Appreciate the reasoning provided! I too have voted for $2.5 million for a single cohort; I am generally in favor of doing pilots at this stage rather than scaled-up programs.
Hi Pedro,
Firstly, appreciate your insightful analysis as always ser!
Addressing queries hereunder:
- We do not have a "pre-approved whitelist". What we will have is the publication of an RFP process for security service providers, who will then be assessed in light of the Security Framework for Security SPs and also the RFP itself. I reiterate, there is no pre-approved whitelist - the whitelisting process will start soon and will be announced publicly on the forums.
- Unfortunately, we cannot make the collated input public yet as it contains data tantamount to business secrets from the Security SPs' end. Hence, we would not like to put the members of the ADPC at risk by making public the fees that were disclosed to us in good faith so that we can create an optimal, well-structured and thought-out proposal (as I believe this one is).
- This isn't an incentive program like STIP, Backfund, LTIPP, or STIP-Bridge (just realising now that we had quite a few). This is a subsidy fund for procurement where the ADPC serves as a facilitator (a bridge, so to speak) between projects eligible for subsidies and the whitelisted SPs themselves. The ADPC whitelists SPs as part of the Security Procurement Framework and the ancillary documentation (RFP & legal documentation we have drafted, led predominantly by Paul Imseh). Separately, the ADPC assesses applications for subsidies by Projects requesting subsidies for a service they desire from a security SP. At no point do we serve as decision-makers re. which SP a project uses - this is at the Project's discretion. To facilitate the aforementioned process, a background in procurement is vital (in this regard, members of the ADPC do have this background). In LTIPP (a comment that was voiced by many members), elections turned out to be a popularity contest and not one based on merit - by way of disclosure, even I participated in the LTIPP elections, yet I fully believe that there were better candidates than I was who unfortunately placed at the bottom of the pile. Hence, votes weren't cast on capability, but rather on social capital/optics (this is not to say that good work hasn't been done, as I have not assessed the LTIPP's work yet - but maybe better work could have been done had votes been cast on capabilities? I think the answer to this is always a resounding yes, whatever the endeavor).
To sum up this point, given the low number of applicants we had for the ADPC w/a Procurement Background, we sought to put this under our cap (AT NO ADDITIONAL COST FOR THE DAO) so as to ensure that it's done correctly. Should there be consensus for a committee setup, we'll naturally implement it as we are merely vessels of tokenholders' wants and needs.
- Re. "Why is there a need to rush this snapshot vote before having this defined?" Bernard there refers to an altogether separate process for whitelisting SPs which has nothing to do with this proposal. This RFP will be done soon (latest, beginning of next week).
- Re. the Security Expert; it is not an acknowledgement of a lack of security expertise (speaking for myself, I deal with Security SPs, scopes of work, reports, audit structuring etc. on a daily basis due to my firm's clientele). This was merely a comment posted by a contributor that we saw generated general consensus and also made sense, and thus (as we always do) we sought to implement it. Re. Additional Costs, this is yet TBD as we have interested parties willing to do it free of charge due to their non-profit nature. Re. utilising the ARDC, let me remind you that OpenZeppelin is on the ARDC - and OZ will be participating in the RFP - hence this would be a conflict of interest.
- Re. "I sincerely believe that it was not sufficiently discussed. I have requested information about the public notion, the biweekly reports, and the minutes of the meetings, none of which were made available to the DAO.
The only message with information about a call was in the Telegram group regarding the first call, which was announced approximately an hour before it actually took place. If I am mistaken or do not have the correct source of information, I apologize."
Firstly, the call was on the ArbitrumDAO calendar for circa 1.5/2 weeks before the call occurred. In addition, we also had another call this week to discuss, which was pre-announced and also put in the calendar, yet no delegates attended aside from Krzystof from L2Beat. It is a delegate's responsibility to ensure he/she stays up to date so that the voting rationale mirrors diligent work done. In addition, the proposal has also now been up on the Forums for 20 days - 13 days more than the time period required by the ArbitrumDAO Constitution. We reached out to delegates to discuss, hosted calls, one-on-ones, etc. Not much more we can do - we cannot force people to participate ser
Also, our Notion will be made public in the coming days containing all details (was not made public previously as we were sorting out confidentiality issues).
