Introduction
On the 19th of November 2024, the ARDC Tally proposal was executed, marking the ArbitrumDAO’s decision to extend the ARDC with the launch of the ARDC V2. This iteration features a collaborative structure, comprising specialised working members in Research, Risk and Security, alongside a Supervisory Council. The program is designed to deliver ongoing, specialised assistance to the ArbitrumDAO. For more details, see the executed proposal here: https://www.tally.xyz/gov/arbitrum/proposal/36792157050667056852025000136263368859227883753318633087194112219909798752014?govId=eip155:42161:0x789fC99093B09aD01C34DC7251D0C89ce743e5a4
Following a call for applications, a review process and an amendment period, conducted in accordance with the Election Process ratified by the ArbitrumDAO, the elections for the Arbitrum Research and Development Collective are now open. The full version of the applications can be viewed here:
https://forum.arbitrum.foundation/t/election-application-thread-v2-arbitrum-research-development-collective/27267/16
We encourage all Arbitrum Delegates to vote responsibly and in the best interests of the ArbitrumDAO.
OpenZeppelin
- Applicant: OpenZeppelin
- Applicant Representative: Michael Lewellen
- Telegram Handle: @cyloncat
- LinkedIn Profile: OpenZeppelin | LinkedIn
- Role being applied for: Security Working Member
- Hourly Rate (in USDC): $600/hour for individual security researchers
Experience
OpenZeppelin has been a foundational security provider in the blockchain ecosystem since 2016, with their open-source OpenZeppelin Contracts library being widely trusted and serving as the core infrastructure for secure smart contract development. Previous work with Arbitrum includes evaluating key governance upgrades, verifying proposal correctness, and conducting security design assessments for projects like Timeboost and BOLD. Their contributions to the Stylus Contracts Library further solidify their integration into the Arbitrum ecosystem, leveraging expertise in Stylus runtime.
OpenZeppelin’s approach to security includes fuzzing, and rigorous manual review that addresses vulnerabilities from multiple angles, even developing the Defender platform and being the only security provider to identify a critical vulnerability in their Uniswap V4 Audit. Having participated in the ARDC V1, OpenZeppelin carried out reviews of governance upgrades, verification of proposal correctness, and security design evaluations.
Proposed Scope of Work for Arbitrum:
Deliverables for the first two months
This is the specific work that we expect to complete within the first two months of the ARDC V2 program. Please note that some of these deliverables are time-dependent on the proposal details being ready for our security feedback within the 2-month time period.
- Security Council Improvement Suggestions: OpenZeppelin will contribute recommendations for enhancing the Arbitrum Security Council’s functionality, such as enabling multi-sig support for company entities to streamline operations. We will also propose setting technical requirements to ensure at least 9 of the 12 council members possess the technical skills to independently verify emergency upgrades. We’ve already seen forum requests for testing the technical expertise of Council candidates and additional suggestions from the Arbitrum Foundation that we plan to address.
- Technical Upgrade Security Feedback & Proposal Reviews on Timeboost, BOLD, Orbit Chains and Fast Withdrawals: Following up on our prior Security Analyses for BOLD and Timeboost, we expect to review the implementations of these mechanisms for security risks before submission on-chain and provide executive summaries of their impact. We also anticipate reviews of fast withdrawals and Orbit chain proposals that line up with the Arbitrum Foundation’s recommendations.
- Suggestions to Improve the DAO’s Technical Decision-Making Process: We’ll explore and recommend a technical decision-making framework to improve the DAO’s current process of debating technical trade-offs when implementing upcoming proposals. We’ll especially take the experiences learned from the Arbitrum Governor V2 Upgrade discussion on whether to perform a migration upgrade or direct proxy upgrade.
- Definition and Security Risk Analysis of a Governance Attack: We’ll examine Arbitrum’s current governance system to identify the potential risks of a governance attack similar to Humpy’s earlier attempt on Compound this year, to better safeguard the DAO. This includes defining the difference between a controversial/contentious proposal and an outright governance attack from an outside entity accumulating tokens and manipulating votes in a manner that warrants a security response. This includes answering questions raised by the Arbitrum Foundation here.
Ongoing Scope of Work
This is work that we expect to be ongoing, depending on the current proposals and requests made to us throughout our ARDC term.
- Proposer Assistance and Payload Preparation: Upon request from a proposal that has passed a snapshot, OpenZeppelin will support non-technical proposal authors in preparing their proposals, guiding them through best practices in proposal construction to meet the Arbitrum DAO’s technical and security requirements. We will offer security insights throughout the drafting process to preemptively address any potential vulnerabilities, helping authors create secure and well-structured proposals. This item comes directly from delegate feedback we received following ARDC V1.
- Proposal Security Review Process: OpenZeppelin will conduct security reviews of proposal payloads submitted to Tally (ideally in draft form prior to submission), ensuring their integrity and alignment with the intended governance actions. We will provide a final security check to verify that the proposal’s on-chain deployment matches the reviewed content along with an executive summary explaining the proposal’s impact for non-technical readers. This process will include manual security checks, supplemented by automated tools where possible, to ensure robustness and accuracy. Our forum reports on proposal safety will foster transparency and community engagement with proposal security.
- Governance Upgrade Audits: As the primary auditor for governance upgrades, OpenZeppelin will collaborate closely with Tally and ScopeLift to ensure future upgrades are secure and aligned with the Arbitrum DAO’s roadmap. Through this collaboration, we’ll also explore integration opportunities with OpenZeppelin Governor, identifying feature enhancements that could serve both Arbitrum DAO and the broader ecosystem as part of the OpenZeppelin Governor Working Group that we’ve recently launched alongside Tally, ScopeLift and Agora.
- Additional Security Audits: While we’ve explicitly proposed that the Security Member serves as the primary auditor for governance upgrades, we are also happy to conduct security audits for other smart contracts wherever the Supervisory Council considers them to be in-scope for the ARDC. This could include any smart contracts to be utilized in a governance proposal such as the Franchiser Contracts used by Event Horizon that we audited in ARDC V1.
These deliverables address critical security needs and emphasize proactive upgrades and enhanced security governance. OpenZeppelin’s approach allows flexibility in addressing additional security tasks as ARDC’s term progresses. We are also open to additional feedback from other delegates and the guidanc
... please visit link below to view full proposal
https://snapshot.org/#/arbitrumfoundation.eth/proposal/0xc22debaecd252e2eccfa2b561345f091998d20740865ea6a39414f34fde52de2