Criteria	Sub-Criteria	Description	Weight
Arbitrum Ecosystem Contribution How aligned is the project with the Arbitrum ecosystem and how easy will it be to track the applicant’s use of the subsidy funds?	Ecosystem Contribution	How does the applicant’s project contribute towards the growth of the Arbitrum ecosystem?	3
	Transparency Practices	To what extent does the applicant demonstrate transparency in its operations?	2
	Community Engagement	How does the applicant engage with the DAO community and solicit feedback/input on its project, incorporating this into its decision-making?	1
	Accountability Measures	What mechanisms does the project have in place to ensure accountability and responsible stewardship of subsidy funds, including governance structures in place?	3
Business Model & Need for the Subsidy How effectively does the applicant's business model align with their need for the subsidy?	Clarity of Business Model	How well-defined and understandable is the applicant’s business model?	2
	Team Experience	What is the track record of the team on their ability to execute their plan?	2
	Funding Gap Rationale	Is there a clear explanation of the funding gap the applicant is facing, along with the rationale for why additional subsidy funding is necessary to achieve its objectives?	3
	Reasonableness of Subsidy Amount Requested	Does the requested subsidy amount make sense within the context of the project’s needs and potential impact?	3
	Scalability Potential	What is the scalability potential of the applicant’s business model following the support of the subsidy?	1
Financial Analysis How realistic and stress tested is the applicant’s financial status and projections and is their plan for the use of the subsidy funds clearly outlined?	Accuracy of Projections	How realistic and well-supported are the financial projections provided by the applicant, inclusive of revenue forecasts and cost analysis?	1
	Sensitivity to Scenarios	To what extent does the applicant’s financial analysis consider different scenarios, such as base, target and stress scenarios to assess the projects’ resilience and adaptability to changing market conditions?	1
	KPIs	Are there clearly defined KPIs that will be used to track the project’s performance and measure progress towards achieving its goals?	3
	Preferred Funding Distribution	Does the applicant have a preferred distribution plan for the subsidy funds, and is there a rationale provided for this distribution approach, such as front-loading funds for critical start-up costs or phased funding based on project milestones?	2
Risk Analysis Is the applicant aware of risks with their project and what is their plan for mitigating these risks?	Risk Identification	How effectively does the applicant identify and assess potential risks and vulnerabilities that the project may have?	2
	Security Requirements	Does the applicant have a clear understanding of its security requirements and the measures needed to protect against security breaches, such as through the conducting of a security audit?	3
	Mitigation Strategies	What strategies does the applicant have in place or intend to implement to safeguard against the aforementioned risks?	2

Criteria	Sub-Criteria	Description	Weight
Arbitrum Ecosystem Contribution How aligned is the project with the Arbitrum ecosystem and how easy will it be to track the applicant’s use of the subsidy funds?	Ecosystem Contribution	How does the applicant’s project contribute towards the growth of the Arbitrum ecosystem?	3
	Transparency Practices	To what extent does the applicant demonstrate transparency in its operations?	2
	Community Engagement	How does the applicant engage with the DAO community and solicit feedback/input on its project, incorporating this into its decision-making?	1
	Accountability Measures	What mechanisms does the project have in place to ensure accountability and responsible stewardship of subsidy funds, including governance structures in place?	3
Business Model & Need for the Subsidy How effectively does the applicant's business model align with their need for the subsidy?	Clarity of Business Model	How well-defined and understandable is the applicant’s business model?	2
	Team Experience	What is the track record of the team on their ability to execute their plan?	2
	Funding Gap Rationale	Is there a clear explanation of the funding gap the applicant is facing, along with the rationale for why additional subsidy funding is necessary to achieve its objectives?	3
	Reasonableness of Subsidy Amount Requested	Does the requested subsidy amount make sense within the context of the project’s needs and potential impact?	3
	Scalability Potential	What is the scalability potential of the applicant’s business model following the support of the subsidy?	1
Financial Analysis How realistic and stress tested is the applicant’s financial status and projections and is their plan for the use of the subsidy funds clearly outlined?	Accuracy of Projections	How realistic and well-supported are the financial projections provided by the applicant, inclusive of revenue forecasts and cost analysis?	1
	Sensitivity to Scenarios	To what extent does the applicant’s financial analysis consider different scenarios, such as base, target and stress scenarios to assess the projects’ resilience and adaptability to changing market conditions?	1
	KPIs	Are there clearly defined KPIs that will be used to track the project’s performance and measure progress towards achieving its goals?	3
	Preferred Funding Distribution	Does the applicant have a preferred distribution plan for the subsidy funds, and is there a rationale provided for this distribution approach, such as front-loading funds for critical start-up costs or phased funding based on project milestones?	2
Risk Analysis Is the applicant aware of risks with their project and what is their plan for mitigating these risks?	Risk Identification	How effectively does the applicant identify and assess potential risks and vulnerabilities that the project may have?	2
	Security Requirements	Does the applicant have a clear understanding of its security requirements and the measures needed to protect against security breaches, such as through the conducting of a security audit?	3
	Mitigation Strategies	What strategies does the applicant have in place or intend to implement to safeguard against the aforementioned risks?	2

Criteria	Sub-Criteria	Description	Weight
Arbitrum Ecosystem Contribution How aligned is the project with the Arbitrum ecosystem and how easy will it be to track the applicant’s use of the subsidy funds?	Ecosystem Contribution	How does the applicant’s project contribute towards the growth of the Arbitrum ecosystem?	3
	Transparency Practices	To what extent does the applicant demonstrate transparency in its operations?	2
	Community Engagement	How does the applicant engage with the DAO community and solicit feedback/input on its project, incorporating this into its decision-making?	1
	Accountability Measures	What mechanisms does the project have in place to ensure accountability and responsible stewardship of subsidy funds, including governance structures in place?	3
Business Model & Need for the Subsidy How effectively does the applicant's business model align with their need for the subsidy?	Clarity of Business Model	How well-defined and understandable is the applicant’s business model?	2
	Team Experience	What is the track record of the team on their ability to execute their plan?	2
	Funding Gap Rationale	Is there a clear explanation of the funding gap the applicant is facing, along with the rationale for why additional subsidy funding is necessary to achieve its objectives?	3
	Reasonableness of Subsidy Amount Requested	Does the requested subsidy amount make sense within the context of the project’s needs and potential impact?	3
	Scalability Potential	What is the scalability potential of the applicant’s business model following the support of the subsidy?	1
Financial Analysis How realistic and stress tested is the applicant’s financial status and projections and is their plan for the use of the subsidy funds clearly outlined?	Accuracy of Projections	How realistic and well-supported are the financial projections provided by the applicant, inclusive of revenue forecasts and cost analysis?	1
	Sensitivity to Scenarios	To what extent does the applicant’s financial analysis consider different scenarios, such as base, target and stress scenarios to assess the projects’ resilience and adaptability to changing market conditions?	1
	KPIs	Are there clearly defined KPIs that will be used to track the project’s performance and measure progress towards achieving its goals?	3
	Preferred Funding Distribution	Does the applicant have a preferred distribution plan for the subsidy funds, and is there a rationale provided for this distribution approach, such as front-loading funds for critical start-up costs or phased funding based on project milestones?	2
Risk Analysis Is the applicant aware of risks with their project and what is their plan for mitigating these risks?	Risk Identification	How effectively does the applicant identify and assess potential risks and vulnerabilities that the project may have?	2
	Security Requirements	Does the applicant have a clear understanding of its security requirements and the measures needed to protect against security breaches, such as through the conducting of a security audit?	3
	Mitigation Strategies	What strategies does the applicant have in place or intend to implement to safeguard against the aforementioned risks?	2

