I’m Yoav, a security researcher at the Ethereum Foundation. I’ve been building in the Ethereum space since 2017, working on account abstraction (ERC-4337,EIP-7701), cross-L2 interop (EIL), OpenGSN, L2 security, etc. As par of my research I found and reported vulnerabilities in multiple L2s.
I’ve been an early Arbitrum supporter, audited the contracts before mainnet and reported issues (without compensation, as part of my commitment to the community). I’ve been a member of the Arbitrum Security Council since it was formed and helped established its security procedures.
I created two proposals (AIP-2, AIP-7) and participated in discussions about others.
As a delegate and a security council member, I’m committed to keeping Arbitrum users safe, and keeping the network secure, trustless, and credibly neutral.
Quorum should reflect the voting power that actually participates in governance. Moving to a delegated voting power based quorum better aligns quorum with real participation levels and reduces the risk of governance gridlock as token supply grows.
I also support allowing proposal cancellation during the pending period, which avoids unnecessary governance cycles if issues are identified before voting starts.
Yoav longest serving Security Council member, zero compensation history, and Ethereum Foundation independence. Hard to argue with that combination.
One genuine question you’ve helped establish Arbitrum’s security procedures from the beginning. That institutional knowledge is valuable. But it also means the current system reflects your thinking.
What would you change about how the Security Council operates today if anything? And is there a risk that long-serving members become too comfortable with the status quo…..?@yoavw@Arbitrum
I see no major downside, and it enables more experimentation. Since shielded elections is optional, I’d be curious to see a comparison of shielded and unshielded ones as we accumulate more of each type.
IMHO, unlike most other councils, the security council is not political in the sense that “status quo” implies. It acts mainly in emergency situations, and needs to ensure the safety of the network and its users. Its procedures are therefore mainly meant to ensure good opsec. This includes strong verification of any transaction the council has to sign, independent simulation and understanding of what it’s going to do. In addition, the council needs to secure itself - it holds keys that, together, can take emergency actions and are therefore quite powerful. The council members and the foundation established security procedure based on years of security experience (over 3 decades in my case), and council members including myself must keep up with the latest attacks and mitigate any emerging threat. While the council can always benefit from more security-savvy eyes to catch any blind spots, I think it would not benefit form periodic “reset” of its procedure and/or members.
I do share your concern about long-serving members becoming too comfortable, but not with the status quo. In some security councils, members have to sign transactions quite frequently, so there’s a risk that they develop “signing-fatigue” and don’t spend enough time verifying each transaction. Arbitrum’s security council is relatively safe from this, since the frequency of SC transactions is low enough to keep us all alert
@yoavw Thank you for such a detailed and transparent response. This is exactly the kind of open dialogue that strengthens trust between the Security Council and the broader Arbitrum community.
Your point about “signing-fatigue” is particularly insightful I hadn’t considered that lower transaction frequency in Arbitrum’s SC could actually be an advantage for maintaining vigilance. That’s a meaningful structural difference worth highlighting more publicly.
I still believe that transparency around member tenure and periodic public accountability reports from the SC could go a long way not to disrupt the security procedures, but to keep the community informed and engaged. A council that communicates openly is naturally more trusted.
With over 3 decades of security experience you bring, I’m curious do you see a role for community-nominated security observers (non-signing, read-only) who could provide an external perspective without compromising opsec?
Looking forward to your continued engagement here.
I’m curious how you see this role being performed in practice. The security council isn’t one that votes on decisions, etc. but mainly acts on emergencies and would typically require near-term confidentiality (when dealing with an actual security emergency) and long term (post-incident) transparency. Suppose an actual critical security bug was found in Arbitrum (luckily something we have yet to encounter), the community would benefit the most from keeping it on need to know basis while the bug is being patched, hence I’m not sure it would benefit from having an additional observer. After the bug has been fixed, the foundation would have to publish a transparency report about the incident and how it was handled, and the security council would review it for correctness. At that point, the council is effectively the observer since the report is written and published by the foundation, and the council is there to “keep it honest” and ensure that a full report is published in a timely manner. Do you see a security benefit in adding an additional observer?
Thanks for this pushing back on this, it actually helps me clarify my own thinking.
You’re right that an observer during an active incident makes no sense. I wasn’t suggesting that.
What I had in mind was narrower: a community-nominated, read-only voice who reviews the Foundation’s transparency report alongside the Council post-fix, no live access. The Council already plays this verification role, but since it’s appointed rather than community-elected, an additional independent reviewer could add a layer of community trust to that process not security, just legitimacy.
Do you see any risk even in that limited, post-incident scope…? @yoavw
I don’t see a risk after the incident report is published. The more eyes on it, the better. Whether it justifies nominating a specific person vs. assuming that enough community members already have the incentive to review the report since they hold assets on arb and care about their security, is a governance decision rather than a security one. Like you said, it promotes legitimacy and trust rather than security, Therefore it shouldn’t be the security council’s decision.
I agree this is fundamentally a governance legitimacy question rather than something for the Security Council to decide directly, and Iam glad we were able to narrow the scope together…
I support this proposal as it improves capital efficiency by moving idle balances into the Treasury Management Portfolio, where they can be actively deployed rather than sitting unused. As long as risk controls and reporting remain robust, this is a straightforward improvement to how the DAO manages its assets.