Arbitrum

Abstract

This proposal seeks funding from the Arbitrum DAO to support an Attackathon, a large-scale security audit event hosted by the Ethereum Foundation and Immunefi. The Attackathon will focus on securing the Ethereum protocol with three key phases: education, active bug hunting, and result evaluation. The initiative aims to raise over $2 million, with $500,000 already committed by the Ethereum Foundation. This effort is crucial for ensuring Ethereum’s stability, which is vital to maintaining the reliability of projects on Arbitrum.

Motivation

As a Layer 2 on Ethereum, Arbitrum is directly dependent on the security of the Ethereum protocol. Given that Arbitrum is EVM-compatible, any vulnerabilities in Ethereum could potentially impact Arbitrum’s ecosystem. This Attackathon is particularly timely given the recent major Ethereum hard forks, which have introduced new code that requires careful auditing.

Additionally, the Attackathon will include an educational program featuring live technical walkthroughs and detailed documentation from Ethereum Foundation, client teams, Solidity developers, and Immunefi. This program will cater to security researchers at all levels, helping to build a stronger security community around both Ethereum and Arbitrum. The increased awareness and participation in Ethereum’s security will ultimately benefit Arbitrum by ensuring a more secure underlying infrastructure.

Rationale

The Attackathon aligns with Arbitrum’s mission to support a secure and scalable Ethereum ecosystem. By contributing to this initiative, Arbitrum will directly enhance Ethereum’s security, which supports the reliability of Arbitrum. Moreover, the educational component will upskill security researchers, giving them the tools to audit and secure both the Ethereum and Arbitrum ecosystems.

Additionally, Arbitrum will benefit from increased visibility as a proactive participant in Ethereum security efforts, enhancing its credibility and reputation among developers, users, and security researchers. By sponsoring the Attackathon, Arbitrum positions itself as a leader in the ecosystem, contributing to long-term sustainability and security.

Detailed Financial Justification

The goal of securing $2M in total funding aligns with other major security audits in the blockchain ecosystem. Comparable initiatives include:

• MakerDAO contest on Sherlock: $1.35M
• Euler contest on Cantina: $1.25M
• Uniswap v4 contest on Cantina: $2.35M
• Firedancer contest on Immunefi: $1M

The Attackathon funding goal reflects the importance of thoroughly securing Ethereum’s core protocol. With $500,000 already committed by the Ethereum Foundation, additional sponsorship from ArbitrumDAO will help us reach this $2M target, ensuring participation from top-tier security researchers and maximizing the event’s impact.

Outcome Metrics

By setting clear goals for participation, reports submitted, and transparency, we can effectively track the impact of the Attackathon. Key outcome metrics include:

• Secure over 100 security researcher signups before the program’s launch.
• Achieve participation from over 100 distinct individuals submitting reports.
• Submit more than 150 reports by the conclusion of the Attackathon.
• Publish an audit-style report summarizing findings for the Arbitrum and Ethereum communities.

These metrics will demonstrate the program’s effectiveness in attracting top security talent and identifying critical vulnerabilities across both ecosystems.

Community Feedback Loop

To ensure transparency and alignment with community expectations, we will provide regular updates on the Attackathon’s progress through Arbitrum forums and governance channels. These updates will include detailed reports on fund usage, security vulnerabilities identified, and overall outcomes. Community feedback will be encouraged through these platforms to maintain alignment with the community’s goals and priorities.

Breakdown of Expenditures

100% of the funds raised from the ArbitrumDAO and other sponsors will be allocated to security researcher payouts based on the severity of the bugs they find. Immunefi has waived their usual fees for this event, so all funds will be directly used for researcher rewards. If any funds remain after the Attackathon, they will be rolled over to an audit contest focused on securing the Pecta hardfork.

Estimated Timeline

• November 20: Detailed program announcement and education kickoff
• November 27: Attackathon hunting begins
• January 22: Attackathon concludes and results compilation begins
• January 23: Review period begins
• Late March: Results announced

Overall Cost

The Arbitrum DAO is invited to sponsor the Attackathon with a 30 ETH commitment. This sponsorship includes:

• 1x Unique NFT with leaderboard rank
• Leaderboard listing on the sponsor landing page
• Mid-roll logo placement on Sponsor and Program Landing Page
• An Arbitrum Boost (Audit Contest) on Immunefi with up to a $100K rewards pool at 100% Immunefi Discount within 180 days of the conclusion of the Ethereum program
• 1x Dedicated Twitter post announcing sponsorship from Immunefi Twitter handle

The ArbitrumDAO had previously signalled its support via a temperature check on Snapshot with a 30 ETH sponsorship for the Attackathon via the Panda Partnerships tier.

By supporting the Attackathon, Arbitrum will leverage the event’s findings to ensure its network remains secure and robust. This initiative not only enhances security but also demonstrates Arbitrum’s commitment to the broader Ethereum ecosystem.

Multi-Sig Address for DAO Deposit

To deposit the funds, the Arbitrum DAO can use the following multi-sig address: 0xD4427b312D42191640Ea12c97457636bb807d65e.

This multi-sig is a 3/5 MultiSig owned by Immunefi who is contracted on behalf of the Ethereum Foundation to run the Attackathon program.