Abstract
This proposal requests $100,000 payable in ARB to integrate Almanax, an AI-powered security engineering tool, into the Arbitrum ecosystem for 100 ecosystem projects. With Almanax, ecosystem projects get access to on-demand AI security audits, as well as vulnerability management in their CI/CD pipelines for continuous real-time vulnerability detection, triaging, and automated patching. The goal is to help Arbitrum’s developer community strengthen security, improve remediation time, reduce overhead, and prevent costly exploits at the development level, regardless of size and funding.
Almanax has discovered critical vulnerabilities across 160+ companies in cryptography libraries, wallet infrastructure, Layer 1 and Layer 2 monorepos, and traditional finance stacks. It also found vulnerabilities in Coinbase, OP Labs, Fireblocks, and smart contracts written by Vitalik. Almanax also continues to win bug competitions, competing alongside the best security researchers in the world. Recently our AI agents made it to the podium in:
- Solana Foundation Token22 audit competition on Code4rena (1st place)
- Citrea by Chainway Labs audit competition on Cantina (4th place)
- Meteora competitive audit on Code4rena (4th place)
Almanax proposes a phased approach to providing long-term impact to projects building on Arbitrum. The first phase will provide subsidized Almanax accounts to 100 ecosystem projects for 1 year. The second phase, at Arbitrum’s request, will train a custom agent specifically for the Arbitrum ecosystem. The training process will include the creation of a benchmark dataset, agent training, deployment, support, maintenance, and upgrades.
Motivation
As one of the largest and most active Layer-2 ecosystems, Arbitrum is a high-value target for exploits and hacks. A single major incident would not only incur direct financial losses but also erode trust, slow adoption, and potentially deter builders from deploying on Arbitrum.
Historically, many exploits on Arbitrum have followed recurring patterns and could likely have been detected via code analysis.
By comparison, below are some examples of vulnerability types Almanax successfully detects:
- Access Control
- Reentrancy
- Logic Bugs
- Incorrect Business Logic
- Flash Loan Exploits
- Unchecked Delegate Calls & Proxy Risks
- Oracle Manipulation
- Overflows
- Time Manipulation & Randomness Issues
Consider, for example, a contract vulnerability Almanax discovered in the Farcaster Attestation Cantina competition earlier this year. The contract calculates a final payout by taking the total balance, subtracting the deposit amount, and adding the reward amount. In certain scenarios, this calculation can demand more ETH than the contract really holds, or, if the balance is high enough, it can overpay and let an attacker withdraw more than they deserve. If the protocol had scanned its repository with Almanax, the scan would have flagged this logical oversight as a high-severity finding.
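To make the pattern concrete, here is a constructed Solidity illustration (added here; it is not the Farcaster Attestation code or Almanax’s finding) that reproduces the balance-based payout described above next to a hardened version that pays out only the caller’s own deposit and a reward that was actually funded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration of the payout pattern described above; not the
// Farcaster Attestation contract or Almanax's actual finding. Access control
// on creditReward is omitted because it is not the point being shown.
contract PayoutVulnerable {
    mapping(address => uint256) public deposits;
    mapping(address => uint256) public rewards;

    function deposit() external payable { deposits[msg.sender] += msg.value; }

    // Reward is recorded but never backed by ETH.
    function creditReward(address user, uint256 amount) external { rewards[user] += amount; }

    // BUG: payout is derived from the whole contract balance, not from the
    // caller's own entitlement. With one depositor, balance - deposit is zero,
    // so the payout is the unfunded reward and the transfer reverts once it
    // exceeds what the contract holds. With several depositors, balance -
    // deposit is the other users' ETH, so the caller is overpaid at their cost.
    function withdraw() external {
        uint256 payout = address(this).balance - deposits[msg.sender] + rewards[msg.sender];
        deposits[msg.sender] = 0;
        rewards[msg.sender] = 0;
        payable(msg.sender).transfer(payout);
    }
}

contract PayoutFixed {
    mapping(address => uint256) public deposits;
    mapping(address => uint256) public rewards;
    uint256 public rewardPool; // ETH actually set aside for rewards

    function deposit() external payable { deposits[msg.sender] += msg.value; }
    function fundRewards() external payable { rewardPool += msg.value; }

    // A reward can only be credited out of ETH that has really been funded.
    function creditReward(address user, uint256 amount) external {
        require(amount <= rewardPool, "reward not funded");
        rewardPool -= amount;
        rewards[user] += amount;
    }

    // Payout is the caller's own deposit plus their funded reward, so it can
    // never exceed the balance; state is cleared before the external call.
    function withdraw() external {
        uint256 payout = deposits[msg.sender] + rewards[msg.sender];
        deposits[msg.sender] = 0;
        rewards[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
}
```

The invariant a scanner should check for is that each user’s payout is computed from that user’s own accounting, never from the contract-wide balance, and that every credited reward is backed by ETH the contract actually holds.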
While smart contracts are the epicenter of catastrophic exploits, the software supply chain presents an equally dangerous vector. A single compromised third-party dependency can lead to devastating outcomes across multiple projects. Almanax’s vision goes beyond smart contracts.
For example, the infamous typosquatting attack (typosquatting: registering names nearly identical to legitimate ones to deceive developers) on the Go ecosystem mimicked the popular BoltDB module to distribute a backdoor. This malicious package could have led to widespread system compromise, data exfiltration, and persistent access for attackers. Almanax’s scan of the malicious Go package resulted in a positive detection with a critical severity, as seen below.
While traditional static analyzers can also catch vulnerabilities quickly and integrate easily into workflows, one key differentiator is the ratio of true to false positives. Recently we conducted comprehensive benchmarking across multiple distinct security domains including EVM smart contracts written in Solidity. We tested Almanax integrated with three language models (GPT-5, Claude 4.5, and o4-mini) and compared their performance against standard static analyzers including Slither and Solhint.
Given the above false positive rates, and because popular legacy tools report vulnerabilities in a Solidity codebase with significantly lower detection rates, there is a high chance that major vulnerabilities remain undetected, leaving large security blind spots. The high false positive rates also create alert fatigue.
Almanax is already showing promising versatility in code analysis. Whether it’s EVM-based smart contracts or conventional software in Go or Rust, it can understand syntax, semantics, and even context-sensitive business logic. It combines repository-wide context awareness with specialized security knowledge to identify vulnerabilities that would have remained invisible to traditional tools, while also offering lower false positive rates.
Almanax not only reduces false positives and improves detection accuracy but also extends protection beyond smart contracts to the broader software supply chain. This positions Almanax as a next-generation guardian that continuously monitors, learns, and defends at scale. It empowers builders with an intelligent, always-on layer of protection, which aligns directly with Arbitrum’s mission of secure, scalable, and trust-minimized innovation. Supporting Almanax through a grant would therefore strengthen Arbitrum’s role as the most secure, developer-friendly, and forward-looking Layer-2 ecosystem in the Ethereum network.
Rationale
The Arbitrum DAO’s core values underscore a long-term commitment to resilience, transparency, and accessibility. This is evident through Arbitrum’s Audit Program. In this context, ecosystem security is not just a technical priority but a foundational requirement for maintaining user confidence and ensuring the sustainable growth of hundreds of projects that rely on Arbitrum’s infrastructure.
Awarding a grant to Almanax directly advances these objectives by providing projects with a scalable, autonomous security layer that would help protect the entire ecosystem. It also offers vulnerability management as a public good rather than a privilege reserved for well-funded teams. This aligns with Arbitrum’s sustainable, user-focused, and technically inclusive values, while reinforcing its security-minded ethos.
Key Terms
False Positive Rate (FPR): Measures how often a tool incorrectly flags secure code as vulnerable. A lower FPR means fewer false vulnerabilities and less time wasted investigating code. This metric is equally important in practice: a tool that drowns developers in false positives quickly loses trust, and its findings often get ignored even when it is flagging real issues.
Recall: Represents detection rate, the proportion of actual vulnerabilities that a tool successfully identifies. Higher recall means fewer vulnerabilities slip through undetected, which is crucial for security. A tool with perfect recall would catch every single vulnerability in your codebase, giving you complete visibility into your security posture.
Specifications
Almanax is an AI-powered security platform that identifies complex software vulnerabilities at machine speed. The tool acts as a persistent security radar, addressing gaps that current commercial scanners and static analysis tools cannot fill. Launched in April 2025, Almanax is seeing great traction, gaining more users every month. Users scan several million lines of code every week and understand the value of having an AI security engineer available 24/7.
At present, our security capabilities include:
- AI Security Audits for large and complex repositories
- Continuous vulnerability detection at every code push through CI/CD integration
- Natural language custom rules
- Foundational knowledgebase
- Severity classification (Critical, High, Medium, Low)
- Clear, contextual explanations for each issue to aid developer remediation
- Noise reduction by filtering false positives from legacy tools
- Commit and PR patching suggestions with every finding
Steps to Implement, Timeline, Milestones, and Deliverables
Subsidized Accounts for Ecosystem Projects: Arbitrum announces the initiative to ecosystem projects, offering up to 100 subsidized subscriptions:
Timeline: Month 1 - 12
Deliverables
- Exclusive flat fee partner pricing
- 100 x Premium 1 year subscriptions to Almanax, including:
  - Full repo scanning
  - CI/CD integration
  - Access to all Specialized AI Agents
  - Auto-Patching
  - Custom Rules
  - Proof of concept generation
  - Slack integration
  - Role-based access control
  - Dedicated support
- Ecosystem project perks at no cost to them:
  - Joint marketing opportunities
  - 10% discount for each project that wants to continue using Almanax post-promotion, for 12 months of service
OPTIONAL Custom Agent Development:
Milestone 1 - Dataset Creation: Develop a plug-and-play dataset that can be used by Arbitrum, Almanax, and select ecosystem projects to evaluate the performance of AI models and static analyzers. Almanax will collect and structure additional data with the help of the Arbitrum security team, including but not limited to:
- Audit reports and their corresponding codebase
- Best practices
- Security guidelines
- Known vulnerabilities
- Synthetic data
Timeline: Months 1 - 3
Deliverables:
- Benchmark dataset
- Open-sourced script to evaluate the performance of other AI models on the benchmark dataset
Milestone 2 - Agent Customization: Almanax will customize its AI model on the Arbitrum dataset and make the custom Arbitrum Agent available in the Almanax platform.
Timeline: Months 4 - 5
Deliverables:
- Released agent on Almanax platform
Milestone 3 - Maintenance & Upgrade: Arbitrum, select ecosystem projects, and Almanax will work together to monitor the performance of the new custom-trained Arbitrum Agent, as well as additional commercial models that may come out during the grant period (e.g. OpenAI o8), based on the metrics below:
- Recall/detection rate
- False positive rate
- Biases
- etc.
Timeline: Months 6 - 12
**Overall Cost:** $100,000 payable in ARB and distributed following the schedule below:
- $100,000 distributed upon grant approval for 100 Almanax Premium annual subscriptions
- [OPTIONAL] $25,000, evenly distributed and tied to approved completion of OPTIONAL Custom Agent Development milestones 1 - 3, detailed in the roadmap above.
Conflicts of interest: None
Conclusion
As Arbitrum continues to attract builders, liquidity, and users, the scale and sophistication of potential exploits will only increase. Historical data already shows that recurring vulnerability patterns, many detectable through code analysis, continue to cause preventable losses. Traditional static analysis tools excel at catching simple, single-file vulnerabilities, but they struggle when security flaws span multiple files or require deep contextual understanding of complex codebases. They also generate a lot of noise through high false positive rates. Almanax’s roadmap pushes well beyond today’s single-line vulnerabilities by acting as a continuously learning, AI-driven defense layer capable of identifying vulnerabilities across smart contracts and the broader software supply chain before they can be exploited. Its precision in detecting logical, access control, and oracle manipulation flaws, combined with its low false-positive rates, lets developers focus on building while remaining protected by an always-on security safety net.
Almanax has been awarded a grant from the OpenAI Cybersecurity Grant Program to push the boundaries of what threats AI can detect in real-world multi-host environments. By making Almanax’s advanced protection accessible to ecosystem projects, a grant from the Arbitrum DAO to subsidize the use of Almanax would help reduce ecosystem risk, enhance user trust, and continue to strengthen Arbitrum’s position as one of the most secure and resilient Layer-2 networks in the Ethereum ecosystem. This investment would help safeguard Arbitrum’s reputation as the most secure and innovative Layer-2 network, ensuring that developers and users alike can engage with confidence in a trusted, resilient environment while reinforcing Arbitrum’s community values: security, sustainability, and inclusivity.
Non-Constitutional
This proposal is submitted as a Non-Constitutional AIP under the Arbitrum DAO Grants Program, under the security and developer tooling category. It will follow the standard governance process of forum discussion, Snapshot off-chain voting, and on-chain Tally vote.