[Election & Application Thread] V2 Arbitrum Research & Development Collective

OpenZeppelin’s Application for Security Working Member

  • Applicant: OpenZeppelin
  • Applicant Representative: Michael Lewellen
  • Telegram Handle: @cyloncat
  • LinkedIn Profile: OpenZeppelin | LinkedIn
  • Role being applied for: Security Working Member
  • Hourly Rate (in USDC): $600/hour for individual security researchers

Background & Skills

OpenZeppelin has been a foundational security provider in the blockchain ecosystem since 2016, with deep expertise across decentralized finance (DeFi), governance frameworks, and Ethereum-based smart contracts. Our open-source OpenZeppelin Contracts library is widely trusted and serves as the core infrastructure for secure smart contract development across the blockchain space. Our security services are well recognized for setting industry standards in smart contract security auditing and threat prevention.

Our comprehensive approach to security includes static analysis, fuzzing, and rigorous manual review that address vulnerabilities from multiple angles. Additionally, OpenZeppelin developed the Defender platform, which integrates monitoring and secure operations for managing blockchain deployments, helping protocols proactively address security needs. This extensive background enables us to implement security best practices and address governance security challenges for DAOs and DeFi protocols effectively.

Motivation

At OpenZeppelin, our mission is to build technology that empowers people and brings freedom to the world through secure, transparent, and resilient decentralized systems. This mission drives our commitment to advancing the security and governance frameworks within the Arbitrum ecosystem, where we’ve made significant contributions to support safe and scalable decentralized operations. Our active roles within Arbitrum include serving on the Security Council, where we help uphold the protocol’s security integrity, and developing the open-source OpenZeppelin Governor contracts, which provide a robust governance framework used by the Arbitrum DAO.

In ARDC V1, we expanded our commitment by contributing to Arbitrum DAO’s foundational security measures, including:

You can review a complete list of our 15 ARDC V1 deliverables here.

In addition to ARDC deliverables, our work on the Stylus Contracts Library and our audit of the Stylus SDK have helped strengthen Arbitrum’s developer ecosystem, providing secure, reliable tools that enable developers to build confidently within the Rust-based Stylus environment. These contributions reflect our dedication to building essential, resilient infrastructure that enhances the Arbitrum ecosystem’s security and functionality.

As we look to ARDC V2, we are prepared to further strengthen Arbitrum’s governance, ensuring that it remains secure, transparent, and well-positioned to foster freedom within the decentralized space. Building on the experience and insights we gained from ARDC V1, OpenZeppelin is well-equipped to support and enhance the DAO’s security processes, establishing governance structures that empower the community to navigate complex challenges with confidence.

Security-Related Experience

OpenZeppelin has a strong track record of security partnerships with leading DAOs, with a particularly impactful role in securing the Compound DAO. Our collaboration with Compound has involved implementing proactive security measures, developing response strategies, and continuously enhancing Compound’s security frameworks. In a recent instance, we identified an error in a proposal that prevented a potential $120,000 loss of funds. Our team was also instrumental in issuing early warnings during the Humpy governance takeover attempt, assisting in the response and recommending protective measures to implement following the incident to guard against similar threats in the future.

In partnership with the Security Alliance, OpenZeppelin participated in one of the first wargame simulations for Compound, rigorously testing the DAO’s emergency response to oracle risks, which included OpenZeppelin’s monitoring catching the live issue as part of the scenario. This exercise highlighted vulnerabilities and strengthened Compound’s defenses in high-stakes scenarios. We also spearheaded improvements in Compound’s bug bounty program, facilitating the recent onboarding of Immunefi as a direct DAO bug bounty provider. This program now benefits from Safe Harbor, an initiative led by the Security Alliance that we’ve helped support from its early days, which provides legal assurances for responsible whitehat recoveries. Through these initiatives, OpenZeppelin has demonstrated a proactive, hands-on approach to DAO security, delivering robust, scalable security practices that extend beyond traditional audits.

OpenZeppelin has worked closely with the Arbitrum DAO on key governance and security initiatives as part of ARDC V1 that include reviews of governance upgrades, verification of proposal correctness, and security design evaluations which can all be viewed in the ARDC forum. We’ve also participated in reviewing and approving the ArbOS 32 emergency action as part of the Security Council. These efforts reflect our commitment to upholding the security and integrity of the Arbitrum ecosystem and governance.

