[PROPOSAL] - Procurement Framework | Security : Non-Constitutional Proposal (Prev RFP)

SNAPSHOT TO REVIEW PROCUREMENT FRAMEWORK IS LIVE

The purpose of this snapshot is to ensure the framework is on the correct path.

If passed in favor of, the next step will be to discuss the specifics regarding how to elect procurement committee leadership, as well as a grant ask to fill procurement committee roles. At this step, we will wrap everything together for one final push through to onchain vote.


Previous Milestones:

OPEN CONSULTATION PERIOD HAS ENDED AND PROCUREMENT FRAMEWORK DRAFTED

OPEN CONSULTATION PERIOD HAS BEGUN - ENDING NOV 17

SNAPSHOT TEMP CHECK HAS PASSED WITH ~99% SUPPORT
The intention of the Snapshot is to signal willingness and interest to coordinate as a DAO on a RFP Process. A focus group dedicated to begin working on this will be discussed during the Delegate Workshop on Tuesday, Nov 7th, at 3 pm UTC.


The main objective of the proposal is to establish a comprehensive Request for Proposal (RFP) process for the selection of auditors or security-based service providers in the Arbitrum ecosystem. This process consolidates the piecemeal approach of individual auditors submitting separate budget requests. The proposed RFP process will provide a structured framework for the onboarding of security service providers, and a council responsible for ensuring due diligence has been conducted on what the DAO is comfortable sponsoring, financially or otherwise.

The proposal emphasizes the importance of stakeholder involvement in the RFP process and calls for the Arbitrum DAO to consider this proposal and participate in the conversation. I open the call to action to all security service and tooling providers, as we can never be too safe.

I do recommend that the leader of this focus group ultimately be in a role that currently facilitates the buy-side of an auditing arrangement as they know the importance of deal negotiation, current market pricing on services, the rapport of various auditors in the business, understand the importance of established auditing relationships, areas of concern that need attention, etc. I have offered to lead the focus group pro bono, but I am happy to be an advisor and take a backseat role.


Background

Multiple security proposals are being introduced piecemeal; the Arbitrum DAO should not rush into anything but work together on an inclusive RFP framework.

Introduction

The security of smart contracts is of utmost importance in the Arbitrum ecosystem. To ensure the highest level of security, we propose implementing an RFP structure for smart contract security auditors. This proposal aims to establish a process for onboarding security service providers and then selecting them on a per-project basis in a transparent, fair, and efficient manner. The process will be open to all security engineers, researchers, and organizations.

Proposal

The Arbitrum DAO shall issue an RFP for security services. The RFP will outline the requirements for security professionals, including their experience, qualifications, and methodology. The RFP will also specify the scope of the security services needed, the timeline, and the compensation rates for various project categories. [RFP Details TBD]

Selection Process

The selection process will be based on the following criteria:

Experience and Qualifications: Security researchers must have a proven track record of conducting smart contract security audits and/or tooling & platform development. They must have experience with the Arbitrum ecosystem and be familiar with its unique features.

Methodology: Security researchers must have a rigorous audit and tooling SDLC methodology. They must be able to identify vulnerabilities and provide recommendations for remediation.

Price: Auditors must provide a competitive price for their services. [Standardized Metrics for rates TBD]

The selection process will be overseen by a committee of experts appointed by the Arbitrum DAO. The committee will review the proposals submitted by auditors and select the most qualified candidates based on the above-mentioned criteria.

A Call to Action

Implementing an RFP structure for security services will ensure the Arbitrum ecosystem remains secure and resilient. By establishing a transparent and fair service provider onboarding and project selection process, we can attract the best professionals and ensure they are compensated fairly for their services. We urge the Arbitrum DAO to consider this proposal and participate in the conversation, as the current state of the proposals is unmanageable, rushed, and exclusive.

24 Likes

I’ve moved this to the Grant Discussion category, since there is nothing for the DAO to vote on atm.