- Re. "What is the need to expand the budget that has already been approved for controlling one (or the same) multisig?"
The MS Members undertake potential legal risk for being signers. At this point in time, they merely sign ADPC-member payments; yet, with the Subsidy Fund in place, we require an additional level of security to pay project subsidies. Hence, we believe that with an additional task in place, an additional reimbursement is sensible and fair.
- Re. "I believe it would be ideal for this entire document to be presented on the forum rather than in a separate PDF on Drive that could be modified in the future." - Not an issue to post on the Forum - when I have posted on the Forum previously, the comment from delegates was the opposite, i.e. post a doc as it's difficult to read on the forum. No issue doing both.
- Re. "Regarding this, I believe it would be better for the funds paid by the DAO to be denominated in ARB" - We do not agree, as Projects needing to pay service costs cannot exactly pay SPs in ARB tokens. We also need the funds in stables so that we can ensure that we cover a certain amount of service fees (which are always USD denominated and payable).
Appreciate your rigorous assessment @pedrob - I appreciate your diligence in providing feedback to us ser <3
Hi @ruslanklinkov ,
Should you have any feedback on specific points in the proposal, we're all ears. We put in a lot of work to make sure that it does indeed contain transparency requirements and targets all the specifics needed.
We believe that a proposal aiding projects to cut down on their security service costs is an important endeavor to implement - hence, we're all ears to hear your feedback, even privately if needed, to see how we can improve - keep in mind amendments can be made pre-on-chain vote.
Hey @AbdullahUmar !
Appreciate your comments ser
Addressing your queries hereunder:
- The pending matters are close to being resolved (in consideration of the fact that these can be submitted at the on-chain voting stage, we thought it best to first get a sense of whether this proposal has the ancillary appetite from the DAO, and in the meantime hash out these pending facets - naturally, at the on-chain stage these will be in place - we first wanted to see whether the SF's structure, assessment etc. is to the DAO's liking, hence the temperature check).
- Keep in mind that the RFP to be issued is re. Security SPs, not Projects.
There are two piles of work here so to speak:
[i] Whitelisting Security SPs as per the Security Procurement Framework and the RFP to be published by (latest) beginning next week - SPs apply, ADPC vets, ADPC whitelists.
[ii] Subsidy Fund - Projects apply for subsidies, ADPC assesses in light of Means Test, ADPC issues Subsidy % amount, Project chooses SP from whitelisted SP List, ADPC pays the % service subsidy.
- Re. "stated areas of interest—RWA, gaming, and collab tech": This is merely an idea of ours to further incentivise development of these projects. The SF is naturally not limited to these project-types, but an idea is to grant these project-types a higher % subsidy if they are developing in that area, to continue building on these primitives/sectors in our ecosystem and attract these verticals.
Appreciate your feedback ser <3
Saying we should hire based on capabilities is an obvious yes but your logic for arriving at the ARDC self deciding to step into this role are somewhat flawed.
Given the ADPC was also elected, the point seems moot since it could have been just as much a social or popularity contest instead of capability. This is not to say that good work hasn't been done, as the DAO has not assessed the ADPC's work yet.
Hope my questions are taken in the spirit of improving the proposal, because it would be disappointing if the audit support program, which could be a key unlock for the tools available to new builders, gets sidetracked by a potential perceived overreach on the part of the ADPC, because I see these as two separate topics.
Fully respect the need for confidentiality, but at the same time it would be great to get some separate validation given that currently the proposal places immense power and fewer checks on the ADPC.
For example, have you discussed with the two members of the Foundation (one who oversaw and created it and another now running it) their Audit support program, to validate numbers and input provided to you by SPs, and to understand what negotiation and terms the Foundation secured for their program from similar SPs?
