Introduction
Hey everyone, I’m Gustavo Grieco. I’m a freelance blockchain security engineer. Previously, I spent ~8 years at Trail of Bits working across a wide range of security projects. A big part of that time was dedicated to Arbitrum: I’ve reviewed the stack from Classic to Nitro, and most recently Stylus. I was also elected by the DAO earlier this year to serve as a Technical Expert for the Arbitrum Audit Program.
Background
My background includes deep technical audits across several versions of the protocol, from the original Arbitrum Classic to Nitro and, more recently, Stylus. I was also part of the TOB team that audited the smart contracts used in the Security Council, where we identified a low-severity issue.
Beyond Arbitrum, I also audited various DeFi applications such as stablecoins, lending platforms, decentralized exchanges, wallets, and other core blockchain infrastructure. In my free time, I also contribute to the EVM ecosystem by helping with the development and maintenance of smart contract security tooling such as echidna and hevm.
I wanted to highlight a few points to consider when voting for me:
Thank you for your time and consideration in this Security Council election. I look forward to continuing to support the DAO with deep protocol knowledge and a proven security background.
For reference, my Tally profile is here.
Best regards,
Gustavo.
“Hi Gustavo, your technical track record with Trail of Bits and the Arbitrum stack is impressive. However, as a current Technical Expert for the Audit Program, how do you plan to manage potential conflicts of interest if the Security Council needs to review an upgrade or a fix that was previously overseen or recommended by the very audit program you serve? How do you balance deep technical involvement with the necessary neutral oversight required for the Council?”
Hello Djermas,
Good question indeed. Let me clarify something: the AAP was created to serve protocols and companies that want to deploy smart contracts on Arbitrum. This never includes any Arbitrum infrastructure, as the security audits for those are decided by the DAO, Offchain Labs and the AF, so it should never happen. On top of that, the AAP hands the work over to the security providers: they are the ones doing the audits. My role as a technical expert is to ensure that the quality of the audit outcome matches what the DAO expects, but not really to validate findings one by one.
Hope this clarifies things, but I am happy to continue the discussion if there is something else you want to know.
Regards,
Gustavo.
“Thank you for the clarification, Gustavo. However, the line between ‘private protocols’ and ‘core ecosystem infrastructure’ is increasingly blurred with the rise of Orbit chains and major DeFi primitives. If a protocol audited under your technical supervision at AAP becomes systemic to Arbitrum and requires an emergency intervention by the Security Council, the risk of ‘confirmation bias’ remains. As a Council member, would you commit to recusing yourself from votes involving entities previously audited or overseen by you at AAP to ensure 100% neutrality?”
Yes, I would ensure 100% neutrality or renounce my position if that’s not possible. Clearly the priority should be rescuing funds at risk more than anything else.
“Thank you for sharing the Stylus Emergency Fixes report. This is exactly the point: as you were deeply involved in these emergency reviews, your election to the Security Council would mean you’d be overseeing the long-term integrity of the very fixes you implemented or reviewed. In the interest of full transparency for the 100+ delegates watching this thread, can you confirm that you will formally abstain from any Council vote that touches upon the Stylus architecture or any other infrastructure component you have previously audited? Professionalism is one thing, but institutional neutrality requires clear boundaries.”
I think there is some confusion here: if I’m elected, I will clearly use my experience with Stylus and other Arbitrum components to protect all the core components of Arbitrum, and this is expected. As an example, many current and ex-Offchain Labs engineers have been elected to the Security Council before without any conflict of interest, and they were the ones who created core infrastructure and voted to upgrade their own code.