6 Likes

Hi folks, this is Dex Chen from Verilog Solutions. We have audited a couple of Arbitrum projects since its mainnet, including the first CDP on Arbitrum.

I have experience working on ecosystem security grants before. My biggest takeaway is that auditors need to present the benefits of a lump-sum security grant paid to the auditing firm versus piecemeal security grant paid to each project/protocol on a per-case basis.

As of right now, I think DK3’s proposal makes more sense than having individual audit firms proposing security grants dedicated to themselves, for a couple of reasons:

  1. No auditor lock-ins
    By not allocating a grant that is only spendable at a particular auditor, protocols are free to choose which auditor they prefer to work with. This also adds some competition amongst auditing firms and incentivizes auditing firms to provide consistent and high-quality services, as being selected into the council is not end-all and be-all.

  2. More competition, better cost-effectiveness
    More on the encouraging competition part. If dedicated security grants are established, the pricing power is monopolized by the dedicated audit firm that receives the grants. This creates an interest misalignment between the recipient and the Arbitrum DAO. With a council proposed by DK3, audit firms can participate in sealed bidding for the privilege to provide service. The bidding process gives the pricing power back to the Arbitrum DAO.

  3. More flexible capacity
    Many of the auditors have been in this market for more than two market cycles, and we all understand how bad the backlog could become in a bull market, when everybody is rushing to launch. The risk of running auditor-dedicated security grants is the lack of flexible capacity, where the recourses are (1) for the auditor to do emergency hires (bad for quality), (2) for the auditor to outsource (even worse quality), or (3) for the auditor to increase the audit cost (bad for cost-effectiveness). With what DK3 is proposing, multiple audit firms can work on projects simultaneously if the audit demand increases.

That’s my $0.02 on the security grants. TLDR is DK3’s proposal is more cost-effective and interest-aligned than having auditor-specific security grants.

9 Likes

After discussing this proposal with DK to understand their vision, Sherlock believes that an RFP-style process for auditing services is in the best interest of the DAO (if executed well). Because of this, Sherlock has decided not to post Sherlock’s forum proposal to Snapshot, and Sherlock will instead direct its coalition of delegates to vote for this RFC (DK’s approach) and to vote against all other auditor-specific proposals.

Of course, a lot of effort is needed to turn this current RFC into a fully fleshed-out version that everyone can rally behind. Sherlock has successfully been through similar RFP processes with other DAOs and Sherlock is happy to provide feedback to DK and others as to what works well and what causes issues.

To confirm, Sherlock is withdrawing its own proposal and putting its endorsement (and delegates) behind this one because Sherlock believes this approach is in the best interest of the Arbitrum DAO.

8 Likes

Hello everyone, and a big thank you to @dk3 for sharing your proposal with all of us. I’m Ofir from Hats Finance, which offers an on-chain audit competition and bug bounty platform. Hats has been an integral part of the Arbitrum ecosystem since the beginning of 2023, when we deployed on Arbitrum. Since then, we have facilitated audit competitions and bug bounties for Arbitrum projects, employing a unique pay-for-results-only model. This approach aims to increase the security of a project while harnessing the expertise of hundreds of auditors and keeping the budget only for results instead of efforts.

Our primary objective is to make our space safer, and we have always aligned with Ethereum and Arbitrum’s core values: openness, decentralization, non-custodial, and on-chain operations at all times.

We greatly appreciate this proposal, as it aligns with these values and presents an important opportunity to enhance the security of the entire ecosystem. Hats is willing to participate and offer our products and tools to help achieve the goals outlined in the proposal.

Thanks!

5 Likes

I think this will properly organize security expenses and also provide transparency.

3 Likes

Shifting this to the Proposals category now that it is up on Snapshot for a temperature check.

3 Likes

This is the best way to approach this type of funding.

Audits today have become one of the top expenses for new protocols, and if the Arbitrum DAO is able to select the best firms to work with and negotiate in bulk better deals, that can only be a win for the ecosystem.

