[Non-constitutional] Subsidy Fund for Security Services

While I appreciate the purpose of this subsidy fund proposal and recognize the considerable effort put into it, I have concerns about supporting it. I’d vote “no” on this proposal due to a few concerns. Firstly, it centralizes too much power with the ADPC over the large $10 million fund. There’s also a risk that projects might become too dependent on these subsidies, potentially impacting their organic growth and innovation. Plus, the complex application and evaluation process could lead to inefficiencies or misallocation of funds. More community input and a decentralized decision-making process could improve the proposal’s alignment with the broader ecosystem’s needs, but I still don’t see the necessity for its execution. It’s not a sustainable means of enhancing security among Arbitrum projects. In fact, it’s not ArbitrumDAO’s job to cover its ecosystem audit costs. Most of the good projects (can) raise or earn enough funds to cover audits if needed. These grants might also negatively affect the ARB token’s price action as usual. We should allow the ecosystem to grow more organically.

I have voted for “1 cohort of 8 weeks, funding 2.5m”.

The DAO has shown a near-unanimous desire to create a framework for security service providers, as indicated by the results of the proposal, as well as to put their trust in the 3 committee members elected to use their expertise to find the best path forward. While I absolutely love to see the discussion and feedback, I also want to show a good-faith trust in those elected to the committee and see their idea through. For that reason, I think the 8-week trial funding is a good start for this. This should give us the opportunity to view how successful this type of process is and re-assess at a later date.

I’ll add, the ADPC’s willingness to take feedback into consideration is noted and part of the reason I think it’s fair to move this forward with an exploratory period. This is a good indication that they are willing to take a look at how the next 8 weeks go and have honest feedback on what can be improved.

As for general opinions, I do think @McFly brings up a good point regarding negotiating discounts. I don’t even want to begin to pretend I know what going rates are, but I think it’s important to remember that Arbitrum is a leader in this space and should be able to reap some of the benefits of that when it comes to bargaining power.

I will also agree with others - I’m not sure I’m for giving additional compensation to multisig signers after the fact.

DAOplomats voted in favor of funding one cohort of eight weeks, $2.5M.

There is still some clarity needed before this goes to Tally but we are in support of an eight week pilot. Also, we support the reduced cap of 500 ARB each for the multisig. It is extra work so they should at least be compensated for that.

The Princeton Blockchain Club is voting 100% FOR funding one 8-week cohort at the Snapshot stage.

Just like many other delegates, we’re directionally in favor of this proposal, though most options are quite high for an 8-week program. We’re voting for the smallest funding option, as we’d like to see this first roll out as a pilot program and iron out the execution issues mentioned earlier in the thread.

Following on from @sid_areta’s post, as I’m putting together the RFP, framework agreements and templates and have some relevant procurement experience, I thought it might be useful for me to respond to a few themes emerging here:

Mandate and Set-up of Independent Committee to Disburse Subsidies

The ADPC did discuss this in the beginning and the view was that having the ADPC establish the framework and administer the subsidy program was within the original mandate of the ADPC ultimately approved through governance.

This decision was not taken lightly. We carefully considered the original Snapshot and proposal as well as the significant workload involved and the resources within the team. It would have been far easier for us to handball this to someone else with the risk it falls into a hole at the end of the 6 month tenure. It did not strike any of us as good stewardship or professionalism.

The concern we have in bringing a new committee onboard is that (A) it creates a new workstream that was not part of the original mandate and, (B) even if we got a new committee spun up, would result in significant delays while a new team gets voted in, briefed on the procurement strategy, wraps their head around the legalities of the framework agreement, state of negotiations, tools and processes etc. That’s 4-6 weeks of their 8-week sprint gone.

If the DAO supports a truncated proof-of-concept, the better “bang for buck” would be to let the current ADPC facilitate this first tranche, re-assess at the end of the POC and then feed the learnings into a more substantial program. There is a lot of upside doing it this way.

Addition of a Security Expert

The ADPC identified this as a critical requirement early on. We have been in contact with several organisations and individuals who might be able to assist. However, one challenge has been identifying suitable SMEs who are not already conflicted out or who might be seen to be biased. Both of these factors knock out many candidates.

Alternative Approaches

Having run a lot of procurements both in government and the private sector, best practice involves establishing a core team consisting of strategic procurement specialists driving the Approach-to-Market and lawyers experienced in strategic sourcing. We believe we have those resources on hand.

Technical SMEs certainly have an important role to play in defining requirements, the technical evaluation criteria and evaluating RFP responses and we definitely want to include suitably qualified SMEs in that process. However the technical requirements are only one part of a procurement process and evaluation.

Given the problems flagged above in terms of conflicts of interest, one suggestion offered to the ADPC was to speak with experienced buyers of audit services so we are exploring that option as well.

Timeline and Sequence of Events

As can be seen from the ADPC Dashboard, the ADPC has made great progress on significant pieces of the Framework. We have already released the first draft of the Means Test and the related Terms and Conditions. This alone was a considerable piece of work - we hope this serves as a role model for other grant programs.