Criteria	Sub-Criteria	Description	Weight
Arbitrum Ecosystem Contribution How aligned is the project with the Arbitrum ecosystem and how easy will it be to track the applicant’s use of the subsidy funds?	Ecosystem Contribution	How does the applicant’s project contribute towards the growth of the Arbitrum ecosystem?	3
	Transparency Practices	To what extent does the applicant demonstrate transparency in its operations?	2
	Community Engagement	How does the applicant engage with the DAO community and solicit feedback/input on its project, incorporating this into its decision-making?	1
	Accountability Measures	What mechanisms does the project have in place to ensure accountability and responsible stewardship of subsidy funds, including governance structures in place?	3
Business Model & Need for the Subsidy How effectively does the applicant's business model align with their need for the subsidy?	Clarity of Business Model	How well-defined and understandable is the applicant’s business model?	2
	Team Experience	What is the track record of the team on their ability to execute their plan?	2
	Funding Gap Rationale	Is there a clear explanation of the funding gap the applicant is facing, along with the rationale for why additional subsidy funding is necessary to achieve its objectives?	3
	Reasonableness of Subsidy Amount Requested	Does the requested subsidy amount make sense within the context of the project’s needs and potential impact?	3
	Scalability Potential	What is the scalability potential of the applicant’s business model following the support of the subsidy?	1
Financial Analysis How realistic and stress tested is the applicant’s financial status and projections and is their plan for the use of the subsidy funds clearly outlined?	Accuracy of Projections	How realistic and well-supported are the financial projections provided by the applicant, inclusive of revenue forecasts and cost analysis?	1
	Sensitivity to Scenarios	To what extent does the applicant’s financial analysis consider different scenarios, such as base, target and stress scenarios to assess the projects’ resilience and adaptability to changing market conditions?	1
	KPIs	Are there clearly defined KPIs that will be used to track the project’s performance and measure progress towards achieving its goals?	3
	Preferred Funding Distribution	Does the applicant have a preferred distribution plan for the subsidy funds, and is there a rationale provided for this distribution approach, such as front-loading funds for critical start-up costs or phased funding based on project milestones?	2
Risk Analysis Is the applicant aware of risks with their project and what is their plan for mitigating these risks?	Risk Identification	How effectively does the applicant identify and assess potential risks and vulnerabilities that the project may have?	2
	Security Requirements	Does the applicant have a clear understanding of its security requirements and the measures needed to protect against security breaches, such as through the conducting of a security audit?	3
	Mitigation Strategies	What strategies does the applicant have in place or intend to implement to safeguard against the aforementioned risks?	2

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC | proposals.app

posted 2 years ago

Dspyt Team after thoroughly reviewing the proposal for the Non-Constitutional Subsidy Fund for Security Services on the Arbitrum governance forum, we believe this initiative is essential for fostering a secure and robust ecosystem.

By subsidizing security services, the ArbitrumDAO aims to enhance the security posture of projects within the network, which is crucial for maintaining trust and reliability. Security concerns often present significant barriers for new projects; this fund will reduce onboarding friction, making it easier for innovative projects to join and thrive on Arbitrum. This influx of new projects will drive overall growth and innovation within the ecosystem.

Furthermore, this initiative aligns perfectly with our goals at DSPYT and Evm Explorer. We are dedicated to promoting safe and sustainable growth in blockchain technology, and by supporting measures that enhance security, we contribute to a more resilient and trustworthy environment.

The positive feedback from various community members highlights a shared recognition of the need for such an initiative, reflecting a collective agreement on the importance of prioritizing security to safeguard the interests of all stakeholders involved.

We firmly believe that voting FOR this proposal will significantly benefit the Arbitrum community by ensuring a safer and more inviting ecosystem for new and existing projects. This initiative not only addresses immediate security needs but also strategically positions Arbitrum as a preferred platform for developers and startups. Supporting this proposal demonstrates our commitment to advancing blockchain technology and data science in a secure and sustainable manner.

Dspyt

posted 2 years ago

Pablo

posted 2 years ago

edited 2 years ago

Following on from @sid_areta's post, as I'm putting together the RFP, framework agreements and templates and have some relevant procurement experience, I thought it might be useful for me to respond to a few themes emerging here:

Mandate and Set-up of Independent Committee to Disburse Subsidies

The ADPC did discuss this in the beginning and the view was that having the ADPC establish the framework and administer the subsidy program was within the original mandate of the ADPC ultimately approved through governance.

This decision was not taken lightly. We carefully considered the original Snapshot and proposal as well as the significant workload involved and the resources within the team. It would have been far easier for us to handball this to someone else with the risk it falls into a hole at the end of the 6 month tenure. It did not strike any of us as good stewardship or professionalism.

The concern we have in bringing a new committee onboard is that (A) it creates a new workstream that was not part of the original mandate and, (B) even if we got a new committee spun up, would result in significant delays while new team gets voted in, briefed on the procurement strategy, wraps their head around the legalities of the framework agreement, state of negotiations, tools and processes etc. That’s 4-6 weeks of their 8 week sprint gone.

If the DAO supports a truncated proof-of-concept, the better "bang for buck" would be to let the current ADPC facilitate this first tranche, re-assess at the end of the POC and then feed the learnings into a more substantial program. There is a lot of upside doing it this way.

Addition of a Security Expert

The ADPC identified this as a critical requirement early on. We have been in contact with several organisations and individuals who might be able to assist. However one challenge has been identifying suitable SMEs who are not already conflicted out or who might be seen to be biased. Both of these factors knock out many candidates.

Alternative Approaches

Having run a lot of procurements both in government and the private sector, best practice involves establishing a core team consisting of strategic procurement specialists driving the Approach-to-Market and lawyers experienced in strategic sourcing. We believe we have those resources on hand.

Technical SMEs certainly have an important role to play in defining requirements, the technical evaluation criteria and evaluating RFP responses and we definitely want to include suitably qualified SMEs in that process. However the technical requirements are only one part of a procurement process and evaluation.

Given the problems flagged above in terms of conflicts of interest, one suggestion offered to the ADPC was to speak with experienced buyers of audit services so we are exploring that option as well.

Timeline and Sequence of Events

As can be seen from the ADPC Dashboard, the ADPC has made great progress on significant pieces of the Framework. We have already released the first draft of the Means Test and the related Terms and Conditions. This alone was a considerable piece of work - we hope this serves as a role model for other grant programs.

The first draft of the Procurement Framework is being currently reviewed internally, pending input from SMEs and the Foundation. Once those steps are completed, we’ll be ready to publish the RFP and Head Agreement and officially kick off the procurement stage. We know everyone is super keen to get this ball rolling however we only have one chance to get it right. Once the RFP is published, it is inadvisable to make changes as it creates havoc for respondents and undermines probity of the process.

As part of the publication step, we’ll be developing a TLDR and overview to the legal documents to assist all participants. Keep an eye out for updates!

Pablo

posted 2 years ago

edited 2 years ago

Mandate and Set-up of Independent Committee to Disburse Subsidies

Addition of a Security Expert

Alternative Approaches

Given the problems flagged above in terms of conflicts of interest, one suggestion offered to the ADPC was to speak with experienced buyers of audit services so we are exploring that option as well.

Timeline and Sequence of Events

As part of the publication step, we’ll be developing a TLDR and overview to the legal documents to assist all participants. Keep an eye out for updates!