Not sure if there is any other source we can propose to validate this
Nowhere did I state that we cannot utilise the ARDC (or want to) - as we have already queried w/the DAOAdvocate in this regard.
I am just pointing out that we cannot use the security seat of the ARDC (which would have fit within the role of an external security advisor), as OpenZeppelin has shown its interest in participating in the Security SP RFP process and this would naturally be a COI - i.e. Security Advisors advising on their own application/advising on direct competitors' applications.
Thanks CF
@Immutablelawyer thank you for the response, but my query wasn't related to the ARDC; it was related to the Foundation program and team working on a similar scope.
Has there been active work coordinating efforts?
It was actually; hence why I addressed it: "your logic for arriving at the ARDC self deciding to step into this role are somewhat flawed" - the logic was explained, i.e. why it isn't actually flawed.
Re. Foundation and audit support - we went directly to the source, i.e. Security Service Providers themselves, and solicited consultations from 10+ security SPs to establish the quantitative metrics needed. However, we'll have additional discussions w/the Foundation as well - no harm in getting further data.
Hi all,
We've posted an update on the ADPC's mandate, progress to date, timelines, open items, and links to our public pages - feel free to have a look here.
Re. the open item of having a committee to disburse the Subsidy Funds, as we have mentioned above, we are in favour of exploring this idea and setting up a committee if there is consensus from delegates. We'll aim to discuss this on the bi-weekly governance call tomorrow, so please attend - would love to gain a variety of perspectives on this topic in addition to those voiced by @coinflip and @pedrob!
To be clear, I think this is a great initiative; however, the execution is suboptimal. Potentially an oversight, but I don't believe the ADPC are best suited to whitelist Security providers, nor should they be handing out grants. Although it is a group of well-skilled individuals, their backgrounds and skill set don't seem to suit this specific goal, and a more suited member / another committee should be handling it.
If the following are done before Tally, then I'm happy to support:
- Security SME expert added to ADPC to help with whitelisting SPs
- Auditing committee concept is explored and if wanted, then they are elected and approved to disburse or the ADPC + Security expert disburse funds
I'm sorry to post this right now as it'll be very late to get a Q&A on all the topics, though here is my rationale to only support a small 8-week program with 2.5m ARB or less and go over some feedback before this proposal moves to an on-chain vote. Here are my notes on why I'll support the general essence of this proposal but am looking for further discussion to get it more mature and less prone to unforeseen consequences for the whole ecosystem.
- Negotiating discounts with security audit firms: Given the substantial amount of funds allocated for security audits, it would be prudent to negotiate discounts with the whitelisted service providers. The ADPC should leverage the scale of this program to secure more favorable rates for the benefit of the Arbitrum ecosystem. I'd like to see a clear plan for how the ADPC intends to negotiate these discounts and ensure the best value for the allocated funds.
- Additional disbursement for multisig signers: The justification provided for the additional disbursement of up to 1k ARB for multisig signers is insufficient. The legal risks mentioned are unclear, and the time and effort required to verify and sign transactions do not appear to warrant such a significant additional compensation, especially considering the signers are already being paid for their role in the ADPC. I'd like to discuss the necessity of this additional disbursement and explore alternative ways to compensate signers for their efforts, if deemed necessary.
- Potential second-order consequences: The subsidy program may lead to a lack of competition among security audit firms and potentially inflate prices. By acting as a government-like entity subsidizing the entire security industry, the ADPC may inadvertently create an unfair advantage for projects that have previously struggled to secure funding for audits. This could lead to an alignment of prices based on what the ADPC deems fair, rather than market forces, and may result in an inflationary trend among the selected audit firms.