Moreover, OpenZeppelin was the ONLY external security provider to identify a critical vulnerability in the protocol as part of our Uniswap V4 Audit, showcasing our advanced capability in vulnerability discovery compared to top competitors. Our experience with high-stakes protocols like Compound and Uniswap underscores our hands-on, proactive approach, which we look forward to bringing to ARDC V2 in support of the Arbitrum DAO.

Project Management & Collaboration

OpenZeppelin’s project management practices are adaptable to client needs and structured for security efficiency. We have a dedicated project manager with prior experience working with DAO communities both in ARDC V1 and Compound DAO. For ARDC V2, we will provide monthly reports and participate in community calls, ensuring transparency and communication with Arbitrum DAO stakeholders. Our team is prepared to respond flexibly to ad-hoc security requests and manage these efficiently in alignment with ARDC’s evolving needs.

Our work in ARDC V1 underscored the impact of effective collaboration and early security guidance on proposal quality and safety. In one of our initial engagements, the Event Horizon proposal, we encountered challenges that highlighted areas for refining our process. The Event Horizon team’s feedback to us emphasized the value of checking in briefly before publishing initial findings, which would have helped avoid some early misunderstandings. By adopting this approach, we have strengthened our communication practices to ensure a smoother collaboration. This experience underscored the importance of continuous, transparent engagement with proposal authors, allowing us to identify and address risks effectively before proposals reach the on-chain stage. More about our technical project management process can be seen in our ARDC V1 application.

Furthermore, OpenZeppelin pioneered the Aera vault solution with Gauntlet for Compound DAO’s vendor payments, providing stability in vendor compensation while minimizing price impact. This model, which we recommended for implementation in ARDC V2, offers efficient and low-risk vendor payments, aligning with ARDC’s goals for operational improvement and financial stability. This shows how OpenZeppelin is capable of going above and beyond to collaborate with decentralized communities in improving the processes in which we operate rather than just being a passive participant.

Scope of Work

This section has been updated to include suggestions published by the Arbitrum Foundation.

Deliverables for the First Two Months

This is the specific work that we expect to complete within the first two months of the ARDC V2 program. Please note that some of these deliverables depend on the proposal details being ready for our security feedback within the two-month time period.

  1. Security Council Improvement Suggestions: OpenZeppelin will contribute recommendations for enhancing the Arbitrum Security Council’s functionality, such as enabling multi-sig support for company entities to streamline operations. We will also propose setting technical requirements to ensure at least 9 of the 12 council members possess the technical skills to independently verify emergency upgrades. We’ve already seen forum requests for testing the technical expertise of Council candidates and additional suggestions from the Arbitrum Foundation that we plan to address.

  2. Technical Upgrade Security Feedback & Proposal Reviews on Timeboost, Bold, Orbit Chains and Fast Withdrawals: Following up on our prior Security Analyses for BOLD and Timeboost, we expect to review the implementations of these mechanisms for security risks before submission on-chain and provide executive summaries of their impact. We also anticipate reviews of fast withdrawals and Orbit chain proposals that line up with the Arbitrum Foundation’s recommendations.

  3. Suggestions to Improve the DAO’s Technical Decision-Making Process: We’ll explore and recommend a technical decision-making framework to improve the DAO’s current process of debating technical trade-offs when implementing upcoming proposals. We’ll draw especially on the lessons learned from the Arbitrum Governor V2 Upgrade discussion on whether to perform a migration upgrade or a direct proxy upgrade.

  4. Definition and Security Risk Analysis of a Governance Attack: We’ll examine Arbitrum’s current governance system to identify the potential risks of a governance attack similar to Humpy’s earlier attempt on Compound this year, to better safeguard the DAO. This includes defining the difference between a controversial/contentious proposal and an outright governance attack from an outside entity accumulating tokens and manipulating votes in a manner that warrants a security response. This includes answering questions raised by the Arbitrum Foundation here.

Ongoing Scope of Work

Work that we expect to be ongoing depending on the current proposals and requests made to us throughout our ARDC term.

