Ethereum Protocol Attackathon Sponsorship

Non-Constitutional

Abstract

This proposal seeks funding from the Arbitrum DAO to support an “Attackathon,” a large-scale security audit event organized by the Ethereum Foundation and hosted on the Immunefi platform. The Attackathon will focus on enhancing the security of the Ethereum protocol through three phases: education, active code hunting, and result evaluation. The initiative aims to raise over $2 million, with $500,000 already committed from the Ethereum Foundation. This effort is crucial for ensuring the stability and security of Ethereum, which is vital for maintaining the reliability of projects on Arbitrum.

Motivation

As a Layer 2 on Ethereum, Arbitrum relies heavily on the security of the Ethereum protocol. Given Arbitrum’s EVM compatibility, vulnerabilities in Ethereum could potentially impact Arbitrum as well. Conducting a comprehensive security audit contest at this time is critical due to the recent major hard forks that have introduced significant changes to Ethereum.

A key component of this Attackathon is the development of educational materials that cater to all levels of security knowledge. This educational program will feature live technical walkthroughs and detailed documentation developed by the Ethereum Foundation, client teams, Solidity developers, and Immunefi, covering a broad scope that includes client, specification, and solidity compiler bugs. By educating security researchers, the Attackathon will cultivate a community of researchers capable of identifying and mitigating vulnerabilities across the Ethereum and Arbitrum ecosystems. This increased awareness and participation in Ethereum’s security ultimately benefits the Arbitrum community by ensuring the continued reliability and safety of the underlying blockchain infrastructure.

Rationale

The Attackathon aligns with the Arbitrum community’s mission to promote a secure and scalable Ethereum ecosystem. By investing in this initiative, Arbitrum will help Ethereum’s security, which directly impacts Arbitrum’s scalability and user trust. Moreover, the educational component of the Attackathon will benefit Arbitrum by upskilling security researchers, providing them with the knowledge and tools needed to conduct thorough audits and improve security across the network.

Additionally, Arbitrum can benefit from the collaborative efforts of the Ethereum Foundation and Immunefi, positioning itself as a proactive leader in the Ethereum community. Participation in the Attackathon provides Arbitrum with the opportunity to engage with top security researchers and improve its security posture. As a sponsor, Arbitrum will gain visibility and credibility among developers and users, further solidifying its reputation as secure and forward-thinking.

Key Terms

  • Attackathon: A comprehensive and time-boxed security audit event involving education, active vulnerability hunting, and result evaluation phases.
  • Immunefi: A leading bug bounty platform specializing in blockchain and smart contract security.
  • Hard Fork: Significant upgrades or changes to the protocol that may introduce new code and, potentially, new vulnerabilities.
  • Solidity Compiler: The tool used to compile Ethereum smart contracts written in Solidity into bytecode, which is executed on the Ethereum Virtual Machine.

Specifications

Platforms and Technologies:

  • Ethereum Protocol: The primary focus of the security audit, with an emphasis on identifying vulnerabilities in core protocol code, client software, and the Solidity compiler.
  • Immunefi: The platform hosting the Attackathon, responsible for managing submissions, triaging bug reports, and distributing rewards.
  • Ethereum Foundation: Providing funding and oversight for the Attackathon, including contributions to the reward pool and logistical support.

Design Decisions:

  • Scope: The contest will have a broad scope including specification bugs, client bugs, deposit contract bugs and Solidity compiler vulnerabilities.
  • Inclusion of the Solidity Compiler: By including the Solidity compiler in the scope, the Attackathon directly addresses potential vulnerabilities in the primary programming language for Ethereum smart contracts, which is crucial for both Ethereum and Arbitrum.

Related Work:

  • Ethereum Bug Bounty Program: The permanent bug bounty program has been effective but lacks visibility. The Attackathon aims to increase participation and awareness through a focused, large-scale event.

Steps to Implement

The primary role of the Arbitrum DAO in this initiative is to provide funding support for the Attackathon. By contributing to the reward pool, Arbitrum will ensure that the event attracts top-tier security researchers and maximizes its impact on the security of the Ethereum protocol. Additionally, the Arbitrum community can assist in promoting the Attackathon to raise awareness and encourage participation.