Furthermore, the proposed average cost of $200k for a 2-month security audit seems significantly higher than what many small projects have experienced in the past. In my personal experience contributing to projects since 2017, I have never paid more than $110k for a security audit with top-tier firms, with the usual average price among the latest invoices received being around $30 per line of Solidity code as of the end of 2023. I'd like to discuss ways to structure the program to encourage competition, maintain fair market prices for security audits, and ensure that the allocated funds are used efficiently to support a larger number of projects. It's important to note that the security firms involved will likely profit either way from this program if they do a good job at securing the first codebase audited. However, it's crucial to recognize that many audited projects have ended up as graveyards, as evidenced by the Rekt list, which highlights the varying effectiveness of audit firms.
- Alternative approach with an Immunefi fund: Allocating a portion of the requested funds to an Immunefi fund could be an effective way to incentivize white hats to find issues in deployed smart contracts on Arbitrum One or Orbit. The existing Immunefi framework for categorizing bug reports and rewarding white hats based on their talent and the amount of funds at risk could be a more efficient use of the allocated funds. I'd like to explore the possibility of incorporating this alternative approach into the overall proposal, perhaps as a complementary initiative to a more targeted subsidy program. As a project listed on such platforms, you may receive many redundant or AI-generated reports. However, having your code in production with a substantial bug bounty can make a significant difference in continuously securing the project community and Arbitrum as a whole.
In conclusion, while I support the general essence of this proposal and believe it could significantly enhance the security of the Arbitrum ecosystem, I believe further discussion is necessary to address the potential drawbacks and refine the proposal before moving to an on-chain vote. By addressing the concerns raised and exploring alternative approaches, we can create a more effective and efficient program that minimizes unforeseen consequences for the ecosystem as a whole. I look forward to engaging in constructive dialogue with the community to refine this proposal and ensure its success.
For Snapshot, voting "for" on 2 cohorts of 8 weeks for 5M ARB.
I partially share some concerns about the size, and dao wanting to first try with a lower amount. But, I think 2 months are just not enough. Audits can potentially be complex as a process, in 60 days we might just not encounter enough different situations to properly assess the best way to operate.
On the whitelisting of operators. I agree that there can be a concern about ADPC whitelisting operators.
But I also know security is hard, and there are few people who actually know security, both in holistic terms and in specific, vertical terms. I used to work in cyber threat intelligence myself before larping as a cow on the internet, and want to touch this.
There is a merit in what flip said. But there is also a merit in understanding that a "simple" election from the dao on people able to vet security experts is in my opinion not feasible.
Either we pre-fetch strong candidates, publicly known workers in the security field, and make them run (but, a figure like this one, who can clearly contribute to protocols and ecosystems with just their own means and skills, why should they take the hassle to run an election?), or we trust adpc, or we find something in the middle which I don't know what it could be.
I personally feel this is one of the situations in which a democratized vote is less positive than an intelligent dictator stepping in, so to say.
Optimistic challenge can make sense to exclude vendors proposed. Would it work to include new ones tho? Don't think so.
This could make a lot of sense. But the composition of this committee, while lighter in requirements compared to the above, is still subject to issue because there is the need of a certain background imho.
This is logical but I personally disagree. I interpret the current snapshot as a sentiment check, and also a reference number that the program can obtain if X, Y, Z, K is solved. I think, to fetch good experts, knowing what the budget is is mandatory. I don't personally mind having a decision process in snapshot; that clears the sky partially for further discussion and decision process before tally.
To conclude, I totally understand why there is a lot of fuss around economics. Makes sense. But the topic requires a somewhat different approach from the usual, being very specific, and needs some steering away from the usual way the DAO is used to working due to the necessity of several professional figures and vendors being integrated in the program.
This doesn't mean we have a white page on which we can write whatever; there is stuff to solve like, for example, a committee for deciding the receivers of the funds for audits, and a way to onboard security experts (I don't like elections on this as I explained, but also I don't currently have an answer).
I voted for this proposal with the 1 cohort of 8 weeks option. A subsidy fund for security services is a valuable service to provide the Arbitrum ecosystem. I'd like to see this rolled out as a pilot and then reviewed and scaled from there based on learnings from the pilot. I'm open to increasing the scope/size of the pilot if additional details are added to the proposal prior to the onchain vote.
