Non-Constitutional AIP: Arbitrum Security Enhancement Fund

Abstract

Home to some of the best smart contract security researchers in the market and one of the strongest Developer Relations teams in the industry - professionals in Cyfrin come from backgrounds like Chainlink, Compound, Alchemy, Aragon, WorldCoin, Microsoft, Google, and other popular FinTech companies.

Through this proposal, Cyfrin would like to request $2M to improve and foster the security and longevity of the Arbitrum ecosystem.

We will do this through launching the Arbitrum Security Enhancement Fund dedicated to sponsoring audits for Arbitrum projects.

Motivation

Blockchains solve global issues no other technology today has been able to solve: verifiable accountability, unbiased data exchange, trust without intermediaries, online ownership, permissionless transactions, global identities, to name a few…

Yet, until Web3 is safe, it is not scalable.

In July, total losses in the DeFi sector breached $77B according to a report from CryptoSlate. In 2022 alone, DeFi experienced hacks resulting in losses of over $3.1B. In 2023, a staggering $2.3B has already been stolen, indicating a trajectory higher than the previous year.

This is a security problem, a best practices problem, and a branding problem - rightfully keeping institutions and users away from a world-changing technology. Not solving this makes any effort to make web3 mainstream vain.

Every time there is a hack on an Arbitrum project, both the Arbitrum ecosystem and the entire industry suffer.

Getting this right increases adoption at scale. Value exchange technologies without developers capable of using them appropriately have a hard time succeeding. Value exchange technologies with developers and protocols lacking security best practices create an unsafe environment for everyone participating.

– The future of crypto hinges on projects prioritizing smart contract security.

Cyfrin commits to leveraging our team of industry experts to strengthen, support, and secure Arbitrum’s ecosystem and its developers.

Rationale

Leveraging our auditing, engineering, and educational skill sets, the Cyfrin team will keep projects built on Arbitrum and their users safe. Through this proposal, Cyfrin aims to contribute to the long-term success of the Arbitrum ecosystem by attracting incoming TVL, gaining user trust, and showing traction to potential future investors.

Laser-focused on Web3 security, Cyfrin is a market leader in smart contract audits. Cyfrin offers everything from private audits to competitive public and private audits, as well as a multi-phase auditing approach we’ve designed to ensure stronger security guarantees.

Additionally, you may find case studies for Oku Trade and SudoSwap to learn more about how Cyfrin works.

Some testimonials from clients:

  • “It was a pleasure to work with the Cyfrin team. Their approach to security and meticulous testing is exceptionally thorough. Additionally, their intimate knowledge of the Chainlink protocol made them particularly useful for our audit.” - Getty Hill, Oku Trade Founder
  • “Working with Cyfrin feels like a true partnership — they are just plain good at what they do and above all are as motivated as anyone to move our industry’s security practices forward” - Beanstalk
  • “Working with Cyfrin was a good experience, they kept in touch throughout the entire audit, and also followed up post-launch. Competitive with the best of the firms.” - 0xmons from Sudorandom Labs

Through this proposal, we’re asking Arbitrum to fund a Security Enhancement Fund to audit projects built on its infrastructure. The fund will allocate funds to private, competitive, or multi-phase audits for projects built on Arbitrum.

Cyfrin will power the long-term success of Arbitrum protocols, so protocols feel safer going to market and users more comfortable interacting with the Arbitrum chain.

Key Terms

  • Audit: An audit is a service where a security researcher reviews a codebase in depth with the intent of finding potential vectors for exploitation. Once completed, a report is presented to the protocol to fix any potential vulnerabilities found.
  • Private audit: A team, usually consisting of 2-3 security researchers, spends weeks looking at a protocol’s codebase with the aim of finding the most critical exploit vectors in the codebase, as well as performing architecture analysis, fuzz testing, improvement pull reviews, etc.
  • Public Competitive Audit: An audit where hundreds, if not thousands, of security researchers review a codebase and compete for funds in a set reward pool based on the complexity of vulnerabilities found, its impact, and its uniqueness.
  • Private Competitive Audit: An invite-only audit where a protocol invites top-performing auditors to review their code and compete in a community-driven audit competition.
  • Multi-Phase Audit: a new, innovative model known as the Diverge-Converge Multi-Phase Model. Crafted to maximize the quality of audits, a critical aspect in the Web3 space, by strategically incentivizing auditors and ensuring that the protocol codebase goes through at least three comprehensive auditing phases, enhancing the protocol’s ultimate security.

Specifications

The entirety of the funds will be allocated towards funding security reviews for protocols, including the costs to run the audits, hire auditors, promote contests, bring judges, do customer support, and competition moderation.

The Fund will match up to 60% of the audit requested. The remaining amount will have to be paid by the project requesting funding. This is mostly to weed out projects just looking for a free audit, ensuring we’re truly enabling long-lasting impact for the ecosystem.

The one exception to this rule is projects who are already deployed on Arbitrum and who can prove a high number of active users, total value locked, or who provide user retention and stickiness across the Arbitrum ecosystem as a whole. Establishing the details of what “high” means in this case will be a task of the Allocation Committee once formed.

These audits may come in the form of competitive audits, through our CodeHawks platform, private audits through our security research team, or through our multi-phased approach combining the above.

Audit Types

Competitive Audits
CodeHawks, one of the leading competitive auditing platforms in the market and home to some of the top security experts in the industry, enhances the security of protocols through community-driven smart contract security reviews.

On CodeHawks, hundreds of auditors study, test, stress, and review the same protocol’s codebase for a defined amount of time - finding bugs and potential exploit vectors. Auditors then submit the findings to the platform for judge review and monetizing based on the vulnerabilities uncovered.

Private Audits
Private audits are an option tailored to both yet-to-be-deployed and already-live protocols. A hand-in-hand relationship between the protocol’s engineering team and our security research squad is formalized to uncover vulnerabilities and support developers with state-of-the-art best practices guidance.

Through constant communication, the protocol’s engineering team is able to revise vulnerabilities as soon as they’re found - ensuring the team can start working on fixes immediately. Auditors also provide architecture analysis, fuzz testing, improvement pull reviews, specific knowledge like formal verification, code smells, testing feedback, etc.

Multi-phase Audits
Designed for large and more complex protocols, the Multi-Phase audit approach has the strongest security guarantee of them all, since it encourages the protocol to go through several audit phases before completing the final report.

To learn more about the Multi-Phase Audits, review here.

Allocation Committee

The Allocation Committee is the group responsible for determining which projects should receive audit funding. Cyfrin will lead the charge of setting this Committee up within 2 weeks of proposal approval.

The multisig account for the Allocation Committee will contain 5 people (3 from Arbitrum’s side, 2 from Cyfrin). Each team (Cyfrin and Arbitrum) will select who from their organizations will represent them in the Allocation Committee within 10 days of proposal approval.

Once composed, the committee will determine any additional eligibility criteria and share them with the community before opening up the application funnel. The application funnel should open within a maximum of one month post proposal approval.

Additionally, the Allocation Committee is responsible for defining the appropriate application process and reviewing applications on a recurrent basis. The process for reviewing these applications, as well as how often the Committee meets will be determined by the members based on the amount of applications received and their complexity.

We saw the community gather together under the STIP proposal and would like the same community participatory process to guide the direction of how the fund allocates the distribution. It’s a discovery process that we will run, partnering with Arbitrum to validate findings and iterate repeatedly.

Eligibility criteria for protocols applying to the Security Enhancement Fund

The Security Enhancement Fund aims at improving the security of all projects that have already deployed or will be deploying into the Arbitrum chain.

Any protocol that adds value to the Arbitrum ecosystem across DeFi, Gaming, DAOs, or social projects, real world assets tokenization, track and trace solutions, or any other track, bringing a healthy and sustainable contribution to the ecosystem, is welcomed to apply.

Projects should have already deployed to Arbitrum mainnet to apply, although exceptions can be made for:

  • Protocols who commit to deploying on Arbitrum within 6 months of the audit - if this is the case, the code being audited must be deployed exclusively on Arbitrum for 6 months before launching elsewhere. The Allocation Committee will determine when taking such a risk is worth the assessment.
  • Protocols who already have deployed and gained traction on other chains, looking to deploy to Arbitrum as well - if this is the case, information regarding the protocol’s TVL, active user base, and Arbitrum strategy should be shared in the application for review by the Allocation Committee.

Ineligible Projects

In an effort to keep the Arbitrum ecosystem secure and sustainable, we comply with and leverage Arbitrum’s guidelines to determine which projects are ineligible to apply for the Security Enhancement Fund.

Additionally, the Allocation Committee may establish additional guidelines for ineligible projects.

Security Enhancement Fund Distribution

100% of the funds from the Security Enhancement Fund will be used to audit Arbitrum projects.

The fund allocation per project will cover 60% of the protocol audit, expecting the protocol to cover the rest. The reasoning behind this is to ensure only protocols serious about their long-term growth get audited. However, an exception of sponsoring 80% of the audit could be made for unique situations as established by the Allocation Committee, such as a protocol accounting for large ecosystem growth or a large protocol deploying to Arbitrum.

This makes it extremely convenient for protocols built on Arbitrum to enhance the security of their codebase and protect users’ assets.

Audit prices are aligned with industry standards and calculated based on the complexity of the codebase under review.

  • For competitive audits, the prize pool is calculated as approximately $30 multiplied by the number of lines of code in the code base.
  • For private audits, the cost is calculated as $60,000 multiplied by the number of weeks required by the auditors to read, understand, and review the code base in scope. The time required for each audit is evaluated before the security review by the lead auditor assigned to the project and will be made publicly available to the community.

Protocols are permitted to undergo one or multiple smart contract security reviews per protocol update. The number of reviews is determined based on the codebase size, as indicated below:

  • For codebases or protocol updates with less than 5000 nSloc, security reviews will be limited to 1 per type.
  • For codebases or protocol updates with more than 5000 nSloc, security reviews will be limited to 2 per type.

nSloc is an objective industry measure that stands for Normalized Source Code. It is calculated by reducing all multi-line function declarations to a single line, removing all comments and empty lines, and counting the remaining number of lines of code.
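As an added illustration (not code from the proposal or from Cyfrin), the following Python counter implements the nSloc definition above for Solidity source and applies the proposal’s pricing rules to the result. The sample contract is constructed for the example, and treating exactly 5000 nSloc as the lower tier is an assumption, since the text only specifies “less than” and “more than”.

```python
import re

# Constructed sample Solidity contract; not from the proposal or any real project.
SAMPLE_SOURCE = """\
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/**
 * Toy vault used only to exercise the counter.
 */
contract ToyVault {
    mapping(address => uint256) public balances; // per-user balances

    function deposit(
        address to,
        uint256 amount
    ) external {
        balances[to] += amount;
    }

    /* single-line block comment */
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
    }
}
"""

COMPETITIVE_USD_PER_NSLOC = 30      # "approximately $30 multiplied by the number of lines of code"
PRIVATE_USD_PER_WEEK = 60_000       # "$60,000 multiplied by the number of weeks"
FUND_SHARE_DEFAULT = 0.60           # Fund covers 60% by default
FUND_SHARE_EXCEPTION = 0.80         # up to 80% for Committee-approved exceptions
REVIEW_LIMIT_THRESHOLD = 5000       # nSloc boundary between 1 and 2 reviews per type

# Declarations that may span several lines and must be collapsed to one.
DECL_RE = re.compile(r"^\s*(function|constructor|modifier)\b")


def strip_comments(src: str) -> str:
    """Remove // and /* */ comments, leaving string literals untouched.
    Newlines inside block comments are kept so line structure survives."""
    out, i, n, in_str = [], 0, len(src), None
    while i < n:
        c = src[i]
        if in_str:                                   # inside a string literal
            out.append(c)
            if c == "\\" and i + 1 < n:              # keep escaped character
                out.append(src[i + 1]); i += 2; continue
            if c == in_str:
                in_str = None
            i += 1
        elif c in ("'", '"'):
            in_str = c; out.append(c); i += 1
        elif src.startswith("//", i):                # line comment: drop to end of line
            j = src.find("\n", i)
            i = n if j == -1 else j
        elif src.startswith("/*", i):                # block comment: drop, keep newlines
            j = src.find("*/", i + 2)
            end = n if j == -1 else j + 2
            out.append("\n" * src.count("\n", i, end))
            i = end
        else:
            out.append(c); i += 1
    return "".join(out)


def collapse_declarations(lines):
    """Join a function/constructor/modifier header spanning several lines
    into a single line, ending at the first line containing '{' or ';'."""
    result, buf = [], []
    for line in lines:
        if buf:
            buf.append(line.strip())
            if "{" in line or ";" in line:
                result.append(" ".join(buf)); buf = []
        elif DECL_RE.match(line) and "{" not in line and ";" not in line:
            buf = [line.strip()]
        else:
            result.append(line)
    if buf:                                          # unterminated header at EOF
        result.append(" ".join(buf))
    return result


def nsloc(src: str) -> int:
    """Normalized source lines: comments removed, declarations collapsed, blanks dropped."""
    lines = collapse_declarations(strip_comments(src).splitlines())
    return sum(1 for line in lines if line.strip())


def reviews_per_type(n: int) -> int:
    # Assumption: exactly 5000 nSloc falls into the lower tier.
    return 1 if n <= REVIEW_LIMIT_THRESHOLD else 2


def fund_contribution(audit_cost_usd: float, exception: bool = False) -> float:
    return audit_cost_usd * (FUND_SHARE_EXCEPTION if exception else FUND_SHARE_DEFAULT)


def quote(src: str, private_weeks: int = 0, exception: bool = False) -> dict:
    """Estimate prize pool, private-audit cost, Fund share and review limit for a codebase."""
    n = nsloc(src)
    pool = COMPETITIVE_USD_PER_NSLOC * n
    private_cost = PRIVATE_USD_PER_WEEK * private_weeks
    return {
        "nsloc": n,
        "competitive_prize_pool_usd": pool,
        "fund_share_of_competitive_usd": fund_contribution(pool, exception),
        "private_audit_cost_usd": private_cost,
        "fund_share_of_private_usd": fund_contribution(private_cost, exception),
        "reviews_per_type": reviews_per_type(n),
    }


if __name__ == "__main__":
    print(quote(SAMPLE_SOURCE, private_weeks=2))
```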

Whatever allocation we don’t spend, at the end of the year we will return to the DAO for further use.

Steps to implement

Within the next year, the Cyfrin team commits to:

  1. Technical implementation of creating the Allocation Committee’s multisig and define its members
  2. Allocation Committee details eligibility requirements and allocation criteria
  3. Define and implement process for protocols to apply for audits alongside the Allocation Committee
  4. Review applications and start distributing funds strategically for protocols who meet the criteria
  5. Pair auditors with protocols
  6. Kick-off auditing process
  7. Amplify the Security Enhancement Fund as a great reason for projects to choose Arbitrum as their L2 of choice, as well as promotion of the protocols Cyfrin audits
  8. Final report to protocols

– Keep in mind, this process may vary depending on whether the protocol is undergoing a private, competitive or multi-phase audit.

Team

  • Patrick Collins: Cyfrin’s CEO and former Lead of Chainlink DevRel, Patrick revolutionized the industry, onboarding hundreds of thousands of developers into web3 with his courses and speeches, with more than 3 million views on his courses and ~160.000 subscribers across platforms.
  • Alex Roan: Cyfrin’s CTO, Alex is a veteran Web3 developer who has contributed to core DeFi infrastructure such as Chainlink and Compound - securing billions of dollars in value.
  • Hans Friese: Cyfrin Lead Auditor and Co-founder, Hans is one of the world’s top auditors, consistently ranking at the top within competitive auditor leaderboards. He is also the founder and Lead Engineer of Solodit, the most used vulnerability aggregator tool for auditors.
  • Don Dodge: tech veteran with a past in Google, Microsoft, Groove, Napster, AltaVista, and more. Startup investor, advisor, and board member.
  • Mark Scrine: previously the Strategic Lead for Proof of Reserve at Chainlink Labs and led a number of their biggest integrations. These included protocols such as TUSD, Matrix Port, Avalanche Bridge, BackedFi, and Swell Network.
  • Developer Relations & Marketing: Our industry leading DevRel team will work together with the Arbitrum’s community to promote, educate, and onboard auditors into the Cyfrin ecosystem, advocating for audit quality for protocols. Additionally, through Cyfrin’s Education platform, our DevRel team is brewing the next generation of software engineers into the space with Arbitrum as their L2 of choice. Composed of 6 people total, here’s an example of some of the leaders in our team:
    • Vitto Rivabella, formerly leading Developers Experience at Alchemy, the popular Web3 infrastructure provider, and Alchemy University, educating tens of thousands of Web3 developers. Web3 educator, investor, developer, public speaker and a former VFX supervisor.
    • Juliette Chevalier, former Lead of Developer Relations at Aragon and Co-founder of Surge Women, an organization bridging the educational gap between women and crypto products. She is also a key contributor to various DAOs, angel investor, software engineer, and public speaker.
  • Community Manager: Our Community Manager will foster peer-to-peer relationships and manage technical support for the students going through the Arbitrum courses - a vital resource for community members seeking assistance and supporting CodeHawks auditors to do their best work.
  • Design: Our design team will create visually engaging and user-friendly materials, enhancing the overall learning experience for the Arbitrum developer community and CodeHawks auditors.
  • CodeHawks Team: The CodeHawks team together with Cyfrin will run, promote, judge, support and moderate the competitions and the community, onboarding and assisting the protocols looking to onboard on Arbitrum. Once the team has made sure the protocol respects the eligibility criteria, they will manage the entire cycle from start to finish. This includes sales (answering to active inbounds, and protocols suggested by the community), contest details, marketing, judging, and final report submission.
  • Audit Team: Our team of security researchers consists of experts across a variety of fields like DeFi, oracles, Web3 social, and more. They come from the industry’s top auditor leaderboard and are dedicated entirely to the private audits.

Cost

The budget for this proposition totals $2 million.

The entirety of the funds is dedicated towards the sponsoring of audits for protocols deployed or deploying on Arbitrum.

The entirety of the funds will be expected upon proposal approval to maintain a rapid response to audit requests and safeguard protocol integrity.

Upon the onchain approval of the proposal, these funds will be transferred to the Allocation Committee’s multi-sig, set up by Cyfrin and containing the 2 Cyfrin Committee representatives. The multi-sig’s first transaction will then add the 3 Arbitrum representatives before transferring any funds to protocols.

Additionally, Cyfrin suggests the Allocation Committee reimburses the DAO quarterly in the event that the minimum expected capital for that quarter ($500,000) isn’t spent within that time period. This will also enable a tangible oversight mechanism for the DAO to ensure Cyfrin is doing the expected work.

Why $2M?

At an average cost of $60,000, sponsored at 60%, $2M would cover anywhere from 20-25 audits in the span of a year.

Although the cost of an audit varies widely based on codebase size, complexity, and audit type, audit prices typically range between $30,000-$100,000, with an average audit being ~$60,000.

Assuming the Fund covers 60% of the audit, $2M is estimated to cover anywhere from 20-25 audits within the span of a year. Additionally, 70% of the fund will be used to cover existing protocols on Arbitrum, with the remaining 30% used to cover new protocols launching on the chain.

– Important to note that in order to have the best possible security for a protocol, projects often go through 2 or more audits - including private and competitive audits. Particularly for complex projects already holding a high TVL, a multi-phase audit is highly advised to decrease the chances of an exploit to an absolute minimum.

Considering Arbitrum is believed to have 1.2M total commits and over 1,100 Arbitrum repositories, with over 450 active developers, this fund would cover ~10% of Arbitrum’s development.

Framework on payments, reporting, and oversight

Cyfrin pledges to publish financial reports to the DAO to uphold transparency and accountability every quarter, outlining expenditure details, audits funded, decisions made, and progress updates. These reports will be posted in the Arbitrum DAO’s forum for the DAO to periodically review.

Risks and Mitigation

  • CodeHawks auditing effectiveness: The effectiveness of the CodeHawks auditing program in enhancing security for Arbitrum projects may not be guaranteed, as it is dependent upon auditors joining the auditing contests.
    – Mitigation: Cyfrin will focus our efforts in ensuring CodeHawks has a strong track record of successful audits and large enough reward pools that attract the best auditors in the market. Additionally, the Cyfrin team will thoroughly assess projects receiving grants to ensure quality is high.

  • Quality of private audits: There’s always a risk that vulnerabilities are missed during a private audit which may lead to exploits.
    – Mitigation: Cyfrin strictly vets its security researchers and recruits the best from the market. However, when vulnerabilities occur, our auditing team is always on-call to support the project on an emergency basis. Additionally, we also offer the multi-phase audit approach, enabling projects with high TVL and active users to go through an even more in-depth review process as reviewed above.

  • Missing funds: Considering how complex and large some of Arbitrum’s codebases already are, we may see a scenario where a few protocols take up the whole dedicated quarterly amount or where more funds are needed than what the quarterly payment can afford.
    – Mitigation: Receiving lots of applications and interest from Arbitrum protocols is generally seen as a positive signal towards increasing ecosystem security. If we encounter such a case, the Allocation Committee may request an earlier dispatch of funds to the DAO in order to serve that specific protocol or wait until the following quarter payment if the audit time is not critical for the project.

  • Growth decreases quality: In the case where the amount of audits requested exceeds the amount of auditors Cyfrin has, there’s a risk we decrease quality of audits for quantity.
    – Mitigation: Where Cyfrin cannot do private audits, we will do competitive audits instead – relying on our community of auditors worldwide to support in the security review. We will not hire new auditors just for the sake of hiring, but rather focus always on the best in the industry for long-term recruitment and rely on our additional offering in the case where we don’t have bandwidth for more private audits.

  • Budget management: The proposed budget of $2 million is substantial, and there’s a risk of misallocation or overspending.
    – Mitigation: The Allocation Committee will be in charge of establishing clear guidelines for budget allocation, with quarterly payments allowing for adjustments based on performance. Periodic financial reports should be provided to the DAO to maintain transparency and accountability. Additionally, if no funds are spent in a quarter, these funds will be returned to the DAO for further use.

  • Lack of applications: There is a scenario where this Fund doesn’t get enough projects applying for funding and audits are not being granted.
    – Mitigation: The sole focus of our Sales team will be dedicated to getting quality Arbitrum projects to apply for audits, as well as the marketing efforts of our industry-leading DevRel team. This means reaching out to existing protocols individually, as well as unleashing the full force of our marketing efforts among Arbitrum circles to ensure the existence of this

Conclusion

More than a blockchain security research firm, Cyfrin is a web3 security powerhouse solving crypto’s most fundamental issues: security, education, and developer experience.

Leveraging our joint expertise, the Cyfrin team is beyond excited to partner with Arbitrum and provide our security services to make the Arbitrum ecosystem the go-to choice for engineers and businesses building in Web3.

– For reference, this proposal was made in consultation with Krysztof Urbański (L2Beat), Disruption Joe (Plurality Labs), CLG, Seb (Gains Network), Zer8 PRM, Matt (StableLab), Onkar, Sinkas, Limes.eth, and Frisson. It has gone through several rounds of feedback, ensuring we’re building alongside the Arbitrum ecosystem for the longer term.


UPDATE: Upon conversations with the L2Beat delegate, Cyfrin adds the additional details to the proposal:

  • L2Beat has suggested the Allocation Committee to be formed by 2 Cyfrin members, 2 Arbitrum DAO members, and 1 member from the Arbitrum Foundation. We find this to be a reasonable composition and would recommend the DAO and the Foundation select their own members to be represented since they know their members best and will have the most context on who’s best for the role.
  • Additionally, since we understand this can be a complex decision, we’re open to extending the timeframe on this selection process to 1 month after proposal approval. Defining the members within the Allocation Committee is a key requirement before any funds are allocated towards audits.
  • Additionally, as an additional reporting mechanism, we commit to, at least one member of the Allocation Committee, attending Arbitrum DAO’s monthly call to update on the Fund’s allocations.
  • Aside from what’s established in the proposal, the report will also include the amount of protocols which have applied for audits, the number of protocols that have undergone a security audit through the Fund, the total funds distributed within the quarter and how many funds remain for the rest of the year, the qualitative feedback from both private and competitive audits from the protocols who go through this service. Every report from an audit funded via this Fund will also be made publicly available for the DAO to review.
  • In terms of payments for the Allocation Committee members, we suggest spending a total of the Fund’s 75,000 USD on salaries for the Allocation Committee members within the span of a year. Cyfrin representatives will not receive additional funding, so the 75,000 USD will be divided across the 3 Arbitrum representatives. This translates to 25,000 USD a year for each Arbitrum representative. This means that the Fund’s total assets to allocate would instead be 1,925,000 USD.
  • We’d also like to add that Allocation Committee members commit to not accepting bribes from protocols in exchange for their vote.
  • Another suggestion we received was to set a cap amount of audit funds per quarter. We have defined that as 481,250 USD per quarter - so 25% of the Fund each quarter.
    As defined above, all yet-to-launch protocols who receive an audit should commit to deploying on Arbitrum within 8 months of their audit. If they do not accomplish this, there is reasonable expectation that they should refund the money to the DAO.
  • The Cyfrin team will lead co-marketing efforts with all the protocols audited, as well as with the Arbitrum DAO to further amplify our brands. This co-marketing will be done through our industry-leading DevRel team including, but not limited to, Patrick Collins.
  • While reviewing financial numbers above, we understand the value of these amounts will be in ARB. The conversion rate is determined at the moment when the proposal gets published for onchain vote. Meaning, when 100 USD are mentioned, these should be read as the value of 100 USD in ARB, at the value of ARB at the moment when the proposal is published for the onchain vote.
  • This proposal ultimately wishes to provide a signal to the wider Web3 ecosystem that Arbitrum cares deeply about protocols already on Arbitrum or looking to launch on Arbitrum. Getting this approved builds a safer ecosystem longer-term for everyone.

Really thrilled to see this proposal go up. We are dedicated to the craft of making web3 a better and safer place for developers and protocols.

And we have been huge proponents of the Arbitrum ecosystem for some time; we have been featuring security NFTs on the Arbitrum ecosystem in our educational courses for the past couple of years!

DeFi and web3 only work when what we have is secure. As far as financial environments go, this is the most adversarial environment out there, and we want to do our part to make sure we bring this amazing web3 technology to the masses.

And we can do it here on Arbitrum!


The future of crypto adoption hinges on smart contract security :zap:

This proposal passing could be a huge step towards a safer web3 ecosystem and an incredible advantage to protocols launching on Arbitrum.

Excited to see this come to life!


Arbitrum :clinking_glasses:Security :clinking_glasses: Safehands


Here is my view on how this proposal aligns to DAO priorities.

Alignment

This is intended to show how this proposal aligns to our strategic priorities.

(Scale: Actively against, Not aligned, Neutral, Aligned, Highly Aligned)

World Class DevRel - Highly Aligned

  • Developer support via smart contract audits

Future Proofing - Highly Aligned

  • Users & builders knowing that Arbitrum cares about security

Governance Optimization - Neutral

Grow the Community - Aligned

  • Competitive audits give developers a reason to use Arbitrum

This review is cost neutral. Its only concern is alignment to strategic priorities. The DAO always reserves the right to approve any proposal, aligned or not.


Thank you for the proposal @Cyfrin

  • What metrics will be used to evaluate the success and impact of the Security Enhancement Fund? How will these metrics be reported to the community?

  • In the event of a critical vulnerability being discovered in a live protocol, what is the emergency response plan? How quickly can Cyfrin and/or the community respond to mitigate risks?

  • @stonecoldpat Are there existing security initiatives within the Arbitrum Foundation? And how does this proposal aim to integrate with or complement these initiatives?


We have sponsored engagements with security firms for audits on core changes to the Arbitrum protocol, but we currently have no activities in relation to supporting audits for projects that want to deploy on Arbitrum (although we are exploring what it could look like).

This proposal does not interfere with any of our initiatives and is seen as complementary. If the proposal passes, like any proposal passed by the Arbitrum DAO, then we will step in to operationally support it. @jengajojo


Hey @jengajojo , thank you for these questions!

1. What metrics will be used to evaluate the success and impact of the Security Enhancement Fund? How will these metrics be reported to the community?

The success of the Security Enhancement Fund will be assessed through key quantitative and qualitative metrics.

These metrics include:

  • The number of protocols that have undergone a security audit through the Fund, ultimately strengthening the long-term ecosystem sustainability,
  • Total funds distributed within the quarter and how many funds remain for the rest of the year,
  • Qualitative feedback from both private and competitive audits from the protocols who go through this service,
  • Every report from an audit funded via this Fund will be made publicly available for the DAO to review.

Regular reports and feedback mechanisms will be utilized to communicate these metrics to the community transparently, as well as the results from our audits and any findings classified by severity found in our private and competitive audits.

These metrics will collectively gauge the Fund’s effectiveness in enhancing security within the ecosystem and the community’s confidence in the initiative.

2. In the event of a critical vulnerability being discovered in a live protocol, what is the emergency response plan? How quickly can Cyfrin and/or the community respond to mitigate risks?

Cyfrin puts every protocol we audit at the top of our priorities, treating each and every case with maximum promptness and attention.

Before and during private audits, our team provides a tailored security consultation to the protocol. We recommend that protocols themselves have emergency plans defined in the occurrence of an incident.

That said, Cyfrin’s emergency plan if a vulnerability is identified in a live protocol that Cyfrin has privately audited is as follows:

  1. Cyfrin team gets notified of the incident. Usually, the protocol reaches out to our team directly via the channels established at the start of the private audit process. At that point, communication lines with the protocol’s engineering team are prioritized and open.
  2. In high-priority mode, Cyfrin alerts members of the security team with the most context on the protocol. At this point, we act as support in reviewing the mitigation strategy and its implementation.
  3. Once the event has been contained, the Cyfrin team does a post-mortem review and establishes the cause, impact, and mitigation steps that were implemented. This is shared with the protocol for their review as well, and can be shared with the DAO, if requested, to provide full context of the incident.
    To decrease the chances of this ever occurring, our team strongly suggests projects undergo both a private and a competitive audit.

Hope that answers your questions and, of course, always open to feedback!
— Cyfrin team

11 Likes

Robust smart contract security is paramount to the success of the Arbitrum ecosystem. The combination of publicly viewable code on an immutable ledger with such code often being responsible for handling upwards of billions in user funds, means security absolutely cannot be overlooked. This goes double given the existence of sophisticated state-level threat actors. Helping cover auditing costs for projects building on Arbitrum would help facilitate smart contract innovation in a safe manner, a win for the whole Arbitrum ecosystem.

I’ve personally known Patrick for a number of years and can vouch for not only his deep understanding of the nuances of smart contract development, but also his security-oriented focus with Cyfrin in helping create a healthy, robust onchain economy. I’m fully aligned with this proposal.

14 Likes

This proposal by Cyfrin to establish a Security Enhancement Fund for the Arbitrum ecosystem is a highly foresighted and strategic initiative. The reputation of the Cyfrin team, with their extensive experience and proven expertise in smart contract security, places them in a unique position to spearhead this proposal aimed at bolstering the security infrastructure of Arbitrum. The careful planning, thorough breakdown of audit methodologies, and the pragmatic approach towards cost allocation reflect a deep understanding of the challenges at hand and a well-thought-out strategy to overcome them. The alarming statistics regarding the losses in the DeFi sector underline the critical need for enhanced security measures, and this proposal addresses this issue head-on. By facilitating rigorous audits of Arbitrum projects, this initiative will substantially mitigate the risks associated with smart contract vulnerabilities, thereby fostering a more secure and trustworthy environment for both developers and users.

We at Gains Network wholeheartedly resonate with the ethos of thoroughness and scrutiny as expressed in this proposal. In our operations, we place a paramount emphasis on conducting rigorous unit and system tests, alongside multiple audits, before we proceed with deploying any update to our smart contracts on the mainnet. This approach underpins our commitment to ensuring the utmost security and reliability of our platform, which in turn cultivates trust and safeguards the interests of our users, which benefits both us and Arbitrum as a whole. The advent of the Security Enhancement Fund as proposed by Cyfrin is a stride in the right direction for bolstering the overall security framework of the Arbitrum ecosystem. Recognizing the synergies in our shared pursuit of elevating security standards, Gains Network looks forward to supporting this proposal once it is live on Snapshot, and we hope others also see the value in this proposal.

6 Likes

Hi, thank you very much for the proposal. I completely agree that auditing is a pivotal task, and I am in favor of the DAO funding/subsidizing protocol audits.

However, I have reservations regarding the funding mechanism proposed through this AIP.

Primarily, I don’t see the necessity to allocate 2M in funding to a single auditor who will subsequently determine which protocols should receive the subsidy or funding. This introduces two significant issues:

  • It presents a concentration risk associated with decision-making concerning the allocation of funds.
  • It inadvertently establishes an auditing monopoly. The benefiting provider might lack the incentive to maintain a high standard of service, knowing that a lot of protocols will necessitate their services. Furthermore, with an extensive subsidy at their disposal, they will gain a competitive advantage over other providers. Lastly, this could further lead to potential exploitation through exaggerated service fees.

In distributing funds aimed to benefit the end user, a more direct approach would be preferable—subsidizing the end user directly (in this case, the protocols aiming to deploy on Arbitrum), as opposed to the service provider. By adopting this approach, we can retain all the benefits articulated in this proposal, with which I firmly agree, while also mitigating risks related to centralization.

How can this approach be implemented? The DAO could opt for approving a 2M budget dedicated to subsidizing audits, subsequently allowing each protocol to apply for the subsidy they deem necessary for deployment on Arbitrum. Complementing this, a list of recommended—or potentially mandatory—auditors could be voted on. This ensures that, when evaluating each subsidy application, the audit is guaranteed to be conducted by a reputable and proficient auditor (such as Cyfrin).

Thus, when a protocol applies for an audit subsidy, it would be obligatory to detail the chosen auditor, the associated audit costs, and the subsidy amount being requested. If approved, the funding is then released to the auditor. This method ensures the prudent allocation of funds, safeguarding against the aforementioned potential adversities.

*I am a member of SEED Latam, but this opinion is my own personal view and does not reflect that of the Arbitrum delegation.

2 Likes

UPDATE: Upon conversations with the L2Beat delegate, Cyfrin adds the following details to the proposal:

  • L2Beat has suggested the Allocation Committee to be formed by 2 Cyfrin members, 2 Arbitrum DAO members, and 1 member from the Arbitrum Foundation. We find this to be a reasonable composition and would recommend the DAO and the Foundation select their own members to be represented since they know their members best and will have the most context on who’s best for the role.
  • Additionally, since we understand this can be a complex decision, we’re open to extending the timeframe on this selection process to 1 month after proposal approval. Defining the members within the Allocation Committee is a key requirement before any funds are allocated towards audits.
  • Additionally, as a further reporting mechanism, we commit to at least one member of the Allocation Committee attending Arbitrum DAO’s monthly call to update on the Fund’s allocations.
  • Aside from what’s established in the proposal, the report will also include the number of protocols which have applied for audits, the number of protocols that have undergone a security audit through the Fund, the total funds distributed within the quarter and how many funds remain for the rest of the year, and the qualitative feedback from both private and competitive audits from the protocols who go through this service. Every report from an audit funded via this Fund will also be made publicly available for the DAO to review.
  • In terms of payments for the Allocation Committee members, we suggest spending a total of 75,000 USD of the Fund on salaries for the Allocation Committee members within the span of a year. Cyfrin representatives will not receive additional funding, so the 75,000 USD will be divided across the 3 Arbitrum representatives. This translates to 25,000 USD a year for each Arbitrum representative. This means that the Fund’s total assets to allocate would instead be 1,925,000 USD.
  • We’d also like to add that Allocation Committee members commit to not accepting bribes from protocols in exchange for their vote.
  • Another suggestion we received was to set a cap amount of audit funds per quarter. We have defined that as 481,250 USD per quarter - so 25% of the Fund each quarter.
    As defined above, all yet-to-launch protocols who receive an audit should commit to deploying on Arbitrum within 8 months of their audit. If they do not accomplish this, there is reasonable expectation that they should refund the money to the DAO.
  • The Cyfrin team will lead co-marketing efforts with all the protocols audited, as well as with the Arbitrum DAO to further amplify our brands. This co-marketing will be done through our industry-leading DevRel team including, but not limited to, Patrick Collins.
  • While reviewing financial numbers above, we understand the value of these amounts will be in ARB. The conversion rate is determined at the moment when the proposal gets published for onchain vote. Meaning, when 100 USD are mentioned, these should be read as the value of 100 USD in ARB, at the value of ARB at the moment when the proposal is published for the onchain vote.
  • This proposal ultimately wishes to provide a signal to the wider Web3 ecosystem that Arbitrum cares deeply about protocols already on Arbitrum or looking to launch on Arbitrum. Getting this approved builds a safer ecosystem longer-term for everyone.

3 Likes

I think the proposal that was uploaded to Snapshot does not have the latest updates. Could you check if I am wrong?

https://snapshot.org/#/arbitrumfoundation.eth/proposal/0xd295aabe7d3072c4397957e329ba164025c81e5844814388188bd2875d51e447

As builders in the space, we believe security is of utmost importance. It would be great to be able to work alongside Cyfrin to accelerate the growth of Arbitrum, and are supportive.

3 Likes

Hey @axlvaz_SEEDLATAM.eth ,

Sadly, Snapshot has a 20k character maximum so we couldn’t upload it all through text. Instead, we added a PDF link with the entire proposal at the bottom of the text, which contains the updates. You can find the proposal here: https://bafybeieamtixt3tpeajimfkye5utfdh6m3sy6y5drzz7bgdx4ilbgxubza.ipfs.dweb.link/

Hopefully that helps!

Best,
– Cyfrin Team

2 Likes

The below response reflects the views of L2BEAT’s governance team, composed of @krst and @Sinkas, and it’s based on the combined research, fact-checking and ideation of the two.

We’ve had an extensive back and forth with the Cyfrin team in order to provide our feedback to their original proposal. We’re glad they’ve taken some of it to heart and revised their proposal before bringing it to temp check. After careful consideration, we’re leaning towards voting in favour of the proposal during the temp check.

As we see it, the benefits of the proposal are that:

  • Assisting protocols with their security audits is a net positive for the ecosystem and further solidifies Arbitrum as a good ecosystem for projects to build on.
  • We’ll be allocating a budget around a very important aspect of DeFi and blockchain tech in general which is security.
  • The Arbitrum ecosystem will benefit from the exposure gained through Patrick Collins and the association of Cyfrin with him.

Disclaimer:

  • We do not know how good of a security audit firm Cyfrin is, and how efficient they are with identifying vulnerabilities.
  • We are uncertain around whether or not the budget requested is competitive compared to the market rates for similar scope of work.

The above points didn’t affect our decision-making, simply because we were unable to reasonably assess them.

3 Likes

After discussion with a few project delegates, I have raised a proposal and Snapshot to take an alternative approach which targets inclusivity for security services projects to collaborate on an RFP process.

3 Likes

Reviewed the proposal in depth and had a few questions.

I did not see how many resources you allocate at 60k per week for private audits.
At that cost, I would expect 4 full-time resources plus a project management lead. Is my understanding correct? I saw it said teams of 2-3, but that seems like it may be a mistake.

I want to explore this with an example.
6500 nSLOC (Complexity High, Diamond Proxy Use, Option Derivative-like Product)
4+1 Resources over 6 weeks = 24 weeks in total.

Using the rubric you have proposed to the DAO, what would be:
A) The total cost in USD
B) The time from start date to finish date (would it be 24w or 6w)
C) The cost to the Project, the cost to the DAO.
D) Assuming 4 Auditors, can you confirm the individual security researchers?

3 Likes

Hey @dk3 , thank you for these questions!

At Cyfrin, we believe in providing our clients with the best possible security research services.

That’s why we exclusively engage Lead Security Researchers (LSRs) who are part of our in-house talent pool. We don’t involve junior researchers or anonymous contractors in security reviews. Instead, we prefer to have 2-3 LSRs per project to ensure that we provide our clients with the highest quality service. We believe that this approach sets us apart and enables us to deliver the best results for our clients.

It is important to note that our LSRs do not switch between projects and remain focused on a single codebase throughout the entire audit duration. This focus is essential in providing as much value from security reviews as possible.

For our Private Audits, the $60k cost is a fixed amount, and this is underpinned by the reasons I mentioned earlier:

  • a refusal to include anonymous contractors or junior security researchers,
  • a dedication to preventing context switching between projects,
  • and our commitment to providing two LSRs for each project.

This dedication to quality and depth in our services is something we take great pride in.

Using the rubric you have proposed to the DAO, these would be the results:

  • A) The total cost in USD: if three LSRs were assigned to the task, it would cost $60k per week.
  • B) The time from the start date to the finish date (would it be 24w or 6w): having said that, it’s difficult to assess the codebase without an LSR’s review. Typically, our researchers require about a week for every 1,000 lines of code to conduct a thorough review. However, the duration can vary based on several factors, such as complexity, external dependencies, security posture, testing strategy, and use case.
  • C) The cost to the project is different than the cost to the DAO: the budget for the project will cover 60% of the cost of the protocol audit, while the protocol is expected to cover the remaining 40%. However, in certain cases, as defined by the Allocation Committee, such as when a protocol has a significant impact on ecosystem expansion or is deployed on Arbitrum, an exception may be made, allowing for up to 80% of the audit expenses to be covered.
  • D) Assuming 4 auditors, can you confirm the individual security researchers? We can confirm which LSRs are working on a protocol during project onboarding. The protocol team will have a direct line of communication with the LSRs throughout the course of the audit.

Hey everyone,

We first want to thank you all for your time over the past 2-3 months, during which we’ve collaborated in crafting the Arbitrum Security Enhancement Fund. We’re grateful for the feedback and support.

We have taken all the feedback from the community and have decided to withdraw our proposal for the Arbitrum Security Enhancement Fund.

Cyfrin has one goal: to level up security at every part of the Web3 journey, so we are ecstatic that our proposal initiated these types of conversations within Arbitrum.

Having that said, DK’s proposal of consolidating security proposals into the RFP process is the best way forward for Arbitrum’s ecosystem in the long-term.

We aim to do what’s best for the Web3 industry as a whole, and in this case, for the Arbitrum DAO. Our goal is not to play a political game to try and get votes for our specific proposal, but rather to push for higher standards of security across the industry. An RFP process where other security firms can also compete to audit protocols is the best move longer-term.

While in favour of DK’s proposal, we still want to reiterate the necessity of a timely response from the DAO to address the ongoing security issues our ecosystem faces. We want to raise concerns on how promptly this RFP process should be created, and how urgently we need a system that acts in the best interest of a scalable, secure and sustainable environment for the long-term. The longer we wait to define this internally, the more assets are at stake, and the longer it’ll take to reach mainstream adoption.

We remain at the DAO’s disposal for any insight we can provide on how to get this process going, as well as open to running initial audits as test runs, serving as valuable data points for assessing how security firms can best collaborate with the DAO, handle allocation, schedule, and manage audits. We see this as being in the best interests of the DAO, Arbitrum protocols, and its users.

Arbitrum’s protocols can’t go on mainnet unaudited and existing protocols needing security reviews need support from the DAO. A solution needs to be found and actualized in the shortest time possible.

How can we support the Arbitrum DAO to actualize this proposal as soon as possible?

Disclaimer: at the time of writing this, we are at 75% votes in favour of our proposal - but given the recent discussions, we’re taking the stance of pausing the proposal in favour of the ongoing discussions and reaching a consensus around the process that the DAO considers the best.

1 Like