If this initiative is successful we should find ways to replicate it across different categories (ex: quest initiatives).

7 Likes

Support the ecosystem :pray: :pray: :pray: :pray: :pray:

4 Likes

After going through the proposal and the ongoing discussion about the proposed RFP process for security auditors in the Arbitrum ecosystem, I find the insights from @Dexchen of Verilog Solutions particularly compelling and would like to integrate these perspectives into my supportive stance.

@Dexchen’s experience with ecosystem security grants provides a practical viewpoint on the effectiveness of a lump-sum security grant model. The benefits of avoiding auditor lock-ins cannot be overstated. By allowing protocols the freedom to select auditors, we encourage a healthy competitive environment. This not only eliminates the risks associated with granting monopolistic power to a single firm but also incentivizes auditors to consistently improve their service quality. As a result, the entire ecosystem benefits from higher standards of security.

Moreover, the argument for cost-effectiveness is crucial. The proposed RFP framework would prevent any single auditing firm from gaining pricing power that could potentially misalign with the interests of the Arbitrum DAO. Instead, a council-led RFP process would enable a sealed bidding system, thus restoring pricing power to the DAO and ensuring fair market rates.

@Dexchen’s point about flexible capacity resonates deeply, particularly in the context of varying market cycles. The industry has seen the backlogs that can occur during peak periods, and a system that relies on a single auditor’s bandwidth is inherently flawed. The proposed RFP process, as highlighted by @dk3’s proposal, allows for multiple firms to engage with projects concurrently, thereby scaling capacity as demand increases and maintaining both quality and cost-effectiveness.

Building upon these points, I advocate for an RFP process that reflects these principles—one that ensures no single auditor can dominate the space, thus preserving the decentralized ethos of the DAO and fostering a competitive yet collaborative environment that can dynamically respond to the ecosystem’s needs.

In summary, integrating the decentralized, competitive, and flexible approach as emphasized by @Dexchen with the structured RFP process as originally proposed will not only enhance the security infrastructure of the Arbitrum ecosystem but also align with the DAO’s values of fairness, transparency, and efficiency.

2 Likes

Due to the recent rush of proposals from service providers, we believe this initiative is extremely necessary to prioritise transparent and neutral processes aligned with the Arbitrum ecosystem.

The value proposition of supporting the security and audits for Arbitrum builders is clear. However, as we experienced with the incentive grants, a framework is imperative to ensuring that we promote competitive pricing for the DAO, avoid large concentrations of power, avoid significant conflicts of interest and more.

Protocols building on Arbitrum inherently have skin-in-the-game, and the grant framework created an open process where all protocols could apply and be judged on their contributions. While respecting individual SPs, we think having the security requests go through a transparent and neutral framework is crucial to ensure alignment and optimal cost/value for Arbitrum.

2 Likes

Hey folks,

Just going to chime in here with my $.02. After speaking w/ a few other folks in different channels, I think there’d be support for a more marketplace-style approach:

A committee is established plus a vendor whitelist with a Q1 budget and trial process. Obv lots of details re eligibility, etc. to figure out, but as a brainstorming exercise…

Then the process is: a grant committee approves protocols, creates an RFP for vendors, vendors submit, grantee + committee review options, and decide to award a grant based on vendor quotes.

This needs to be fleshed out…but didn’t want to spend more than 30 min on this…hopefully this helps spur some further ideas/discussion.

9 Likes

Thanks so much @dk3 for the obvious thought you put into this proposal and your effort in pushing the issue of security forward. We at Halborn believe that establishing a comprehensive RFP process for security services will not only create a more robust and efficient process, but it will make the Arbitrum ecosystem stronger and more secure as a whole. We’re an award-winning, elite cybersecurity company for blockchain organizations providing a wide range of services, including Smart Contract Security Assessment, Advanced Penetration Testing, DevOps & Automation, and Security-Advisory-as-a-Service. We would be thrilled to participate in this process and believe our wide range of services can help ensure the safety and longevity of the Arbitrum ecosystem.