Hi all, thank you for your engagement on this proposal and for voting in favour on Snapshot! We appreciate all the feedback we have received and are in the process of implementing it.

Addressing the first major point of feedback, we are instituting an independent committee for selection of subsidy recipients and will provide further details regarding the proposed structure of the committee soon.

Regarding the second major point of feedback, i.e., proposing to add a Security SME to the ADPC, we managed to secure a trusted third party, who we are proposing to provide its services to the ADPC including:

Crafting the technical and business requirements for the RFP for security service providers;
Helping the ADPC whitelist the security service providers based on their RFP responses over a 4-week span.

We have managed to secure the help of DeDaub. DeDaub is a well-known security services firm which has worked with the likes of the Ethereum Foundation, EigenLayer, Chainlink, GMX, Lido, Maple, Pendle, etc., and has completed 200+ audits for 59 clients over 14 chains.

The next step before onboarding DeDaub is to get the DAO’s confirmation via Snapshot to use part of the ADPC’s budget to pay them. Note, the ADPC already has the funds in the Multi-Sig as part of the original endowment, but since this was not explicitly approved for spending by the DAO in the original Tally vote, we are requesting approval via Snapshot to use these funds to pay DeDaub. Find details below:

We propose to pay DeDaub a total of 12k ARB for their assistance on crafting the requirements and helping whitelist the security service providers. We believe this is fair since:

Each ADPC member gets compensated $8k worth of ARB per month;
The technical and specialist nature of the work allowing for a higher rate;
The difficulty we have had in sourcing Security SMEs who are not conflicted out, as mentioned above;
The market rates for Security SMEs (we were quoted $500/hour by another SME).

As such, we believe a compensation of 12k ARB is fair for the value DeDaub will bring to the ADPC and to this process.

Moreover, we also request an additional 10k ARB to the ADPC’s budget as an operational buffer to ensure that the ADPC can operate with speed and does not need to get the DAO’s approval for any small operational matters. Of course, this will be returned to the DAO’s treasury upon the completion of the ADPC’s tenure if it has not been utilized, and will not be spent on any internal salaries.

We will put up a Snapshot to get the ball rolling on this budget approval and reduce the likelihood of any delay in meeting timelines.

Summary Ask: 22k ARB in total (12k ARB compensation for DeDaub and 10k ARB operational buffer) to use from the ADPC’s buffer in the multi-sig.

Note: To confirm, DeDaub’s participation as the Security SME will preclude them from responding to the RFP and applying to be a whitelisted security service provider.

sid_areta from aretagov.eth

3.1M TOKEN

posted 2 years ago

edited 2 years ago

Thank you for all your engagement and feedback on this proposal! Given the complexity of the task at hand, the feedback has been extremely useful in helping us refine and improve the proposal.

This post will break down a subset of the major themes of the feedback and outline our plan for incorporating it. @Pablo will be providing responses on the following feedback themes in due course that this post will not cover:

Thank you for all your engagement and feedback on this proposal! Given the complexity of the task at hand, the feedback has been extremely useful in helping us refine and improve the proposal.

I. Mandate of the ADPC & Process for Whitelisting of Security Service Providers for the Provision of Subsidies II. Set-up of Independent Committee to Disburse Subsidies III. Addition of a Security Expert to the ADPC IV. Timeline and Sequence of Events V. Proposed Alternative Approaches

Feedback Themes

Input Collated for Benchmarking Exercise to Determine Size of Subsidy Fund

Feedback

There has been an ask from @coinflip and @mcfly around the input collated to define the size of the subsidy fund.

Response

To clarify, as mentioned in the proposal, we directly consulted with security service providers on their scope of services and fees:

The figure of up to $10 million worth of ARB has been determined via a benchmarking exercise conducted with various security audit service providers. This form was shared with these service providers and based on the responses of 10 service providers (including the likes of Spearbit, Halborn, Nethermind, Three Sigma, Guardian, Zellic, etc.) on their scope of services and fees associated, we have estimated that each project will require a 2-month security audit at an average cost of $200K.

As @ImmutableLawyer has mentioned above, the specific fees provided by each service provider cannot be made public due to privacy requirements and competition issues from the service providers. However, as @coinflip has suggested, we are happy to run the data points and our assumptions past members of the Foundation, who we already shared this with. To provide further clarity, the figure of $200K for a 2-month audit was based on data points / fee structures provided of:

Weekly fees per auditor
Monthly flat fees
Cost per audit

Edit: Having spoken to the Foundation on whether they can publicly confirm the sanity check, as a rule of thumb their role is not to approve what the DAO does or provide public endorsements. As such, we will find another party to do so, most likely the security expert we are currently sourcing.

Size of the Subsidy Fund

Feedback

A fund of $10 million worth of ARB is too high to begin with and a smaller pilot fund is more desirable.

Response

We are happy to institute a smaller pilot fund and already took this feedback on board in providing the different options for fund size and duration on Snapshot.

Role & Cost of the Multi-Sig

Feedback

There is no need to expand the budget to control the multi-sig to disburse the Subsidy Funds, as pointed out by @pedrob and @mcfly.

Response

As you can see in the Tally vote, the responsibilities for the Multi-Sig signers are the following:

Streaming of funds to elected members through Hedgey on a monthly basis.
Clawback capability.

Given that the signers will now have an additional responsibility to disburse the subsidy funds to recipients, and this is a more time-intensive task with potentially higher frequency, it may be fair to compensate them accordingly. We'd propose limiting the additional pay to 500 ARB in that case, given they already have an existing mandate. However, if there are allergic reactions to this or the MSig signers want to waive payment, we are open to any proposal.

BlockworksResearch from blockworksresearch.eth

2.00 TOKEN

posted 2 years ago

Blockworks Research will be splitting its vote on Snapshot; 50% for do not fund and 50% for the $2.5M fund.

On a fundamental level, we like the idea behind the subsidy fund and think it’s highly beneficial to support smaller, non-established projects. While this proposal is undoubtedly extensive and showcases that a vast amount of thought has gone into different frameworks, as pointed out by other delegates, we feel that it is still somewhat rushed. Consequently, more work is required before we feel comfortable voting for this proposal onchain. In particular, we agree with points 1. and 2. made by @mcfly, and it would be great to have a further discussion around this point:

Quoted from mcfly

Blockworks Research will be splitting its vote on Snapshot; 50% for do not fund and 50% for the $2.5M fund.

Quoted from mcfly

jump to post →

In addition to the above points, we think the fund being run by the ADPC would lead to a sub-optimal operational structure. As pointed out by @coinflip, the ADPC’s original mandate was to focus on the operational side by, for example, establishing frameworks and setting up programs. By engaging in the selection and oversight process as well, effectively 1/3 of the ADPC’s current term would be diverted from the important task of creating a foundational procurement structure for the DAO. Having said that, we are conscious of the ADPC having expressed willingness to establish a separate committee for the fund, which we think would be a great addition to this proposal. This could be structured such that both security and procurement experts could be appointed, and would be another avenue through which the ADPC would standardize the procurement framework for the DAO.

