[DAO Discussion] Governance Security: blockful’s stress test Using LobbyFi in the Security Council Election

Summary

We are all aware of some possible governance risks, but they seem quite theoretical until someone takes action. Today we are taking action to show how feasible it is. Another day it can be a malicious actor, and then it’s too late for Arbitrum to take action.

If elected, blockful would by default resign the seat. We could stay if the DAO wishes through a DAO vote, but we’d prefer not to. We hope this starts a larger conversation to address security and economic resilience in governance.

We need to prioritize user funds and safety above all!

What Happened?

After chatting with some stakeholders within Arbitrum, it became clear that using LobbyFi in the Security Council election was perceived as a potential risk that had been largely overlooked.

blockful purchased votes in the Security Council elections, something that was offered by the LobbyFi team.

LobbyFi forces Arbitrum DAO to think more about its security and raise the bar. Fortunately, their team is well-intentioned.

Why It Was Done

We care about Ethereum and its security; therefore, we care about Arbitrum being secure. Our expertise lies in analyzing, preventing, and acting to increase capture resilience in governance.

The Security Council is the most important piece of Arbitrum:

  • Protecting users and the protocol with emergency upgrades
  • Being able to veto DAO proposals, protecting from governance attacks

We need to test not only the code but also the social, economic, and governance layers.

This action has no downside, since it doesn’t actually bring risks. Since it’s a 9/12 multisig, an attack on the election can only be harmful if you control 4 of the keys (to veto an emergency upgrade, for example).

If elected, blockful would by default resign the seat. We could stay if the DAO wishes through a DAO vote, but we’d prefer not to.

The best outcome for the DAO is being able to coordinate and not let blockful get the seat through the election.

There are a lot of other scenarios to consider. What if:

  • the governance frontend gets compromised? There is only one being used.
  • an exchange holding ARB gets hacked? How many ARB tokens could end up in the wrong hands, and would the DAO still be resilient?
  • a set of new wallets holding a large amount of delegated voting power appears right before elections?

We need more discussions about security to happen — and actually be executed. Now, with DVP lowering the quorum even more, it doesn’t look like it’s being treated as a priority.

Our goal is to raise awareness, initiate reform, and protect the DAO/Arbitrum users from potential risks and governance attacks.

Next Steps

A deeper research effort needs to be conducted from our side to produce a detailed report of risks, scenarios, and preventive actions.

The main problem we want to address is the constant decrease in delegation — that’s the core issue. By increasing the delegation of active voters (without considering LobbyFi), the economic resilience can increase and dilute LobbyFi’s influence as well.

We hope delegates and the AF see this as a push to improve security and realize we’re on the same team — Ethereum’s team.

We encourage an open-minded and honest discussion to navigate this situation and create a positive outcome.

3 Likes

…and will you ask for your money (1.4 ETH) back, from the DAO?

My understanding is that this sale was opened immediately before you purchased the votes, did you negotiate this directly with the LobbyFi team?

I think that’s what happened as well, last time the @lobbyfi vote was bought:

We’re joining a Twitter Spaces in a few minutes to discuss blockful’s stress test using LobbyFi in the Security Council election. It can be a great and transparent discussion.

To be clear, we are not acting against Arbitrum, our goal is to work with the DAO to strengthen its structures and improve governance security at the mechanism-design level.

https://x.com/i/spaces/1ypJdqPQNNyxW

My vote will be that you keep the seat.

This is exactly why I would love to see you guys on the Security Council, the governance attack surface area needs security expertise too.

5 Likes

Putting aside for a moment the broader questions this situation brings up — which I do think are valuable questions to publicly discuss — I’d like to point out that even if blockful’s intention is to renounce their seat upon winning, this itself introduces risk and complications into the Security Council’s operations. Depending on how exactly this renunciation is carried out, we will (if blockful initially wins the seat) have some combination of the following circumstances:

  • The Security Council temporarily has 11 signers (instead of 12).
  • The Security Council has to take an on-chain action to update its signers.
  • Blockful will temporarily be a signer on the Security Council before they are replaced by a new member (~ a few weeks into the term, say, when a DAO vote to replace them effectuates).

Even small risks / operational overhead complications like this are a big deal given the amount of value the Security Council is responsible for protecting. Again, all else aside, I believe we really shouldn’t encourage these sorts of “mess around on mainnet to prove a point” experiments when they have actual consequences on security-critical parts of the system, especially anything involving the Security Council’s operations.

As previously mentioned, we’ve had an excellent experience working with @blockful across several DAOs, including ENS and Uniswap. This governance security stress test further demonstrates their dedication to safeguarding the Ethereum and Arbitrum ecosystems — consistently going the extra mile. It’s precisely this level of rigour and commitment that makes us confident they would bring significant value to the Arbitrum Security Council.

Regarding the experiment itself, it’s worth noting that the quorum has been adjusted downward twice this year. In both instances, we raised concerns about potential governance attacks, and while those were addressed at the time, this experiment clearly illustrates that the risk is very real. We fully agree with Blockful that governance security deserves deeper attention and continued discussion within the community.

Finally, should Blockful decide to renounce its seat on the Security Council, we strongly encourage delegates and the Arbitrum Foundation to engage with it on a dedicated initiative to improve security practices within Arbitrum Governance. They have successfully led similar efforts for Uniswap Governance, supported by the Uniswap Foundation’s governance security review grant.

2 Likes

We are generally supportive of this initiative.
Blockful has consistently contributed to governance and security analyses across multiple DAOs, and while concerns about exploitability have been raised, we believe that trusting their integrity is reasonable given their prior work.