We are in favor of the proposal to establish a subsidy fund. This initiative aligns well with our vision for the DAO as a support system for developers and protocols building on the Arbitrum platform. By providing financial assistance for essential security audits, this fund would greatly benefit developers who might otherwise lack access to such critical services, thereby fostering a secure and robust development environment within the Arbitrum ecosystem. However, there are some concerns raised by other delegates about the essential groundwork that remains to be completed to ensure the effectiveness and integrity of the subsidy fund. Given these considerations, we propose to support this initiative as a pilot program initially. We suggest allocating a portion of the total fund, $2.5 million, for the first cohort. This approach will allow us to observe the program's implementation and effectiveness, address any unforeseen challenges, and evaluate the program's results before committing further resources.
I have decided to ABSTAIN from voting on the "Subsidy Fund Proposal from the Arbitrum DAO Procurement Committee" at this stage.
Rationale:
While the proposal significantly addresses a crucial aspect of the Arbitrum ecosystem—enhancing security, which I deeply value—there are numerous legal and procedural details that I need to understand better. The complexity of the issues presented requires more thorough consideration to make a fully informed decision.
Comments:
Before moving forward with my final decision in the on-chain voting, I would love to first understand:
Cohort Program Execution: What is the expected execution of this program? For example, if the option of 1 cohort, 8 weeks, and, say, 2.5M ARB is chosen, what would be expected from a program like this? How is this effort going to be run, etc.? I'm not seeing this detail in this proposal, and as we saw in other programs there's a lot of work involved, apart from reports, results, KPIs, etc.
Regarding the audit firms, I appreciate the diversity. And of course, I applaud Joseph and the procurement committee for pushing these efforts in the DAO which, although quite technical to implement, are very necessary for the security and long-term well-being of the ecosystem.
Savvy DAO has voted FOR "100% for 1 cohort of 8 weeks, $2.5M fund" for the Subsidy Fund for Security Services proposal for the following compelling reasons:
- Focused and Manageable Scope: Allocating $2.5 million for an initial 8-week cohort allows the Arbitrum DAO Procurement Committee (ADPC) to pilot the subsidy program in a controlled, manageable environment. This targeted approach facilitates careful monitoring and assessment of the fund's impact on project security and development within the Arbitrum ecosystem.
- Strategic Allocation for Maximum Impact: The decision to fund a single cohort initially ensures that resources are concentrated where they can be most effective. It allows the ADPC to optimize the subsidy distribution, ensuring that funds are awarded to projects that not only need them the most but also have the potential to provide significant returns on security investment.
- Evaluation and Scalability: Starting with one cohort gives the ADPC the opportunity to evaluate the effectiveness of the fund's distribution mechanisms and the performance of the funded projects. Insights gained from this initial phase can be used to fine-tune the program for future cohorts, potentially scaling the initiative based on demonstrated success and community feedback.
See delegate thread: [Non-constitutional] Subsidy Fund for Security Services - #38 by SavvyDAO
The following reflects the views of L2BEAT's governance team, composed of @krst and @Sinkas, and it's based on the combined research, fact-checking, and ideation of the two.
We're voting in favor of the proposal and specifically to fund the SF with 2,500,000 for 1 cohort of 8 weeks to run as a pilot. The Subsidy Fund is something that we definitely want to see established as it could be extremely helpful for builders, especially of smaller, newer projects, building on Arbitrum.
We would have supported the proposal for a larger amount and a longer duration as we believe there has been a lot of thought gone into it, but there are some concerns with the execution side of the proposal that led us to rethink our decision.
To conclude, we're voting in favor of the proposal as a signal when it comes to its direction, but we'd like to clarify the details before the proposal goes to an on-chain vote.
Blockworks Research will be splitting its vote on Snapshot; 50% for do not fund and 50% for the $2.5M fund.