SavvyDAO

4.6K TOKEN

posted 2 years ago

edited 2 years ago

Savvy DAO has voted FOR "100% for 1 cohort of 8 weeks, $2.5M fund" for the Subsidy Fund for Security Services proposal for the following compelling reasons:

Focused and Manageable Scope: Allocating $2.5 million for an initial 8-week cohort allows the Arbitrum DAO Procurement Committee (ADPC) to pilot the subsidy program in a controlled, manageable environment. This targeted approach facilitates careful monitoring and assessment of the fund's impact on project security and development within the Arbitrum ecosystem.
Strategic Allocation for Maximum Impact: The decision to fund a single cohort initially ensures that resources are concentrated where they can be most effective. It allows the ADPC to optimize the subsidy distribution, ensuring that funds are awarded to projects that not only need them the most but also have the potential to provide significant returns on security investment.
Evaluation and Scalability: Starting with one cohort gives the ADPC the opportunity to evaluate the effectiveness of the fund’s distribution mechanisms and the performance of the funded projects. Insights gained from this initial phase can be used to fine-tune the program for future cohorts, potentially scaling the initiative based on demonstrated success and community feedback.

Savvy DAO has voted FOR "100% for 1 cohort of 8 weeks, $2.5M fund" for the Subsidy Fund for Security Services proposal for the following compelling reasons:

Focused and Manageable Scope: Allocating $2.5 million for an initial 8-week cohort allows the Arbitrum DAO Procurement Committee (ADPC) to pilot the subsidy program in a controlled, manageable environment. This targeted approach facilitates careful monitoring and assessment of the fund's impact on project security and development within the Arbitrum ecosystem.
Strategic Allocation for Maximum Impact: The decision to fund a single cohort initially ensures that resources are concentrated where they can be most effective. It allows the ADPC to optimize the subsidy distribution, ensuring that funds are awarded to projects that not only need them the most but also have the potential to provide significant returns on security investment.
Evaluation and Scalability: Starting with one cohort gives the ADPC the opportunity to evaluate the effectiveness of the fund’s distribution mechanisms and the performance of the funded projects. Insights gained from this initial phase can be used to fine-tune the program for future cohorts, potentially scaling the initiative based on demonstrated success and community feedback.

See delegate thread: https://forum.arbitrum.foundation/t/non-constitutional-subsidy-fund-for-security-services/22958/38?u=savvydao

JoJo from jojothecow.eth

2.6M TOKEN

posted 2 years ago

For snapshot, voting "for" on 2 cohort of 8 weeks for 5M arb.

I partially share some concerns about the size, and dao wanting to first try with a lower amount. But, I think 2 months are just not enough. Audits can potentially be complex as a process, in 60 days we might just not encounter enough different situations to properly assess the best way to operate.

For snapshot, voting "for" on 2 cohort of 8 weeks for 5M arb.

On the whitelisting of operators. I agree that there can be a concern about ADPC whitelisting operators. But I also know security is hard, and there are few people who actually know security, both in holistic terms and in specific, vertical terms. I used to work in cyber threat intelligence myself before larping as a cow on the internet, and want to touch this.

Quoted from coinflip

Hope the ADPC takes this feedback to help refine their proposal, and to critcally evaluate what role they are intended to have during this initial 6 month mandate, is it to run procurement for the DAO or is it to recommend and hopefully implement systems for the DAO to be able to handle such activities at scale in many areas of DAO procurement.

jump to post →

There is a merit in what flip said. But there is also a merit in understanding that a "simple" election from the dao on people able to vet security expert is in my opinion not feasible. Either we pre fetch strong candidates, publicly known workers in the security fields and make them run (but, a figure like this one, who can clearly contribute to protocols and ecosystems with just their own means and skills, why should it take the hassle to run an election?), or we trust adpc, or we find something in the middle which I don't know what it could be.

I personally feel this is one of the situation in which a democratized vote is less positive than an intelligence dictator stepping in so to say. Optimistic challenge can make sense to exclude vendors proposed. Would it work to include new ones tho? Don't think so.

Quoted from Bernard

Stand up a separate committee to disburse the Subsidy Fund.

jump to post →

This could make a lot of sense. But the composition of this committee, while lighter in requirements compared to the above, is still subject to issue because there is the need of a certain background imho.

Quoted from AbdullahUmar

The above comments from Bernard illustrate some pending work that should be completed before snapshot.

jump to post →

This is logic but i personally disagree. I interpret the current snapshot as a sentiment check, and also a reference number that the program can obtain if X, Y, Z, K is solved. I think, to fetch good experts, knowing what the budget is is mandatory. I don't personally mind having a decision process in snapshot, that clears partially the sky for further discussion and decision process before tally.

To conclude, I totally understand why there is a lot of fuss around economics. Makes sense. But the topic requires somehow a differnt approach from the usual being very specific, and needs some steering from the usual way the DAO is used to work due to the necessity of several professional figures and vendors being integrated in the program.

This doesn't mean we have a white page on which we can write whatever, there are stuff to solve like for example a committee for deciding the receivers of the funds for audits, and a way to onboard security expert (i don't like elections on this as i explained but also i don't currently have an answer).

mcfly from 0xmcfly.eth

101.8K TOKEN

posted 2 years ago

I'm sorry to post this right now as it'll be very late to get a Q&A on all the topics, though here is my rationale to only support a small 8-week program with 2.5m ARB or less and go over some feedback before this proposal moves to an on-chain vote. Here are my notes on why I'll support the general essence of this proposal but am looking for further discussion to get it more mature and less prone to unforeseen consequences for the whole ecosystem.

Negotiating discounts with security audit firms: Given the substantial amount of funds allocated for security audits, it would be prudent to negotiate discounts with the whitelisted service providers. The ADPC should leverage the scale of this program to secure more favorable rates for the benefit of the Arbitrum ecosystem. I'd like to see a clear plan for how the ADPC intends to negotiate these discounts and ensure the best value for the allocated funds.
Additional disbursement for multisig signers: The justification provided for the additional disbursement of up to 1k ARB for multisig signers is insufficient. The legal risks mentioned are unclear, and the time and effort required to verify and sign transactions do not appear to warrant such a significant additional compensation, especially considering the signers are already being paid for their role in the ADPC. I'd like to discuss the necessity of this additional disbursement and explore alternative ways to compensate signers for their efforts, if deemed necessary.
Potential second-order consequences: The subsidy program may lead to a lack of competition among security audit firms and potentially inflate prices. By acting as a government-like entity subsidizing the entire security industry, the ADPC may inadvertently create an unfair advantage for projects that have previously struggled to secure funding for audits. This could lead to an alignment of prices based on what the ADPC deems fair, rather than market forces, and may result in an inflationary trend among the selected audit firms.

Negotiating discounts with security audit firms: Given the substantial amount of funds allocated for security audits, it would be prudent to negotiate discounts with the whitelisted service providers. The ADPC should leverage the scale of this program to secure more favorable rates for the benefit of the Arbitrum ecosystem. I'd like to see a clear plan for how the ADPC intends to negotiate these discounts and ensure the best value for the allocated funds.
Additional disbursement for multisig signers: The justification provided for the additional disbursement of up to 1k ARB for multisig signers is insufficient. The legal risks mentioned are unclear, and the time and effort required to verify and sign transactions do not appear to warrant such a significant additional compensation, especially considering the signers are already being paid for their role in the ADPC. I'd like to discuss the necessity of this additional disbursement and explore alternative ways to compensate signers for their efforts, if deemed necessary.
Potential second-order consequences: The subsidy program may lead to a lack of competition among security audit firms and potentially inflate prices. By acting as a government-like entity subsidizing the entire security industry, the ADPC may inadvertently create an unfair advantage for projects that have previously struggled to secure funding for audits. This could lead to an alignment of prices based on what the ADPC deems fair, rather than market forces, and may result in an inflationary trend among the selected audit firms.

