[Election & Application Thread] V2 Arbitrum Research & Development Collective

Trail of Bits has been a recognized leader in software security for the twelve years of our existence. We combine high-end security research with a real-world attacker mentality to reduce risk and fortify code.

We have a long track record of successful collaboration, available on our Publications repository, including our extensive work performed for the Arbitrum ecosystem. We have performed over 200+ engineer-weeks of security review of Arbitrum through Offchain Labs, including focused assessments of essential components such as Nitro, Timeboost Auction, Stylus, BoLD and most of the upgrades of ArbOS that were voted on by the Arbitrum DAO itself. We also helped with the recent ArbOS emergency upgrade, auditing the affected code and the proposed fix.

Through this work, we have developed an in-depth understanding of Arbitrum internals and risks.

Additionally, we produced a number of educational materials and resources directly or indirectly related with Arbitrum rollups security and internals:

• Out-of-order vulnerability due to retryable tickets When try, try, try again leads to out-of-order execution bugs | Trail of Bits BlogmaxFeePerGasTooLowmaxFeePerGasTooLow
• An ArbOS code walkthrough : https://www.youtube.com/watch?v=pKM9fIx3HEQ
• Smart contract security tooling tutorials and our 10 hours workshop on fuzzing.

Many firms in DeFi, including Optimism, Balancer, Uniswap, and Compound trust our expertise to help secure their code, and you can find many more in our Publications repository, which includes security assessments of some of the most bleeding edge technical products and protocols ranging from but not limited to bridges, DEX’s, AMM’s, oracles, smart contracts, Layer 1’s, and Layer 2’s.

We’re relentless about raising the baseline in the communities we work, and have developed and made freely available some of the most-used security tools, reference guides, and security research in the industry, including:

• Slither, a static analyzer that detects common mistakes such as bugs in reentrancy, incorrect access controls, and more.
• Medusa and Echidna, our state-of-the-art smart fuzzers that targets EVM bytecode.
• solc-select, a tool to quickly switch between Solidity compiler versions.

As a Security-Oriented Member of the ARDC, we intend provide services to help secure projects in the ecosystem at different stages in their development lifecycle by performing design reviews, threat models, white box security reviews, invariant development, and automated tooling.

Trail of Bits has performed over 300 blockchain security reviews, worth 30 engineer years of effort. Among that, 200+ engineer weeks were solely dedicated to reviewing Arbitrum components with Offchain Labs. This puts us in a unique position to fulfill the review of on chain proposal code updates with an extensive pre-existing familiarity with the protocol itself and offer security consultation and guidance to the Arbitrum ecosystem.

Trail of Bits has strong expertise in the realm of program analysis and tooling, as demonstrated by our numerous open-source projects (Slither, Echidna, Medusa, etc). We combine a pragmatic approach and fundamental knowledge to create tools that provide values to their users. Trail of Bits engineers (~10% of whom hold PhDs) frequently present our tools at both industrial and academic conferences. This makes us a perfect fit for the Tooling Creation and Enhancement category, as a partner to drive more advanced testing methodologies and security practices throughout the ecosystem.

Uniquely among security consulting firms, Trail of Bits maintains an entire division dedicated to Research & Engineering. We attempt to apply the latest research in every project and our clients value our evidence and test-driven approach.

As the main security partner of Offchain Labs, we are committed to ensuring the greater security of the Arbitrum ecosystem. Since our inception, our goal has been to improve the security practice and awareness of the blockchain ecosystem as a whole. This is why we have dedicated significant resources to our open-source tools and public research, to elevate the security standards and allow developers to build more secure code in the long term. Working with Offchain Labs extensively over the past couple years, we have built an incredible level of knowledge and expertise of the Arbitrum ecosystem, which we feel we would be able to apply more effectively as a working member of the ArbitrumDAO.

Trail of Bits has years of expertise reviewing smart contracts and L2 related code, including on-chain upgrade proposals, including the design and specification of the proposal through whitebox source code techniques. This is particularly important given the prevalence of governance attacks, as seen with Tornado Cash. Trail of Bits can also focus on building content to help review further proposals, including tools (dedicated Slither detectors, fuzzing harness, proposal state diff visualizer, etc. ) and educational material (tutorial, checklist, code walkthrough, etc.) to promote overall security and integrity of the Arbitrum ecosystem.

In addition, by working with Offchain Labs and reviewing major Arbitrum components since 2021. During the past year, we reviewed pivotal features of Arbitrum chains such as BoLD, Stylus and many ArbOS upgrades. Trail of Bits is uniquely positioned to understand and review the impact of on chain proposal code updates.

We pride ourselves on our open-communication model, and our project managers ensure we live up to this expectation. Each security assessment performed by Trail of Bits is assigned a dedicated project manager with a “client-first” mind-set. Trail of Bits Project Managers manages client-facing projects throughout our four practice areas: cryptography, blockchain, ML/AI, and application security.