Thanks!
-Halborn

1 Like

Firstly, thank you for your proposal and keen interest in the Arbitrum ecosystem.

Executive Summary

Proposal Overview: A unified framework for managing security audits, replacing individual auditor budget requests with a consolidated approach.

Preliminary Stance: We stand in support, contingent upon the implementation of a robust governance process for the proposed working group/council and the clarification of operational details.

Proposal Evaluation

Strategic Importance: The integration of a centralized security protocol is critical. The crypto space has been marred by security breaches, emphasizing the need for reinforced trust and safety for Arbitrum users.

Alignment with Arbitrum’s Vision: The proposal seeks to address the current disjointed nature of security efforts by creating a standardized and transparent framework, resonating with Arbitrum’s mission of fostering a secure and scalable ecosystem.

Tracking and Metrics: The current proposal lacks a concrete mechanism for evaluating the effectiveness of the security fund. The establishment of a working group is suggested but without specific performance indicators. However, due to the nature of the proposal and the state of DAO proposals, this was required.

Working Group Credibility

Formation and Success Metrics: Since the working group is not yet established, its efficacy and conflict-of-interest policies are not assessable at this juncture.

Ecosystem Advantages

Proposal Benefits: By consolidating security efforts and establishing clear requirements for auditors, the proposal promotes competition, cost-effectiveness, and flexibility—key factors in advancing Arbitrum’s competitive edge.

Concerns and Actionable Points for the Working Group

  • Care needs to be taken for the selection process’s impartiality and professionalism
  • While fitting for the DAO’s current needs, specifics on the working group’s formation and operational guidelines are lacking
  • Implementation of a democratic procurement process to establish a fair selection mechanism for security providers.
  • Defining a fixed fund amount and stipulating comprehensive requirements and KPIs to guide the selection and evaluation of auditing services.

Final Position

Support Confirmation: We endorse the proposal in principle, acknowledging its potential to significantly elevate Arbitrum’s security posture.

Conditions for Full Support: Our unreserved support is contingent upon the adoption of the above recommendations, with particular emphasis on the establishment of a transparent, accountable, and democratically elected working group.

Some Additional Thoughts Around a Procurement Process

Budget Considerations

  • The DAO needs to determine the ARB allocation for the security fund based on the current demand for audits. The volume of pending and requested audits should guide the budgetary decisions.
  • Eligibility criteria must be set to decide which projects qualify for funding, considering factors such as codebase size, code efficiency, TVL, project originality, team size, and scope. Funding amounts should vary accordingly—for example, standard DEX forks might receive minimal funding, while unique, innovative projects may be allocated more.
  • The creation of budget tranches should be explored to categorize projects by their specific needs.
  • Key Performance Indicators (KPIs) are essential for the fund’s success, such as the number and scale of projects supported and the timelines for codebase audits.

Procurement Strategy

  • Once the fund amount, KPIs, and project requirements are established, the working group can outline detailed Scope Of Work requirements for auditors, including a timeline and evaluation metrics.
  • Evaluation criteria might encompass the quality of audits, timeliness, methodology, and the audit process.
  • Standardizing submissions through a template could streamline the evaluation process for both the working group and the DAO.
  • A clear list of deliverables and obligations for the auditing firms should be articulated.

Proposal Submission

  • Firms should also provide their KPIs, ensuring transparency and allowing for an objective assessment of their offerings.

Closing Remarks

Castle Capital appreciates the effort put forth by @dk and the support of many security firms as they aim to establish a better path forward for Arbitrum.

We hope that our feedback is received as a constructive contribution, aiding the further enhancement and success of Security on Arbitrum.

2 Likes

Michigan Blockchain is voting FOR this proposal on the Snapshot Temperature Check. This proposal aims to provide a comprehensive framework to ensure the community’s security via an RFP process for auditors rather than multiple individual budget requests.