Furthermore, the proposed average cost of $200k for a 2-month security audit seems significantly higher than what many small projects have experienced in the past. In my personal experience contributing to projects since 2017, I have never paid more than $110k for a security audit with top-tier firms, with the usual average price among the latest invoices received being around $30 per line of Solidity code as of the end of 2023. I'd like to discuss ways to structure the program to encourage competition, maintain fair market prices for security audits, and ensure that the allocated funds are used efficiently to support a larger number of projects. It's important to note that the security firms involved will likely profit either way from this program if they do a good job at securing the first codebase audited. However, it's crucial to recognize that many audited projects have ended up as graveyards, as evidenced by the Rekt list, which highlights the varying effectiveness of audit firms.

Alternative approach with an Immunefi fund: Allocating a portion of the requested funds to an Immunefi fund could be an effective way to incentivize white hats to find issues in deployed smart contracts on Arbitrum One or Orbit. The existing Immunefi framework for categorizing bug reports and rewarding white hats based on their talent and the amount of funds at risk could be a more efficient use of the allocated funds. I'd like to explore the possibility of incorporating this alternative approach into the overall proposal, perhaps as a complementary initiative to a more targeted subsidy program. As a project listed on such platforms, you may receive many redundant or AI-generated reports. However, having your code in production with a substantial bug bounty can make a significant difference in continuously securing the project community and Arbitrum as a whole.

In conclusion, while I support the general essence of this proposal and believe it could significantly enhance the security of the Arbitrum ecosystem, I believe further discussion is necessary to address the potential drawbacks and refine the proposal before moving to an on-chain vote. By addressing the concerns raised and exploring alternative approaches, we can create a more effective and efficient program that minimizes unforeseen consequences for the ecosystem as a whole. I look forward to engaging in constructive dialogue with the community to refine this proposal and ensure its success.

Immutablelawyer

50.0K TOKEN

posted 2 years ago

Hi Pedro,

Firstly, appreciate your insightful analysis as always ser!

Addressing queries hereunder:

Hi Pedro,

Firstly, appreciate your insightful analysis as always ser!

Addressing queries hereunder:

We do not have a list of 'pre-approved whitelist'. What we will have is the publication of an RFP process for security service providers to be then assessed in light of the Security Framework for Security SPs and also, the RFP itself. I reiterate, there is no pre-approved whitelist - The whitelisting process will start soon and announced publicly on the forums.
Unfortunately, we cannot make the input collated public yet as it contains data tantamount to business secrecy from the Security SPs end. Hence, we would not like to put the members of the ADPC at risk by making public the fees that were disclosed to us in good faith so that we can create an optimal well-structured and thought out proposal (as I believe this one is).
This isn't an incentive program like STIP, Backfund, LTIPP, or STIP-Bridge (just realising now that we had quite a bit). This is a subsidy fund for procurement where the ADPC serves as a facilitator (a bridge so to speak), between projects eligible for subsidies and whitelisted SPs themselves. The ADPC whitelists SPs as part of the Security Procurement Framework and the ancillary documentation (RFP & legal documentation we have drafted led predominantly by Paul Imseh). Separately the ADPC assesses applications for subsidies by Projects requesting subsidies for a service they desire from a security SP. At no point do we serve as decision-makers re. which SP a project uses - this is at the Project's discretion. To facilitate the aforementioned process, a background in procurement is vital (in this regard, members of the ADPC do have this background). In LTIPP (a comment that was voiced by many members), elections turned out to be a popularity contest and one not based on merity - by way of disclosure even I participated in the LTIPP elections, yet I am of full belief that there were better candidates than I was that unfortunately placed at the bottom of the pile. Hence, votes weren't cast on capability, but rather on social capital/optics (this is not to say that good work hasn't been done as I have not assessed the LTIPP's work yet - but maybe better work could have been done should votes have been cast on capabilities? I think the answer to this is always a resounding yes whatever the endeavor).

To sum up this point, given the low applicants we even had for the ADPC w/a Procurement Background, we sought to put this under our cap (AT NO ADDITIONAL COST FOR THE DAO) so as to ensure that it's done correctly. Should there be consensus for a committee setup, we'll naturally implement it as we are merely vessels of tokenholders' wants and needs.

Re. "Why is there a need to rush this snapshot vote before having this defined?" Bernard there refers to a separate altogether process for whitelisting SPs which has nothing to do with this proposal. This RFP will be done soon (latest, beginning next week).
Re. the Security Expert; it is not an acknowledgement of lack of security expertise (speaking for myself, I deal with Security SPs, scopes of work, reports, audit structuring etc. on a daily basis due to my firm's clientele). This was merely a comment posted by a contributor that we saw generated general consensus and also made sense and thus (as we always do) we sought to implement. Re. Additional Costs, this is yet tbd as we have interested parties willing to do it free of charge due to their non-profit nature. Re. utilising ARDC, let me remind you that OpenZeppeling is on the ARDC - and OZ will be participating in the RFP - hence this would be a conflict of interest.
Re. "I sincerely believe that it was not sufficiently discussed. I have requested information about the public notion, the biweekly reports, and the minutes of the meetings, none of which were made available to the DAO.

The only message with information about a call was in the Telegram group regarding the first call, which was announced approximately an hour before it actually took place. If I am mistaken or do not have the correct source of information, I apologize."

Firstly, the call was on the ArbitrumDAO calendar for circa 1.5/2 weeks before the call occurred. In addition, we also had another call this week to discuss which was pre-announced, also put in the calendar, yet no delegates attended aside from Krzystof from L2Beat. It is a delegate's responsibility to ensure he/she stays up to date so that the voting rationale mirrors diligent work done. In addition, the proposal has also now been up on the Forums for 20 days - 13 days more than the pre-required timeperiod by the ArbitrumDAO Constitution. We reached out to delegates to discuss, hosted calls, one-on-ones, etc. Not much more we can do - we cannot force people to participate ser :)

Also, our Notion will be made public in the coming days containing all details (was not made public previously as we were sorting out confidentiality issues).

Re. "What is the need to expand the budget that has already been approved for controlling one (or the same) multisig?"

The MS Members undertake potential legal risk for being signers. At this point in time, they merely sign ADPC-member payments yet, with the Subsidy Fund in place, we require an additional level of security to pay project subsidies. Hence, we believe that with an additional task in place, an addiitonal reimbursement is sensical and fair.

Re. "I believe it would be ideal for this entire document to be presented on the forum rather than in a separate PDF on Drive that could be modified in the future." - Not an issue to post on the Forum - when I have posted on the Forum previously, the comment was the opposite from delegates i.e. post a doc as it's difficult to read on the forum. No issue doing both :)
Re. "Regarding this, I believe it would be better for the funds paid by the DAO to be denominated in ARB" - We do not agree as Projects needing to pay service costs cannot exactly pay SPs in ARB tokens. We also need the funds in stables so that we can ensure that we cover a certain amount of service fees (which are always USD Denomianted and payable).

Appreciate your rigorous assessment @pedrob - I appreciate your diligence in providing feedback to us ser <3

Hi all, thank you for your engagement on this proposal and for voting in favour on Snapshot! We appreciate all the feedback we have received and are in the process of implementing it.

Crafting the technical and business requirements for the RFP for security service providers;
Helping the ADPC whitelist the security service providers based on their RFP responses over a 4-week span.

We propose to pay DeDaub a total of 12k ARB for their assistance on crafting the requirements and helping whitelist the security service providers. We believe this is fair since:

Each ADPC member gets compensated $8k worth of ARB per month;
The technical and specialist nature of the work allowing for a higher rate;
The difficulty we have had in sourcing Security SMEs who are not conflicted out, as mentioned above;
The market rates for Security SMEs (we were quoted $500/hour by another SME).