Estimated Timeline

  • July 8-11: EthCC program announcement
  • Aug 19th: Detailed program announcement and education kickoff
  • September 2nd: Attackathon hunting begins
  • October 27th: Attackathon concludes, and results compilation begins
  • October 28th: Review period begins
  • Early January: Results announced

Overall Cost

The Arbitrum DAO has two options for sponsoring the Attackathon:

Unicorn Partners (+75 ETH Commitment) (limited to two sponsors)

  • 1x Unique NFT with leaderboard rank
  • Participation in Attackathon Kick-off Twitter Space as a partner speaker
  • Leaderboard Placement on Sponsor page
  • Top-tier logo placement on Sponsor and Program Landing Page
  • Top-tier logo placement on the Program Education page and program report
  • Call out in Press Releases and EF and Immunefi Program Announcement Blogs
  • Digital Logo Placement in the results announcement at Devcon or a dedicated virtual event
  • An Arbitrum Boost (Audit Contest) on Immunefi with up to a $100K rewards pool at 100% Immunefi Discount within 180 days of the conclusion of the Ethereum program
  • 1x Dedicated Twitter post announcing sponsorship from Immunefi Twitter handle

Panda Partners (+30 ETH Commitment)

  • 1x Unique NFT with leaderboard rank
  • Leaderboard listing on the sponsor landing page
  • Mid-roll logo placement on Sponsor and Program Landing Page
  • An Arbitrum Boost (Audit Contest) on Immunefi with up to a $100K rewards pool at 100% Immunefi Discount within 180 days of the conclusion of the Ethereum program
  • 1x Dedicated Twitter post announcing sponsorship from Immunefi Twitter handle

By supporting the Attackathon, Arbitrum can leverage the findings to ensure its network remains robust against vulnerabilities. This initiative not only enhances security but also demonstrates Arbitrum’s commitment to the ecosystem.

7 Likes

Hello, we have seen this same post on other forums for the Ethereum Attackathon, and while we support this initiative, we would like to see additional verification. On the Uniswap variant of this proposal, this was made by Jay Yu from the Stanford Blockchain Club (and he has prior history within Uniswap DAO). If we could receive some confirmation that you are Rodrigo Vasquez (since you currently do not have forum history on Arbitrum DAO that would speak to this) we would appreciate it.

Otherwise, here are some of our other concerns with this proposal. The current dates for the Attackathon appear to have moved 1-2 days from other posts. Given that this would move to a Snapshot and then to Tally, this would take about two weeks for Arbitrum alone. With this in mind, we think you should be cautious and plan for delays. Also, it seems as though this proposal will likely launch in other DAOs as well; are there plans to post this for the Optimism community or elsewhere?

An additional concern that we have is that this proposal is denominated in ETH rather than a dollar value, which with recent market action seems unsafe. We are just providing a heads up because as this proposal moves to Tally, there could be an unforeseen issue if the dollar denominated amount is not properly established.

2 Likes

In addition to the questions above, I have a couple of others:

  1. Apparently, the sponsorship is not for houses, but for projects. At least, that’s what it seems to me from the benefits that the sponsor gets.
  2. What does this sponsorship give? Besides the obvious benefit of the security of Ethereum itself.
  3. Why exactly this amount?

Thanks for your feedback and for raising these concerns about the proposal.

  1. Verification: You can verify my identity through my Twitter post here. Also, I created my account with my Ethereum Foundation email; if the mods can confirm this for you, I’m also open to verifying by any other suggested method.
  2. Timeline Flexibility: We understand the timelines within the Arbitrum DAO and are ready to adjust the start date of the Attackathon if needed. The proposed dates are tentative, and we’re committed to working with the DAO’s schedule.
  3. Funding Denomination: Your point about market volatility is well taken. We talked with Immunefi and can convert the donation tracker into USD denomination. We can also update the proposal to request funds in USD when it moves to the next step to avoid issues with ETH price changes.
  4. Engagement with Other DAOs: While we’re looking to collaborate with other communities to maximize the impact of the Attackathon, we’re not currently planning to submit this proposal to Optimism. However, we’re open to submitting to other DAOs in the future if there’s interest and support.