The first draft of the Procurement Framework is currently being reviewed internally, pending input from SMEs and the Foundation. Once those steps are completed, we’ll be ready to publish the RFP and Head Agreement and officially kick off the procurement stage. We know everyone is super keen to get this ball rolling; however, we only have one chance to get it right. Once the RFP is published, it is inadvisable to make changes as it creates havoc for respondents and undermines probity of the process.

As part of the publication step, we’ll be developing a TLDR and overview to the legal documents to assist all participants. Keep an eye out for updates!

SEED Latam voted to ABSTAIN on this proposal, since, even though we fully agree on the goal behind it - subsidizing security services could help a lot in reducing friction for onboarding new projects looking to build on Arbitrum - we think there are still some points that have to be defined as mentioned by @pedrob.

On this part tho, I think we could simply have someone who served as a member of a past Security Council cohort. Since they would already be somewhat vetted and “Arbitrum aligned”.

After consideration, Treasure’s Arbitrum Representative Council (ARC) would like to share the following feedback on the proposal:

We are directionally supportive of the proposal and have voted FOR allocating $2,500,000 to the Subsidy Fund, intended to support a single 8-week cohort. We view this as a trial phase, with the possibility of expansion contingent upon performance. Establishing the Subsidy Fund holds promise in aiding and drawing in builders, especially those engaged in smaller, emerging projects within the Arbitrum ecosystem.

I don’t see why the DAO should pay for the audits of new protocols. Yes security is important, but so is creating an environment where real businesses decide to create real value based on real success. We’re creating so much noise that it’ll be hard to spot the signal and the protocols that truly deserve our attention.

Hi all, thank you for your engagement on this proposal and for voting in favour on Snapshot! We appreciate all the feedback we have received and are in the process of implementing it.

Addressing the first major point of feedback, we are instituting an independent committee for selection of subsidy recipients and will provide further details regarding the proposed structure of the committee soon.

Regarding the second major point of feedback, i.e., proposing to add a Security SME to the ADPC, we managed to secure a trusted third party, who we are proposing to provide its services to the ADPC including:

  1. Crafting the technical and business requirements for the RFP for security service providers;
  2. Helping the ADPC whitelist the security service providers based on their RFP responses over a 4-week span.

We have managed to secure the help of DeDaub. DeDaub is a well-known security services firm which has worked with the likes of the Ethereum Foundation, EigenLayer, Chainlink, GMX, Lido, Maple, Pendle, etc., and has completed 200+ audits for 59 clients over 14 chains.

The next step before onboarding DeDaub is to get the DAO’s confirmation via Snapshot to use part of the ADPC’s budget to pay them. Note, the ADPC already has the funds in the Multi-Sig as part of the original endowment, but since this was not explicitly approved for spending by the DAO in the original Tally vote, we are requesting approval via Snapshot to use these funds to pay DeDaub. Find details below:

We propose to pay DeDaub a total of 12k ARB for their assistance on crafting the requirements and helping whitelist the security service providers. We believe this is fair since:

  • Each ADPC member gets compensated $8k worth of ARB per month;
  • The technical and specialist nature of the work allowing for a higher rate;
  • The difficulty we have had in sourcing Security SMEs who are not conflicted out, as mentioned above;
  • The market rates for Security SMEs (we were quoted $500/hour by another SME).

As such, we believe a compensation of 12k ARB is fair for the value DeDaub will bring to the ADPC and to this process.

Moreover, we also request an additional 10k ARB to the ADPC’s budget as an operational buffer to ensure that the ADPC can operate with speed and does not need to get the DAO’s approval for any small operational matters. Of course, this will be returned to the DAO’s treasury upon the completion of the ADPC’s tenure if it has not been utilized, and will not be spent on any internal salaries.

We will put up a Snapshot to get the ball rolling on this budget approval and reduce the likelihood of any delay in meeting timelines.

Summary Ask: 22k ARB in total (12k ARB compensation for DeDaub and 10k ARB operational buffer) to use from the ADPC’s buffer in the multi-sig.

Note: To confirm, DeDaub’s participation as the Security SME will preclude them from responding to the RFP and applying to be a whitelisted security service provider.

gm, late feedback here.

I have voted FOR and I am directionally supportive of the initiative as I believe it would be a fantastic incentive for the best undercapitalized builders to create and deploy on Arbitrum.
This is another way to remove frictions.

However, as others have pointed out, I am not convinced about the approach suggested, so voted for the smallest funding option as this will be an exploratory pilot.

Thank you for all your feedback here. As an update, yesterday we published the proposed structure for the independent committee for the selection of subsidy recipients here.

To ensure we act with sufficient speed, we are aiming to put the proposal up on Snapshot next Monday (20 May) and would greatly appreciate your opinions on the committee structure!

Thank you for this proposal; we are enthusiastic about its progress. While we acknowledge that we might be a bit late in offering suggestions, we hope our input can still be considered.

A primary topic at the top of Entropy’s mind at the moment is enabling projects to integrate Stylus into their tech stacks. We are working on a proposal in this regard. Given that Stylus is a key differentiator for Arbitrum, it’s crucial to address the current lack of auditors proficient in dapps consisting of contracts written in multiple languages using Stylus. We urge the DAO to prioritize support for projects aiming to leverage this vital technology, ensuring they have the necessary resources for success, and that auditors have a proper incentive to learn how to audit projects using Stylus.