Our team begins every engagement with a welcome call to discuss logistics, provide early design guidance on security, and to begin thinking about security capabilities and maturity in preparation for the security review. A Shared Chat Channel is created to ensure open communication before, during and after the assessment. Our project managers and engineers also host a kickoff call prior to the engagement to get up to speed quickly on the product in scope. We will reiterate the goals and expectations of the engagement, the current development status of the product, focus areas to prioritize during the engagement, and nightmare situations that Client is trying to avoid. Weekly calls are held throughout the assessment to discuss progress and priorities. Project closure calls cover findings identified during the assessment in-depth and offer guidance on structuring remediation efforts and more effective security testing.

Our project managers coordinate fix reviews after the engagement, as well as discuss next steps for any future assessments recommended by our team.

For the initial two months of the 6-month term, our services will include one or more of the following tasks, according to the priorities and needs of the ArbitrumDAO:

• Review on-chain proposal code updates
  • White-box security review of source code through a combination of manual and automated review, which may include a review the proposal for design flaws and identifying security and correctness properties
  • Reviews do not include proposals that are initiated by Offchain Labs and the Arbitrum Foundation. These proposals are already going through security reviews (including by Trail of Bits)
  • If 12 engineer-weeks are not enough to review all the on-going proposals in a quarter (or 24 in the 6 months period), Trail of Bits will either perform a review of some of the proposals, or a best effort of as many as possible. Trail of Bits will agree with the Arbitrum coalition and its Advocate to determine the priorities.
  • Deliverables are full security reports with technical information regarding findings and appendices as needed. A typical report follows the outline below:
    • Executive Summary (short description of what was tested and an analysis of overall security risk based on the findings and brief summary of the recommendations)
    • Code Maturity Evaluation (holistic evaluation of the codebase and overall approach to software development and security, as well as recommendations intended to inform medium- and long-term strategy for improving software development and resilience to future security incidents)
    • Comprehensive List of Vulnerabilities (detailed explanations sufficient to identify and/or reproduce the vulnerability, attack and exploit scenario to provide context for the vulnerability, and recommended short- and long-term mitigation steps)
    • Trail of Bits has a discrete team of Technical Editors that reviews every client deliverable we write and an extensive, internally developed style guide that engineers are trained against.
• Invariants development
  • Creation of invariants targeting components for future upgrades. The invariants will help developers of upgrade to ensure the correctness of their addition
  • Activities may include but are not limited to:
    • Identify security and correctness at the function or system level
    • Write invariants to test them with state-of-the-art fuzzers (Echidna, Medusa, foundry fuzzer)
    • Documentation and guidance to help the community contribute to the invariants
  • Deliverables are the code for the security invariants produced, in runnable state including any documentation and tool instructions.
• Tooling Creation and Enhancement
  • Develop and enhance tooling to enhance the security of the Arbitrum ecosystem and its proposals, including:
    • Specific static analysis bug detectors targeting code update.
    • Visualize the state of the governance contracts, in particular: the state of previous proposals, current emitted and delegates votes, how the tokens are delegated,
    • Visualize and verify correct encoding of values used in the governance contracts and the action contracts.
  • Deliverable are specific features in isolated open-source PRs in the repository of each tool with a small description of the impact on the Arbitrum DAO goals.
• Office hours
• Security consultation
• Incident response/disaster recovery
• Additional services, based on the ARDC needs, which can include:
  • Design review
  • Threat modeling
  • Blogpost or public presentation
  • Appsec or cryptography review
  • Guidance on incident response plan or monitoring

Trail of Bits has a robust, adaptive approach to executing projects, and our history of providing high-caliber security research and engineering solutions equips us well for managing ad hoc or flexible tasks, as requested by the Supervisory Council.

Dedicated Expertise & Cross-Functional Collaboration: We have a diverse team of experts across multiple domains — including reverse engineering, cryptography, malware analysis, and software exploits. Each of these experts brings specialized knowledge that can be rapidly deployed on emerging tasks. In addition to these specialists, our project management team ensures seamless coordination across departments to maintain focus on client needs while managing time-sensitive requirements.

Proven Flexibility: Throughout our years of operation, we’ve developed an agile project management methodology, allowing us to allocate resources dynamically. We have worked with high-profile clients, such as Facebook and DARPA, where adaptability to new priorities and tasks has been essential. For example, if a new security gap or urgent issue arises, we can quickly pivot existing resources or deploy new ones to address that need without significant delays.

Real-World Attacker Mentality: Our approach is rooted in the mindset of real-world adversaries, allowing us to prioritize security tasks based on emerging threats and the highest risk factors. This strategic alignment with current threat landscapes gives us an edge in addressing ad hoc tasks that require immediate attention or flexibility in response to an unpredictable, evolving security environment.

N/A

Our experience and expertise in static analysis tooling, fuzzing capabilities, performing whitebox security review, design reviews, and threat models to ensure security and correctness properties in on-chain upgrade proposals is evident by our successful track record of working with Arbitrum and similar projects, which can be found on our publications page GitHub - trailofbits/publications: Publications from Trail of Bits.

We believe the combined skills and reputations of the members of Trail of Bits’ project team will provide the best assessment and research capabilities in our industry, and have a massive impact in improving the security assurance of Arbitrum projects. Our team’s strong industry reputation will lend credibility to the result of the project in the form of referenceable public documents on the security of Arbitrum projects.