Audit Committee Technical Expert Elections

Non-Constitutional

Abstract

Following the approval of the Arbitrum Audit Program, and the technical expert application and shortlisting process, the Arbitrum Foundation has shortlisted two candidates for the Technical Expert seat of the Audit Committee. The elections will follow the shielded voting standards described here.

Motivation

As part of the approved process, an election should be conducted for the DAO to fill the Technical Expert role, who will play a significant role in operationalizing the Audit Program. The role is a paid position ($5k per month) and the expected workload is estimated at ~1-2 days per week.

The Technical Expert will be responsible for:

  • Reviewing audit reports submitted by external auditors, assessing the validity and accuracy of their findings.
  • Providing technical guidance and support to the Audit Committee in reviewing the applicants and the audit firms.
  • Assessing the complexity of the audits and helping in the matching between applicants and audit firms.

The following criteria were used to evaluate and shortlist the candidates:

  • Strong Solidity knowledge, with Vyper, Stylus, and/or Rust knowledge as a nice-to-have.
  • Deep understanding of blockchain security principles and common vulnerability patterns.
  • Excellent communication skills, with the ability to clearly articulate technical findings to both technical and non-technical audiences.
  • Familiarity with the Arbitrum ecosystem, including its architecture and tooling.

Specifications

The Arbitrum Foundation, acting in its capacity as chair of the Audit Committee, has shortlisted two candidates out of 68 applicants for the Technical Expert position: Gustavo Grieco and Andrei Andonov. Their candidate-provided bios follow.

Gustavo Grieco

Introduction
Hi, I’m Gustavo Grieco (GitHub), a freelance blockchain security engineer. I spent about eight years at Trail of Bits (TOB) working on a wide range of blockchain security projects, dedicating a significant portion of that time to reviewing the Arbitrum stack.

Background
This included deep technical audits across several versions of the protocol, from the original Arbitrum Classic to Nitro and, more recently, Stylus. Alongside Arbitrum, I also audited various DeFi applications such as stablecoins, lending platforms, decentralized exchanges, wallets, and other core blockchain infrastructure.

Experience
I tend to keep a low profile and focus on the technical side, but I place a strong emphasis on clear communication, especially in audit reports. As a Principal Security Engineer at TOB, I was involved not only in hands-on code reviews but also in audit planning. This included defining scopes, estimating effort, selecting tools, and ensuring findings were presented with the right balance of technical depth and clarity for non-technical readers. I also participated in early-stage client discussions, which gave me a solid understanding of how audit needs evolve throughout a project’s lifecycle.

Role at Arbitrum Audit Program
For this role, I will bring:

  • Thorough evaluation of audit reports submitted by external auditors to verify the accuracy and relevance of their findings
  • Practical and transparent guidelines for evaluating and ranking companies, individuals, or projects applying to the Arbitrum Audit Program
  • A strong commitment to operational security to protect the integrity and confidentiality of the process

To maintain independence and continuously improve my skills, I am currently unaffiliated with any company or organization and am focusing on advancing smart contract security tools, particularly in fuzzing and symbolic execution.

Andrei Andonov

Introduction
Hey everyone, I’m Andrei (@iamandreiski), and I have been part of the crypto space since 2017, and professionally since 2020. After various non-tech crypto roles, I pivoted to smart contract security in late 2023, working on keeping the Ethereum ecosystem safe — as my fundamental belief is that security is crucial for crypto’s future and the onboarding of new users and capital.

Background
I bring a strong public track record as a Security Researcher, with 10+ Top-5 finishes in public audit contests, and 50+ audits. Prior to the current role, I led teams, processes and operations as a Head of Knowledge Management at Crypto.com, as well as other project management engagements.

Experience
In the spirit of transparency and showcasing my technical and research skills, as well as contributing towards ecosystem security, I’ve competed in numerous public audit contests. My public portfolio encompasses:

  • 100+ Critical/High/Medium vulnerabilities
  • 2 x first places, with 10+ top-5 placements
  • Numerous types of projects including, but not limited to: Stablecoins, Cross-Chain integrations, Liquid staking protocols, AMMs, Bridges, L2s, etc.
  • More information regarding contest highlights can be found on my Github, as well as links to my profiles on platforms such as Sherlock, Cantina, CodeHawks, etc.