As such, we believe a compensation of 12k ARB is fair for the value DeDaub will bring to the ADPC and to this process.

We will put up a Snapshot to get the ball rolling on this budget approval and reduce the likelihood of any delay in meeting timelines.

Summary Ask: 22k ARB in total (12k ARB compensation for DeDaub and 10k ARB operational buffer) to use from the ADPC’s buffer in the multi-sig.

Note: To confirm, DeDaub’s participation as the Security SME will preclude them from responding to the RFP and applying to be a whitelisted security service provider.

sid_areta from aretagov.eth

3.1M TOKEN

posted 2 years ago

edited 2 years ago

Thank you for all your engagement and feedback on this proposal! Given the complexity of the task at hand, the feedback has been extremely useful in helping us refine and improve the proposal.

Feedback Themes

Input Collated for Benchmarking Exercise to Determine Size of Subsidy Fund

Feedback

There has been an ask from @coinflip and @mcfly around the input collated to define the size of the subsidy fund.

Response

To clarify, as mentioned in the proposal, we directly consulted with security service providers on their scope of services and fees:

The figure of up to $10 million worth of ARB has been determined via a benchmarking exercise conducted with various security audit service providers. This form was shared with these service providers and based on the responses of 10 service providers (including the likes of Spearbit, Halborn, Nethermind, Three Sigma, Guardian, Zellic, etc.) on their scope of services and fees associated, we have estimated that each project will require a 2-month security audit at an average cost of $200K.

Weekly fees per auditor
Monthly flat fees
Cost per audit

Size of the Subsidy Fund

Feedback

A fund of $10 million worth of ARB is too high to begin with and a smaller pilot fund is more desirable.

Response

We are happy to institute a smaller pilot fund and already took this feedback on board in providing the different options for fund size and duration on Snapshot.

Role & Cost of the Multi-Sig

Feedback

There is no need to expand the budget to control the multi-sig to disburse the Subsidy Funds, as pointed out by @pedrob and @mcfly.

Response

As you can see in the Tally vote, the responsibilities for the Multi-Sig signers are the following:

Streaming of funds to elected members through Hedgey on a monthly basis.
Clawback capability.

BlockworksResearch from blockworksresearch.eth

2.00 TOKEN

posted 2 years ago

Blockworks Research will be splitting its vote on Snapshot; 50% for do not fund and 50% for the $2.5M fund.

Quoted from mcfly

Blockworks Research will be splitting its vote on Snapshot; 50% for do not fund and 50% for the $2.5M fund.

Quoted from mcfly

jump to post →

SavvyDAO

4.6K TOKEN

posted 2 years ago

edited 2 years ago

Savvy DAO has voted FOR "100% for 1 cohort of 8 weeks, $2.5M fund" for the Subsidy Fund for Security Services proposal for the following compelling reasons:

Focused and Manageable Scope: Allocating $2.5 million for an initial 8-week cohort allows the Arbitrum DAO Procurement Committee (ADPC) to pilot the subsidy program in a controlled, manageable environment. This targeted approach facilitates careful monitoring and assessment of the fund's impact on project security and development within the Arbitrum ecosystem.
Strategic Allocation for Maximum Impact: The decision to fund a single cohort initially ensures that resources are concentrated where they can be most effective. It allows the ADPC to optimize the subsidy distribution, ensuring that funds are awarded to projects that not only need them the most but also have the potential to provide significant returns on security investment.
Evaluation and Scalability: Starting with one cohort gives the ADPC the opportunity to evaluate the effectiveness of the fund’s distribution mechanisms and the performance of the funded projects. Insights gained from this initial phase can be used to fine-tune the program for future cohorts, potentially scaling the initiative based on demonstrated success and community feedback.

Savvy DAO has voted FOR "100% for 1 cohort of 8 weeks, $2.5M fund" for the Subsidy Fund for Security Services proposal for the following compelling reasons:

Focused and Manageable Scope: Allocating $2.5 million for an initial 8-week cohort allows the Arbitrum DAO Procurement Committee (ADPC) to pilot the subsidy program in a controlled, manageable environment. This targeted approach facilitates careful monitoring and assessment of the fund's impact on project security and development within the Arbitrum ecosystem.
Strategic Allocation for Maximum Impact: The decision to fund a single cohort initially ensures that resources are concentrated where they can be most effective. It allows the ADPC to optimize the subsidy distribution, ensuring that funds are awarded to projects that not only need them the most but also have the potential to provide significant returns on security investment.
Evaluation and Scalability: Starting with one cohort gives the ADPC the opportunity to evaluate the effectiveness of the fund’s distribution mechanisms and the performance of the funded projects. Insights gained from this initial phase can be used to fine-tune the program for future cohorts, potentially scaling the initiative based on demonstrated success and community feedback.

See delegate thread: https://forum.arbitrum.foundation/t/non-constitutional-subsidy-fund-for-security-services/22958/38?u=savvydao

JoJo from jojothecow.eth

2.6M TOKEN

posted 2 years ago

For snapshot, voting "for" on 2 cohort of 8 weeks for 5M arb.

Quoted from coinflip

jump to post →

Quoted from Bernard

Stand up a separate committee to disburse the Subsidy Fund.

jump to post →

Quoted from AbdullahUmar

The above comments from Bernard illustrate some pending work that should be completed before snapshot.

jump to post →

mcfly from 0xmcfly.eth

101.8K TOKEN

posted 2 years ago

Negotiating discounts with security audit firms: Given the substantial amount of funds allocated for security audits, it would be prudent to negotiate discounts with the whitelisted service providers. The ADPC should leverage the scale of this program to secure more favorable rates for the benefit of the Arbitrum ecosystem. I'd like to see a clear plan for how the ADPC intends to negotiate these discounts and ensure the best value for the allocated funds.
Additional disbursement for multisig signers: The justification provided for the additional disbursement of up to 1k ARB for multisig signers is insufficient. The legal risks mentioned are unclear, and the time and effort required to verify and sign transactions do not appear to warrant such a significant additional compensation, especially considering the signers are already being paid for their role in the ADPC. I'd like to discuss the necessity of this additional disbursement and explore alternative ways to compensate signers for their efforts, if deemed necessary.
Potential second-order consequences: The subsidy program may lead to a lack of competition among security audit firms and potentially inflate prices. By acting as a government-like entity subsidizing the entire security industry, the ADPC may inadvertently create an unfair advantage for projects that have previously struggled to secure funding for audits. This could lead to an alignment of prices based on what the ADPC deems fair, rather than market forces, and may result in an inflationary trend among the selected audit firms.

Negotiating discounts with security audit firms: Given the substantial amount of funds allocated for security audits, it would be prudent to negotiate discounts with the whitelisted service providers. The ADPC should leverage the scale of this program to secure more favorable rates for the benefit of the Arbitrum ecosystem. I'd like to see a clear plan for how the ADPC intends to negotiate these discounts and ensure the best value for the allocated funds.
Additional disbursement for multisig signers: The justification provided for the additional disbursement of up to 1k ARB for multisig signers is insufficient. The legal risks mentioned are unclear, and the time and effort required to verify and sign transactions do not appear to warrant such a significant additional compensation, especially considering the signers are already being paid for their role in the ADPC. I'd like to discuss the necessity of this additional disbursement and explore alternative ways to compensate signers for their efforts, if deemed necessary.
Potential second-order consequences: The subsidy program may lead to a lack of competition among security audit firms and potentially inflate prices. By acting as a government-like entity subsidizing the entire security industry, the ADPC may inadvertently create an unfair advantage for projects that have previously struggled to secure funding for audits. This could lead to an alignment of prices based on what the ADPC deems fair, rather than market forces, and may result in an inflationary trend among the selected audit firms.