On a fundamental level, we like the idea behind the subsidy fund and think it's highly beneficial to support smaller, non-established projects. While this proposal is undoubtedly extensive and showcases that a vast amount of thought has gone into different frameworks, as pointed out by other delegates, we feel that it is still somewhat rushed. Consequently, more work is required before we feel comfortable voting for this proposal onchain. In particular, we agree with points 1. and 2. made by @mcfly, and it would be great to have a further discussion around this point:
In addition to the above points, we think the fund being run by the ADPC would lead to a sub-optimal operational structure. As pointed out by @coinflip, the ADPC's original mandate was to focus on the operational side by, for example, establishing frameworks and setting up programs. By engaging in the selection and oversight process as well, effectively 1/3 of the ADPC's current term would be diverted from the important task of creating a foundational procurement structure for the DAO. Having said that, we are conscious of the ADPC having expressed willingness to establish a separate committee for the fund, which we think would be a great addition to this proposal. This could be structured such that both security and procurement experts could be appointed, and would be another avenue through which the ADPC would standardize the procurement framework for the DAO.
Thank you for all your engagement and feedback on this proposal! Given the complexity of the task at hand, the feedback has been extremely useful in helping us refine and improve the proposal.
This post will break down a subset of the major themes of the feedback and outline our plan for incorporating it. @Pablo will be providing responses on the following feedback themes in due course that this post will not cover:
I. Mandate of the ADPC & Process for Whitelisting of Security Service Providers for the Provision of Subsidies
II. Set-up of Independent Committee to Disburse Subsidies
III. Addition of a Security Expert to the ADPC
IV. Timeline and Sequence of Events
V. Proposed Alternative Approaches
Feedback Themes
Input Collated for Benchmarking Exercise to Determine Size of Subsidy Fund
Feedback
There has been an ask from @coinflip and @mcfly around the input collated to define the size of the subsidy fund.
Response
To clarify, as mentioned in the proposal, we directly consulted with security service providers on their scope of services and fees:
The figure of up to $10 million worth of ARB has been determined via a benchmarking exercise conducted with various security audit service providers. This form was shared with these service providers and based on the responses of 10 service providers (including the likes of Spearbit, Halborn, Nethermind, Three Sigma, Guardian, Zellic, etc.) on their scope of services and fees associated, we have estimated that each project will require a 2-month security audit at an average cost of $200K.
As @ImmutableLawyer has mentioned above, the specific fees provided by each service provider cannot be made public due to privacy requirements and competition issues from the service providers. However, as @coinflip has suggested, we are happy to run the data points and our assumptions past members of the Foundation, who we already shared this with. To provide further clarity, the figure of $200K for a 2-month audit was based on data points / fee structures provided of:
- Weekly fees per auditor
- Monthly flat fees
- Cost per audit
Edit: Having spoken to the Foundation on whether they can publicly confirm the sanity check, as a rule of thumb their role is not to approve what the DAO does or provide public endorsements. As such, we will find another party to do so, most likely the security expert we are currently sourcing.
Size of the Subsidy Fund
Feedback
A fund of $10 million worth of ARB is too high to begin with and a smaller pilot fund is more desirable.
Response
We are happy to institute a smaller pilot fund and already took this feedback on board in providing the different options for fund size and duration on Snapshot.
Role & Cost of the Multi-Sig
Feedback
There is no need to expand the budget to control the multi-sig to disburse the Subsidy Funds, as pointed out by @pedrob and @mcfly.
Response
As you can see in the Tally vote, the responsibilities for the Multi-Sig signers are the following:
- Streaming of funds to elected members through Hedgey on a monthly basis.
- Clawback capability.
Given that the signers will now have an additional responsibility to disburse the subsidy funds to recipients, and this is a more time-intensive task with potentially higher frequency, it may be fair to compensate them accordingly. We'd propose limiting the additional pay to 500 ARB in that case, given they already have an existing mandate. However, if there are allergic reactions to this or the MSig signers want to waive payment, we are open to any proposal.