We appreciate your support and are here to address any further concerns you might have. Thanks for your attention and consideration.

4 Likes

In general, I am supportive of this cause, of course!

Is it possible for our portion and the bounties to be paid and denominated in ARB instead of ETH?

2 Likes

In my opinion, it’s a no-brainer to fund at the highest tier. Supporting genuinely decentralized, trust-minimized tech is part of our core values. Without secure base layers (Ethereum) to scale, the Orbit stack doesn’t reach the same value in its competitive ecosystem. Arbitrum One and many Orbit chains do and will continue to rely on Ethereum’s security. Also, there is optic value in not just saying but showing we are Ethereum aligned.

I like Griff’s idea to use ARB instead of ETH if possible. Additionally, I wonder if we might be able to secure a bit more brand and marketing value out of the Unicorn Partnership. Potentially 3x tweets from the @ethereum account about Arbitrum, or something of the nature.

3 Likes

Hey cp0x,

Thanks for your questions.

  1. Clarification Needed: I’m not entirely sure what you mean by “not for houses, but for projects.” Could you clarify that a bit so I can give you a better answer?

  2. Sponsorship Benefits: The benefits of sponsorship are threefold:
     • Security of Ethereum: As you mentioned, the primary benefit is contributing to the security of the Ethereum protocol, which directly impacts Arbitrum and its users.
     • Direct Security Benefit to Arbitrum: Arbitrum will also get a free Immunefi Boost, which is a similar security initiative to this Attackathon, further expanding the reach of this security effort.
     • Amplification of Arbitrum’s Support: The sponsorship also amplifies Arbitrum’s support through the marketing benefits included, signaling Arbitrum’s ongoing commitment to the security of both the Ethereum and Arbitrum ecosystems.

  3. Sponsorship Amount: While you can contribute any amount, these specific tiers are tied to particular benefits listed above.

Hope that helps! Let me know if you have any other questions.

Misclick, I didn’t mean the house, I meant the chains.

Hey cp0x,
I’m still unsure what you mean by the question. The sponsors could be L2s, but some of the sponsors are Dapps and other protocols. Could you rephrase the question?

Hey Griff,

Thanks for your support! We can definitely accept the sponsorship in ARB. However, paying out the bounties in ARB (or multiple tokens) would reintroduce the volatility issue that we’re trying to avoid by switching to USD denomination instead of ETH. It would also add a lot of complexity to the bounty disbursement process.

Let me know if you have any other thoughts or suggestions!

1 Like

We are generally not in favor of this proposal as it currently stands. While we understand the importance of strengthening Ethereum’s security, this proposal does not clearly outline a tangible benefit to Arbitrum or the DAO. Additionally, the requested sponsorship amount seems high given the lack of detailed information.

To make a more informed decision, we would like to request the following details:

  1. Breakdown of Expenditures: How will the $2 million being raised from the Ethereum Foundation and other sponsors be utilized? A detailed line-item breakdown of the proposed expenditures would provide much-needed transparency and help justify the sponsorship ask.
  2. Sponsorship Transparency: We would appreciate more clarity on which sponsors you are targeting and how they align with the goals of this event. Understanding who else is being approached for sponsorship would provide insight into the strategic vision behind this initiative.

While we recognize the critical role of security in the Ethereum ecosystem, we need more detailed information to fully commit to this initiative. We are open to reevaluating our position once these details are provided and the potential benefits to Arbitrum and the DAO are more clearly articulated.

3 Likes

Hi Castle Capital,

Thank you for sharing your concerns and for the opportunity to clarify the proposal further. 100% of the funds will be paid out to security researchers for bug reports. If there are any leftover funds, they will be rolled over to an audit contest covering the Pectra hard fork.