Alternative approach with an Immunefi fund: Allocating a portion of the requested funds to an Immunefi fund could be an effective way to incentivize white hats to find issues in deployed smart contracts on Arbitrum One or Orbit. The existing Immunefi framework for categorizing bug reports and rewarding white hats based on their talent and the amount of funds at risk could be a more efficient use of the allocated funds. I'd like to explore the possibility of incorporating this alternative approach into the overall proposal, perhaps as a complementary initiative to a more targeted subsidy program. As a project listed on such platforms, you may receive many redundant or AI-generated reports. However, having your code in production with a substantial bug bounty can make a significant difference in continuously securing the project community and Arbitrum as a whole.

Immutablelawyer

50.0K TOKEN

posted 2 years ago

Hi Pedro,

Firstly, appreciate your insightful analysis as always ser!

Addressing queries hereunder:

Hi Pedro,

Firstly, appreciate your insightful analysis as always ser!

Addressing queries hereunder:

We do not have a list of 'pre-approved whitelist'. What we will have is the publication of an RFP process for security service providers to be then assessed in light of the Security Framework for Security SPs and also, the RFP itself. I reiterate, there is no pre-approved whitelist - The whitelisting process will start soon and announced publicly on the forums.
Unfortunately, we cannot make the input collated public yet as it contains data tantamount to business secrecy from the Security SPs end. Hence, we would not like to put the members of the ADPC at risk by making public the fees that were disclosed to us in good faith so that we can create an optimal well-structured and thought out proposal (as I believe this one is).
This isn't an incentive program like STIP, Backfund, LTIPP, or STIP-Bridge (just realising now that we had quite a bit). This is a subsidy fund for procurement where the ADPC serves as a facilitator (a bridge so to speak), between projects eligible for subsidies and whitelisted SPs themselves. The ADPC whitelists SPs as part of the Security Procurement Framework and the ancillary documentation (RFP & legal documentation we have drafted led predominantly by Paul Imseh). Separately the ADPC assesses applications for subsidies by Projects requesting subsidies for a service they desire from a security SP. At no point do we serve as decision-makers re. which SP a project uses - this is at the Project's discretion. To facilitate the aforementioned process, a background in procurement is vital (in this regard, members of the ADPC do have this background). In LTIPP (a comment that was voiced by many members), elections turned out to be a popularity contest and one not based on merity - by way of disclosure even I participated in the LTIPP elections, yet I am of full belief that there were better candidates than I was that unfortunately placed at the bottom of the pile. Hence, votes weren't cast on capability, but rather on social capital/optics (this is not to say that good work hasn't been done as I have not assessed the LTIPP's work yet - but maybe better work could have been done should votes have been cast on capabilities? I think the answer to this is always a resounding yes whatever the endeavor).

Re. "Why is there a need to rush this snapshot vote before having this defined?" Bernard there refers to a separate altogether process for whitelisting SPs which has nothing to do with this proposal. This RFP will be done soon (latest, beginning next week).
Re. the Security Expert; it is not an acknowledgement of lack of security expertise (speaking for myself, I deal with Security SPs, scopes of work, reports, audit structuring etc. on a daily basis due to my firm's clientele). This was merely a comment posted by a contributor that we saw generated general consensus and also made sense and thus (as we always do) we sought to implement. Re. Additional Costs, this is yet tbd as we have interested parties willing to do it free of charge due to their non-profit nature. Re. utilising ARDC, let me remind you that OpenZeppeling is on the ARDC - and OZ will be participating in the RFP - hence this would be a conflict of interest.
Re. "I sincerely believe that it was not sufficiently discussed. I have requested information about the public notion, the biweekly reports, and the minutes of the meetings, none of which were made available to the DAO.

Also, our Notion will be made public in the coming days containing all details (was not made public previously as we were sorting out confidentiality issues).

Re. "What is the need to expand the budget that has already been approved for controlling one (or the same) multisig?"

Re. "I believe it would be ideal for this entire document to be presented on the forum rather than in a separate PDF on Drive that could be modified in the future." - Not an issue to post on the Forum - when I have posted on the Forum previously, the comment was the opposite from delegates i.e. post a doc as it's difficult to read on the forum. No issue doing both :)
Re. "Regarding this, I believe it would be better for the funds paid by the DAO to be denominated in ARB" - We do not agree as Projects needing to pay service costs cannot exactly pay SPs in ARB tokens. We also need the funds in stables so that we can ensure that we cover a certain amount of service fees (which are always USD Denomianted and payable).

Appreciate your rigorous assessment @pedrob - I appreciate your diligence in providing feedback to us ser <3

AbdullahUmar from uniswap-dao.eth

1.3M TOKEN

posted 2 years ago

Here are some comments from the UADP:

Directionally, we are in favor of this proposal. There is clearly a need to help front some of the costs associated with audits. However, the proposal does seem a bit rushed. There are a couple of aspects that could have been addressed prior to taking this proposal to snapshot, which would’ve assured a higher success rate as opposed to the current divisiveness we’re seeing in the polls.

Here are some comments from the UADP:

“we are in the process of sourcing a neutral security expert as an advisor to aid us in judging both, applications from service providers during the RFP process and applications from projects looking to receive subsidies from the Subsidy Fund”

“the ADPC is currently in the process of setting up the procurement framework to whitelist security service providers for the DAO. Given the large amount of legal work required to structure an RFP, it is still in the drafting phase and has not yet been published to procure any security service providers.”

The above comments from Bernard illustrate some pending work that should be completed before snapshot.

Perhaps a better order of operations is to attain a soft commitment from the DAO regarding how much an initial pilot cohort will require. Say, the snapshot vote leads to the $2.5M fund being selected. Then, the ADPC can run an RFP process, collect the projects that require subsidy, present the findings to the DAO, then follow up with an onchain vote finalizing the payment transfer from the DAO to the ADPC for distribution. This way, there’s a soft commitment present from the DAO, and the contingency at hand is that the initiative attains the earmarked funds only if it’s run in a reasonable manner. What if the DAO disapproves the onchain vote? I doubt that this will happen as long as the ADPC delivers on its promises properly. To those ends, we would like to signal our support for $2.5M for a single cohort, treating this as a pilot. If this proposal fails the snapshot, the ADPC should return to the DAO with a more comprehensive proposal once the aspects from the above quotes have been addressed.

Also, regarding the stated areas of interest–RWA, gaming, and collab tech are noted as the main sectors for audits since there are many developments occurring here. I may be wrong in my assumption, but isn’t the best use of audits for protocols that perhaps have the most value at risk? This would largely include DeFi protocols, especially high TVL ones like money markets. RWA seems like another sector that falls under this umbrella. I’d assume the cost for audits regarding tooling/collab tech and even gaming is properly lower. All this to say I’d think critically about what teams really need an audit to begin/sustain operations–versus those who can delay a full-fledged audit until they either raise more or earn more revenue.

coinflip

9.1M TOKEN

posted 2 years ago

@Bernard @Immutablelawyer thank you for the work on getting this proposal up for evaluation and taking feedback from the DAO, its good to see ADPC progressing on putting up a framework for the Audit subsidy support program.

I am supportive that we need a framework and program to support development of our ecosystem to have access to the best audit and security partners, including hopefully in later rounds a wider selection of safety and security tools and inputs (threat detection, economic security, formal verification (especially for Stylus protocols) etc...).