  1. Proposer Assistance and Payload Preparation: Upon request from a proposal that has passed a snapshot, OpenZeppelin will support non-technical proposal authors in preparing their proposals, guiding them through best practices in proposal construction to meet the Arbitrum DAO’s technical and security requirements. We will offer security insights throughout the drafting process to preemptively address any potential vulnerabilities, helping authors create secure and well-structured proposals. This item comes directly from delegate feedback we received following ARDC V1.
  2. Proposal Security Review Process: OpenZeppelin will conduct security reviews of proposal payloads submitted to Tally (ideally in draft form prior to submission), ensuring their integrity and alignment with the intended governance actions. We will provide a final security check to verify that the proposal’s on-chain deployment matches the reviewed content along with an executive summary explaining the proposal’s impact for non-technical readers. This process will include manual security checks, supplemented by automated tools where possible, to ensure robustness and accuracy. Our forum reports on proposal safety will foster transparency and community engagement with proposal security.
  3. Governance Upgrade Audits: As the primary auditor for governance upgrades, OpenZeppelin will collaborate closely with Tally and Scopelift to ensure future upgrades are secure and aligned with the Arbitrum DAO’s roadmap. Through this collaboration, we’ll also explore integration opportunities with OpenZeppelin Governor, identifying feature enhancements that could serve both Arbitrum DAO and the broader ecosystem as part of the OpenZeppelin Governor Working Group that we’ve recently launched alongside Tally, ScopeLift and Agora.
  4. Additional Security Audits: While we’ve explicitly proposed that the Security Member serves as the primary auditor for governance upgrades, we are also happy to conduct security audits for other smart contracts wherever the Supervisory Council considers them to be in-scope for the ARDC. This could include any smart contracts to be utilized in a governance proposal such as the Franchiser Contracts used by Event Horizon that we audited in ARDC V1.

These deliverables address critical security needs and emphasize proactive upgrades and enhanced security governance. OpenZeppelin’s approach allows flexibility in addressing additional security tasks as ARDC’s term progresses. We are also open to additional feedback from other delegates and the guidance of the Supervisory Council, once elected.

Please note that the new ARDC V2 Retainer model will make us dependent on the Supervisory Council to proactively approve the budget and timeline for our deliverables in a timely manner. If the Supervisory Council does not wish to engage our team in a continuous manner, we will need several weeks’ advance notice before starting new deliverables in an ad-hoc manner. We do feel confident that this challenge can be mitigated with proactive planning and by maintaining a healthy backlog of work tracked in coordination with the Supervisory Council. We will be comfortable continuing work in this manner should the ARDC be renewed for an additional 6 months.

Finally, we will work with the Supervisory Council to define a process that determines the appropriate stages at which to engage proposal authors for security feedback, proposal creation assistance, and final security review. For example, we would only recommend providing resources to prepare and review an on-chain proposal payload after it has already passed a community snapshot vote.

Conflict of Interest

OpenZeppelin is fully committed to upholding the highest standards of transparency, impartiality, and integrity in our work with the Arbitrum DAO. We do not anticipate any conflicts of interest in our role as Security Working Member and remain dedicated to prioritizing the security and governance excellence of the DAO.

To maintain complete transparency, we provide details of our other engagements within the Arbitrum ecosystem, which we believe do not present conflicts but are disclosed here to clarify our involvement:

  • Stylus Contracts Library Development: OpenZeppelin collaborates with the Arbitrum Foundation on the development of the Stylus Contracts Library, which aims to provide secure, accessible resources for smart contract developers.
  • Arbitrum Security Council Membership: OpenZeppelin serves on the Arbitrum Security Council, with the current term set to expire in March 2025. This position enhances our understanding of Arbitrum’s security needs and informs our contributions to governance stability.
  • Stylus Sprint Grant Committee Participation: Two OpenZeppelin team members actively participate in the Stylus Sprint Program grant committee, which supports innovation and development within the Arbitrum ecosystem.

These roles support our mission to contribute positively to the broader Arbitrum ecosystem. OpenZeppelin will continue to operate with transparency and impartiality, ensuring that any potential conflicts are managed and disclosed promptly.

Summary

OpenZeppelin brings unmatched expertise and hands-on experience to the Security Working Member role in ARDC V2. Having already contributed to ARDC V1, we’ve gained a nuanced understanding of Arbitrum’s governance and security needs, which positions us uniquely to excel in this role. Our previous work with Arbitrum includes evaluating key governance upgrades, verifying proposal correctness, and conducting security design assessments for projects like Timeboost and BOLD. Additionally, our in-depth involvement with the Stylus SDK and our contributions to the Stylus Contracts Library have given us a strong foundation in the Arbitrum ecosystem, especially with Arbitrum’s Stylus runtime.

As we transition to ARDC V2, our existing knowledge and established relationships in the Arbitrum DAO enable us to provide refined, impactful support that new entrants may struggle to match. Our proposed Scope of Work addresses key areas: helping proposers prepare secure, technically sound proposals; performing final security checks to ensure on-chain accuracy; auditing governance upgrades; and enhancing Security Council operations. With our extensive background and commitment to the Arbitrum DAO’s goals, OpenZeppelin is prepared to elevate the DAO’s security and governance standards even further in ARDC V2.
