to provision robust bug-bounty services. This number is adjustable dependent on the needs of the Arbitrum ecosystem. The full 150K ARB will go towards the bug bounty; Cantina will not take any fee on top of this and the full amount will be allocated to the Arbitrum ecosystem.

  • Web2 Security Penetration Testing and Reviews: 50K ARB will be allocated to provide comprehensive Web2 security reviews such as OpSec assessments, Web App / Network / Cloud penetration testing, and any other components of the Web2 infrastructure of Arbitrum or of the projects building upon it.

  • vCISO, Incident Response, and Monitoring: 65K ARB will be allocated to these services, which will be charged on a subsidized level where protocols will be paired with a Lead Security Researcher at an hourly subsidized rate of $325 an hour or roughly 162.5 ARB hourly. This results in 400 hours available for any pre-deployment advisory, proposal reviews, technical security guidance, architecture reviews, or proactive threat mitigation and analysis.

Spearbit:

  • 200K ARB for providing a blended estimated rate based upon the Spearbit tiered security researcher rates:
    • Lead Security Researchers - $20,000 USD
    • Security Researchers - $12,500 USD
    • Associate Security Researchers - $6,250 USD
    • Junior Security Researchers - $3,000 USD
  • Spearbit will allocate a minimum of 1 LSR to each smart contract security review along with other security researchers. Assuming Spearbit employs a team of 3-5 security researchers on security reviews, the weekly average security review cost from Spearbit will in turn fluctuate between 32.5K - 48K dependent on the team size and researcher tiers required:
    • LSR (Lead Security Researcher) - $20,000 USD Weekly
    • SR (Security Researcher)- $12,500 USD Weekly
    • ASR (Associate Security Researcher) - $6,250 USD Weekly
    • JSR (Junior Security Researcher) - $3,000 USD Weekly

We will therefore assume an average weekly cost of $40.25K USD for weekly review costs. We will subsidize the costs further by 10% to further push our commitment to securing the Arbitrum ecosystem. This will come to an average cost per week of smart contract security review at ~$36.2K per week or roughly ~18000 ARB (assuming a price of around $2 - calculated on 2/11/2024).

If we take the remaining 300K ARB after allocating to the services outlined above in the Cantina section, we can assume roughly 12 full weeks dedicated to comprehensive smart contract and protocol security reviews.

Summary [Applicable to all]

In summary, please highlight your key qualifications and what you believe you can bring to ARDC. (400 words max)

In summary, we believe we can bring not only the best security talent to the Arbitrum ecosystem but also the most comprehensive approach to Web3 security in the ecosystem. The breadth of our services and the stringent quality control measures we place on each solution, from smart contract audits to full Web2 infrastructure penetration testing, give us the extensibility as well as the security caliber that the Arbitrum ecosystem deserves.

Our extensive experience with large Layer 2 ecosystems, demonstrated through our work with Optimism, zkSync, Polygon, and Blast, positions us as a security leader and a valuable asset to the ARDC. Moreover, we believe our track record of safeguarding over $100B in total value locked (TVL) across some of the most significant protocols and platforms within the Web3 ecosystem, without a single compromise, is a testament to the dedication of our security researchers to leave no stone unturned.

Ultimately, we want more than anything to further scale the Arbitrum ecosystem and seek to be an industry-leading security partner that is amenable, just, well-rounded, and extensible enough to encompass everything the Arbitrum ecosystem needs to optimize its security posture for onboarding the masses.

Feel free to attach any relevant documents, portfolios, or links to previous work or contributions.

Additional Resources