Smart contract security and maintaining a safe reputation for the Arbitrum ecosystem are crucial for the sustainable growth of the space. The RFP framework will fairly allocate ArbitrumDAO treasury funds to top auditors in a transparent fashion that ensures quality and efficiency.

We are in favor of this structure and look forward to setting a path toward a successful and secure Arbitrum ecosystem.

3 Likes

Appreciate all feedback and support. Want to give a quick update on progress.

On Tuesday, during the Delegate Workshop, it was discussed to limit the immediate scope to two service types to conduct initial research: Traditional Private Audits and Competitive Audits.

Joseph (@Immutablelawyer) and I have been in contact with several security firms. We are gathering their input to ensure we cover all angles as we draft an onboarding and procurement process for these audit services.

Our goal is to have a draft of this onboarding/procurement process to share by this weekend after the Snapshot vote expires. We then plan to initiate a 7-day public feedback period where any group we haven’t directly engaged with can provide additional input. Concurrently, we will work on assembling an administrative group to oversee this procurement process moving forward.

Regarding funding, we hope to align with the initiative @coinflip is exploring. We have not yet discussed anything regarding the project selection criteria, cost coverage models, or other elements of the grant side. Our immediate focus is on optimizing the service provider onboarding and procurement administration.

The Arbitrum Foundation has tentatively agreed to cover KYB costs until dedicated funding is established.

In summary, on the current path, we are on track to potentially be in a place to begin onboarding service providers around the 18th of November. We will keep all parties informed of updates and course corrections as the process is quite fluid at the moment. Please let us know if you need any clarification or have additional questions!

Special thanks again to @Immutablelawyer for lending his expertise and time in assisting in the initiative; his leadership and passion have been a delight to partner with and have been critical to the progress that has been made thus far.

6 Likes

This is something that Cyfrin massively supports; thank you to @dk3, @Immutablelawyer and @coinflip for all of their hard work on this.

I have voted “For” this. I simply think this is the way to do this, and it will keep the selection process as fair as possible. As it stands, just letting projects apply gives a huge advantage to first movers, who might not always be the best choice.

The @SEEDLatam delegation decided to vote:

Note: We want to clarify that while we were analyzing the proposal and preparing this message, the @Cyfrin team decided to withdraw it. However, we believe it is positive to leave our feedback.

Rationale

As with our past vote, we consider it essential to establish a general framework for contracting service providers, where everyone can compete on an equal footing. This will enable ArbitrumDAO to evaluate and choose the best option in terms of cost, capability, and quality. Therefore, we support the initiative proposed by @dk3, which reflects the approach that the DAO should adopt to prevent centralization and the monopoly of services, as @pedrob expresses in their post. Furthermore, this method ensures that any provider has the chance to compete, thereby improving both the variety and quality of available alternatives. It also makes ArbitrumDAO an appealing environment for the most competent teams in the ecosystem.

Conclusion

We consider the Consolidate Security Proposals into an RFP Process approach to be beneficial to ArbitrumDAO. We believe it is necessary for the vendor selection process to include the participation of recognized experts in the field of security auditing, as this is a critical area that requires knowledge and experience in the field.

We look forward to a more detailed description of the selection process that is fair, democratic, and competitive for all applicants prior to the Tally vote.

2 Likes

After reviewing the proposal, Curia will support the implementation of a Request for Proposal (RFP) process within the Arbitrum ecosystem, recognizing its strategic importance. It ensures no single organization can create a power capture effect, fostering a healthy, competitive environment that benefits the entire ecosystem. By avoiding organizational power capture, we guarantee innovation and service quality remain high, with various providers contributing diverse perspectives on security.

However, we do hold a concern regarding the transparency of the committee process. The effectiveness of the RFP system hinges on the committee’s operations being transparent to maintain trust within the community. There must be clear communication and documentation of decision-making processes to avoid any perception of bias or unfair advantage. Ensuring this transparency will be crucial in upholding the integrity of the RFP process and, by extension, the security of the Arbitrum ecosystem.

1 Like