If the stress test were to succeed, it would simply reveal that such a vulnerability already existed. Identifying and addressing it early, at minimal cost, is a necessary and responsible step for the DAO. Even a partial success would serve as an important signal to strengthen governance security.

Therefore, if Blockful’s post-test analysis report requires financial support from the DAO, we would be strongly in favor of that. While a single stress test may have its limits, we expect it to provide meaningful insights into parameters that can mitigate economic capture risks.

While the Security Council election is still ongoing, Entropy would like to provide further thoughts on Monday’s events. To be clear, our issues lie not with the existence of vote buying services or the ability to buy votes, but with the manner that these actions were amplified, how the delegate response was framed by involved parties, and willingness to risk Arbitrum’s credibility for spectacle.

Blockful has manufactured its own necessity by realizing the very risk it wishes to now claim a mandate to research further. We believe rewarding such actions creates a perverse incentive for future actors to cause controversy and emergencies to gain influence. If the goal all along was to propose a deeper research effort, this work could have been done without interfering in an active Security Council election. The methods in this case matter and they lead us to reject their necessity defense claims.

Additionally, this statement in particular displays a concerning lack of understanding for the Security Council’s procedures and the broader implications that this action could have had on Arbitrum’s credibility. As @dzack23 highlighted, even with the intentions to resign (a commitment made due to community pressure and after blockful was pushed outside of the top 6), had blockful successfully won a Security Council seat, the Council would’ve been forced to dedicate attention and resources to remedy the action.

Arbitrum’s brand and value are tied directly to its perceived level of security. If delegates with reserved voting power had not acted to solidly push blockful out of the top 6 candidates, the market/industry may have perceived this as a successful governance attack attempt and Arbitrum’s credibility could have been materially impacted. Our team has not worked with blockful previously, and while they appear to be technically capable, taking an attack vector that was known, but still theoretical, and purposefully turning it into a reality without full consideration for the risks involved and its impact on the current election is in our mind immediately disqualifying as a Security Council candidate.

1 Like

@Entropy, I agree that such an experiment is quite unpleasant for Arbitrum and its credibility.
I don’t see any conclusions from @blockful regarding this experiment, despite the results already being in.

However, I would like to focus on the consequences and rules:

  1. Does this violate any rules? Are there any specific points they violated?
  2. This time, the delegate warned everyone, but the attacker may not have done so. What steps could be taken to prevent this?
    Obviously, we cannot control the open market for vote sales.

Replies

@mihal More details added in the updated post. Let us know if you have any further questions.


@paulofonseca We’re not expecting the DAO to reimburse this amount, though it would be helpful as we are a public goods company, open-source and bootstrapped — our intention is to help the DAO recognize the broader governance security issue and encourage deeper investment in addressing it.


@Griff @karpatkey @Tane We sincerely appreciate your support and recognition of our work. We care deeply about Ethereum and treat these governance challenges as if they were our own.


@dzack23 Thank you for your thoughtful engagement and for your work on the Security Council contracts.

We would coordinate to keep this period as short as possible.

We agree — minimizing on-chain operations for the Security Council is ideal. However, this particular operation is relatively simple compared to emergency upgrades and other actions the SC already performs.

We’re technically capable of fulfilling this role. Our team regularly performs calldata review for other DAOs and has also created the Security Council on ENS.


@Entropy We anticipated this action would spark discussion — and possibly be misunderstood by some stakeholders. Some of the statements in your message could use clarification, and we’re happy to provide more context.

If vote buying itself isn’t the issue, are you suggesting we should have avoided transparency and let the community remain unaware of what happened and why?

We actually tried months ago:

  • Contacted the AF — explicitly mentioning LobbyFi and the Security Council risks.

    • The perceived risk seemed too low to justify funding or further exploration.
    • We were encouraged to apply through the DAO instead, but our grant request was unsuccessful.
  • Contacted Entropy via Telegram DMs — without receiving a response.

Arbitrum is the largest DAO-governed L2 — governance security must be studied and discussed more deeply. It’s concerning that, even with the issue now visible, the response is still to dismiss the need for action.

Our expectation is that stakeholders should make sure the DAO is secure and not have a political bias on LobbyFi. Users are more important than anything.

Other actions that could be judged in the same way but are not:

  • Candidates voting for themselves using their tokens. The only difference is the cost of acquiring that power — the mechanism is fundamentally the same.
  • Candidates offering services or favors in exchange for votes — a known, ongoing practice.

That’s inaccurate — we made ourselves available to resign from the very start. You can verify this in the original version of the post, published just minutes after the on-chain vote purchase.

Being perceived as secure is important, but even more important is being factually secure. It’s better to address and test small issues now than to face a real exploit later.

The Balancer hack that happened today is just one more example of this bias. Just saying that it will not happen because it didn’t happen yet or that there are previous audits/research is not enough.

@Tane summarized it really well


More to consider

Blockful was not elected — which is the best possible outcome — but it’s still far from what a truly malicious actor could do, as @cp0x pointed out.

Some findings from our research team:

  1. A guaranteed SC seat costs around 30M ARB (~$8.5M). Is the nomination phase and KYC alone sufficient protection?
  2. Binance currently holds over 800M ARB. A single entity can remove SC members via the SecurityCouncilMemberRemovalGovernor. Removing enough SC members would disable the ability to veto governance attacks or emergency upgrades — directly endangering Arbitrum users.
  3. Votes in the SC election cannot be changed once cast, and with only one governance frontend available, this represents another potential vector of risk.

Sorry for the delayed reply, we had long discussions about the topics above.

2 Likes

Thank you for your detailed response.
Perhaps this time, if you submit an application, the DAO will approve a grant for more detailed research. This is important so that we understand not only the problem but also the possible solutions.

1 Like