  1. Tangible Benefits to Arbitrum: I understand the need for clear, tangible benefits to Arbitrum and the DAO. The primary benefit lies in enhancing Ethereum’s security, which directly impacts Arbitrum. A more secure Ethereum means a more secure Arbitrum, reducing potential risks that could affect the entire ecosystem. Specifically, since Arbitrum’s execution client, Nitro, is based on Geth, any bug in Geth is likely to also be present in Nitro. This makes it crucial for Arbitrum to support initiatives that strengthen the security of the Ethereum protocol, as it directly contributes to the stability and security of Arbitrum’s infrastructure. Additionally, Arbitrum will benefit from the free Immunefi Boost, a targeted audit contest that further strengthens Arbitrum’s own security framework.

  2. Breakdown of Expenditures: All of the funds raised from the Ethereum Foundation and other sponsors will be directed towards payouts for security researchers who identify vulnerabilities. These rewards will be structured based on the severity of the bugs found, ensuring that critical issues are appropriately incentivized and addressed. It’s also worth noting that Immunefi is forgoing their usual fees for this event, allowing all funds to be allocated directly to researcher payouts. Additionally, the educational components of the Attackathon are a collaborative effort between Immunefi, client teams, and the Ethereum Foundation, none of whom are charging for their contributions. In the event that there are any unused funds after the Attackathon, they will be rolled over to support an audit contest focused on the Pectra fork, further contributing to the security of the Ethereum and Arbitrum ecosystems.

  3. Sponsorship Transparency: I appreciate the need for transparency regarding sponsorship. We have already confirmed sponsorships from Wormhole, GMX, and the Blockchain for Good Alliance. We have also submitted proposals to the Uniswap DAO and are preparing to submit a second proposal to the Gnosis DAO. These partnerships and proposals align with the strategic vision of building a strong coalition dedicated to enhancing the security of Ethereum, and by extension, the security of all connected ecosystems, including Arbitrum.

Thank you for your thoughtful feedback, and we look forward to continuing this conversation.

I’m supporting the smaller package. In general, my credo is to support anything security related, and thus I’m in favour of this.

1 Like

Blockworks Research will be voting FOR the Unicorn Partners on this proposal on Snapshot.

Investing in the (eventual) underlying security of Arbitrum is necessary. As @MattOnChain said earlier, we would like to have some sort of brand recognition and marketing for Arbitrum, especially per the contribution. Tweets from the Ethereum account about Arbitrum would be perfect; additionally, if there could be some sort of pipeline or invitation for Attackathon participants to participate in the DAO’s future developer events, that would be much appreciated.

1 Like

Hey @BlockworksResearch
I appreciate the support! The EF Twitter account will broadcast Arbitrum’s support for the program. We’re also interested in collaborating on the pipeline for SRs to contribute to future Arbitrum DAO events.

1 Like

I support this proposal because participating in the Attackathon aligns with Arbitrum’s mission to maintain a secure and scalable Ethereum ecosystem. By sponsoring this initiative, Arbitrum will help strengthen the security of the Ethereum protocol, which is crucial for its own stability and reliability. Additionally, the educational component of the Attackathon will upskill security researchers, enhancing the overall security posture of both Ethereum and Arbitrum.

1 Like

This large-scale security audit is crucial for reinforcing Ethereum’s security, which directly benefits Arbitrum as a Layer 2 solution.

I just have one question, @rodrigolvc: how will Arbitrum’s sponsorship visibility and engagement be measured and reported?

Investing in security is never too costly; it’s essential if we want a secure protocol. I voted in favor of the Panda Partners package because it offers a good balance between cost and effectiveness.

I’d just emphasize the importance of transparency at every stage and demonstrating accountability throughout the process.

1 Like

It looks like a good proposal, but the reality is that there is very little benefit for the Arbitrum DAO beyond spending a lot of funds. I have always been opposed to such proposals, preferring to fund projects that have already been in the Arbitrum ecosystem for a long time, rather than some new external projects. So I will vote Against.

While the proposal seems well written and thought out, we’re having a hard time connecting how this would be beneficial to the DAO in the long run. Overall, we think that something like this would be nice to have, but more specifically for Arbitrum, much like the gov hackathons and similar events that have happened in the past. This feels a bit too much like a large expense just to have your logo in a few places.