Role at Arbitrum Audit Program
I’ve spent time on both sides of the fence - scaling dev/operations teams and diving deep into security research - so I bring a unique perspective to the table.

My security research experience, coupled with overseeing many projects enables me to evaluate a codebase’s maturity, potential risks, audit findings, and the overall state of the project/product. And second, through my participation in audit contests and bug bounties, I’ve gained insights into various audit companies, practices, as well as how this market operates. With all of the above, I can ensure protocols are well-prepared for audits, optimizing resource use. I’m excited about the opportunity to contribute to the Arbitrum Audit Program and strengthen its ecosystem.

Timeline

  1. June 19th: Proposal is posted to the forum.
  2. June 24th (14:00-14:30 UTC): Both Technical Expert candidates presented themselves to the DAO on a community call.
  3. June 26th: Proposal is posted for a Snapshot vote.
  4. Early July: The elected Technical Expert is onboarded into the role by the Arbitrum Foundation.

5 Likes

Both Technical Expert candidates will introduce themselves to the DAO on the following Governance Call:

Audit Committee Technical Expert Candidate Introductions
Tuesday, June 24 · 2:00 – 2:30pm
Time zone: UTC
Video call link: https://meet.google.com/iag-zcsk-hss

2 Likes

Audit Committee Technical Expert Candidate Introductions call recording: https://drive.google.com/file/d/1-B_3amFy8nT8zE06QLfGgeMIXH8qMQhk/view?usp=sharing

3 Likes

After listening to both candidates and reviewing the links they shared (e.g., LinkedIn), I’ve come to the following conclusion:

I only have positive things to say about both of them. Unfortunately, that’s the hard part of making a critical decision. It often means having to choose one great option over another. I will vote for Gustavo, while sincerely congratulating Andrei for his impressive achievements and for the genuinely thoughtful and positive way he participated in the discussion.

1 Like

Truly a difficult choice.

Conflict of Interest:

  • Gustavo is affiliated with a specific company, which presents a direct conflict of interest if he were to evaluate the work of that same company.
  • Andrei, on the other hand, is not affiliated with any organization, which is beneficial for the role.

Experience:

  • Gustavo has extensive experience in audits and deep knowledge specifically related to Arbitrum, unlike Andrei.
  • Andrei is undoubtedly a talented specialist, having ranked in the top 5 auditors more than 10 times.

Based on these key comparisons, I believe that independence should be the higher priority, especially given that the role is not about conducting audits, but about evaluating audits performed by others.

Therefore, I believe the vote should go to Andrei.

Just to clarify, I’m not affiliated nor employed by any company. I’m an independent researcher at the moment.

1 Like

Thanks for this information - it’s not obvious from your introduction.
Now I’ll think about possibly reconsidering my choice.

1 Like

Thanks for sharing all the info about the candidates — it was super helpful. Both Gustavo and Andrei seem like great choices, each with strong experience and unique strengths. Having all this detail really helped me make a more confident and informed decision.

The following reflects the views of L2BEAT’s governance team, composed of @krst, @Sinkas, and @Manugotsuka, and it’s based on their combined research, fact-checking, and ideation.

We voted for Gustavo Grieco with 100% of our voting power.

After reviewing both applications and also attending the community call held on June 24th, we decided to vote in favor of Gustavo.

The decision was difficult, as both candidates are well-qualified and bring a strong background that is more than adequate for the role. Ultimately, we leaned toward Gustavo because of his extensive track record in security research and hands-on vulnerability triage across multiple blockchain stacks; we believe that his depth in protocol-level security will provide a valuable lens to the Council’s work.

We vote for Gustavo Grieco after weighing both nominees against five criteria:

  • depth of Arbitrum knowledge
  • breadth of audit experience
  • independence
  • communication skill
  • readiness to shape committee operations

Gustavo has audited Arbitrum Classic, Nitro, and Stylus, and his eight years of hands-on audit practice give him the operational familiarity to grade audit difficulty and assign vendors immediately, an advantage Andrei would need months to match.
Although his prior Trail of Bits role might create a conflict of interest from some point of view, he now works independently and can recuse himself when necessary, so we regard this risk as smaller than the opportunity cost of a slower onboarding.

I voted for Andrei in this election. The DAO would be well-served by both candidates, and the choice was made by giving more weight to his career as an independent auditor.