Having said all that I have some concerns with the framework that is put up because it feels like it has veered somewhat from the original mandate which was to propose and assist the DAO in handling procurement operations, establishing frameworks and setup procurement programs with the Subsidy Fund being named as one of the first initiatives.

While I appreciate the urgent need for these programs, intentionally or unintentionally you have proposed a system where the ADPC is seeking to deploy up to $10m under the following process:

ADPC are the screening committee to decide which vendors to whitelist for this program
ADPC has not made public (or not linked here) which vendors qualified or didn't qualify and why
ADPC will directly administer and decide on which protocols are recipients of this $10m
no oversight board or technical board with specific expertise in the area of these grants
no DAO voting either directly or via an Optimistic process with challenge

To be clear do not take my comments as a total rebuke there is much to like in this proposal including in the sections for Application Process an Selection Process & Reporting which show great thought. Still we we might be better served by the ADPC not trying to take on all roles in this process.

A good procurement process even if not whole transparent should be auditable and have good checks and balances, the current process simply lacks any material checks and balances. Which isn't a good precedent for the ADPC to set out the gate for establishing such frameworks.

For reference looking at other grant programs that are $1m or more to date in the DAO to see their process and how there is some clear aspect of checks and balances.

LTIPP where up to 45m ARB is being distributed has a council of 5 members, three teams of advisors who work to provide recommendations to the DAO and all proposals are approved by the DAO.
PL / Thrive where there is now an oversight board providing approval or has challenge authority over expenditures depending on spend levels, and provide insight into areas of focus for the DAO (like for deciding what areas we want to focus on).
Questbook does all for the domain experts to singularly or jointly deploy grants but with each grant and available budgets being much smaller, plus each domain expert was elected by the dao based on their specific competancy in the subject of the grants.

ps. if you feel the proposal should go to the DAO as is please do consider providing delegates multiple voting options on significantly smaller program size, because it's possible that there is interest in funding a quick and dirty pilot program while a full program is formally put in place.

pedrob from pedrobreuer.eth

581.3K TOKEN

posted 2 years ago

edited 2 years ago

Hello! Thank you very much for developing this proposal and process. With @SEEDGov we've been involved as an Advisor in the LTIPP and I think this process has a very interesting and well-thought-out design. So, congratulations and thank you.

That said, I have some questions and concerns very similar to those expressed by @coinflip, which I support and believe need further discussion.

According to the proposal approved in Tally “The mandate of the ADPC aims to create an optimal organizational framework for service procurement while also creating a marketplace for service providers that would have gone through preemptive quality assurance.”

Quoted from Bernard

These subsidies will be exclusive to a pre-approved whitelisted set of security audit service providers, selected by the ADPC, who will publicly display their fees.

It is my understanding that mandate 1/5 was to develop the RFP for the selection of these service providers. How is it that now it depends on a pre-approved white list? Am I wrong?

Also, when listing your mandates, you mention that:

Quoted from Immutablelawyer

Steps [2], [3] & [4] of the mandate will necessarily have to be coupled with a 14-day consultation period pre-structuring so that input is solicit from the ArbitrumDAO and other relevant third-parties. The input collated during the public consultation period will necessarily need to be made public.

Where can I find the “input collated” for the evaluation criteria (mandate 2) of small projects that will receive the subsidies? Have you discussed the rubric with the LTIPP Council? There have been very useful learnings from their scoring experience that I think can be helpful.

Quoted from Bernard

The administration and selection process of these subsidies will be managed by the ADPC. Even though the ultimate decision will lie with the judgment of the ADPC, their assessment will be strongly guided by a means test that evaluates key metrics to determine deserving projects.

As Conflip mentions, and with whom I agree regarding the question of involving ADPC in the process as program manager, committee, and decision maker, I believe it is better to limit your participation to a sort of program management role (similar to StableLab in the LTIPP where the other decisions are made by Advisors and Council).

Quoted from Bernard

Furthermore, the ADPC’s mandate was always to act as the screening committee to decide the vendors to whitelist for the program. As you can see in the Tally vote which established the ADPC, ‘the ADPC bears the responsibility of diligently executing the steps essential to implement the aforementioned procurement framework’.

jump to post →

I don't believe this response satisfactorily addresses his question. 'Diligently executing the steps' means managing or advancing a process, not positioning oneself as the decision maker for everything related to it.

Quoted from Bernard

Exactly right, the ADPC is currently in the process of setting up the procurement framework to whitelist security service providers for the DAO. Given the large amount of legal work required to structure an RFP, it is still in the drafting phase and has not yet been published to procure any security service providers.

jump to post →

Why is there a need to rush this snapshot vote before having this defined?

Quoted from Bernard

Fully agree here on gap in security experience - as mentioned above, we are in the process of sourcing a neutral security expert as an advisor to aid us in judging both, applications from service providers during the RFP process and applications from projects looking to receive subsidies from the Subsidy Fund.

jump to post →

Assuming it is approved, wouldn't this incur additional costs? Given that you acknowledge a lack of security experience, the role of the 'security expert' would be crucial in assessing the applicants. Why not directly appoint a manager or a committee of security experts and provide them with compensation to carry out the task?

It might be interesting to involve the ARDC in this process, as it includes a DAO advocate, a member qualified for Risk Assessment, and a member qualified for Security Assessment.

Quoted from Bernard

and we have received no other indication from the rest of the community that another committee is required to handle fund disbursement.

jump to post →

I sincerely believe that it was not sufficiently discussed. I have requested information about the public notion, the biweekly reports, and the minutes of the meetings, none of which were made available to the DAO.

Quoted from Bernard

In recognition of the additional responsibilities undertaken, each of the five multi-sig wallets is proposed to receive a supplementary compensation ranging from 500 ARB - 1,000 ARB monthly.

What is the need to expand the budget that has already been approved for controlling one (or the same) multisig?

Quoted from Bernard

Grant Application Terms and Conditions can be found here .

I believe it would be ideal for this entire document to be presented on the forum rather than in a separate PDF on Drive that could be modified in the future.

Quoted from Bernard

1 cohort of 8 weeks (2 months) for a total fund size of $2.5 million.
2 cohorts of 8 weeks each (4 months) for a total fund size of $5 million.
4 cohorts of 8 weeks each (8 months) for a total fund size of $10 million.

jump to post →

Regarding this, I believe it would be better for the funds paid by the DAO to be denominated in ARB

Thanks again, I think overall the proposal is good and well thought out.

Bernard from aretagov.eth

3.1M TOKEN

posted 2 years ago

@coinflip, thanks for the feedback! Appreciate the time you took going through, and happy to clarify a few aspects about the ADPC’s mandate and process - some of them might directly resolve a few of your remarks:

(1) On your comment ‘ADPC has not made public (or not linked here) which vendors qualified or didn’t qualify and why’:

Exactly right, the ADPC is currently in the process of setting up the procurement framework to whitelist security service providers for the DAO. Given the large amount of legal work required to structure an RFP, it is still in the drafting phase and has not yet been published to procure any security service providers.
To shed some more light as to why, the RFP includes a Framework Agreement which outlines detailed considerations around general provisions of the framework, administration of the framework, financial provisions, personnel, information management, risk management, IP rights, termination and dispute, delivery, security, and reporting. The RFP also includes an Order Form and Contract Details for all applicants. As you can imagine, this framework is comprehensive and requires time to put together, refine, and publish. Moreover, we are also putting time into defining the infrastructure around accepting RFP responses and evaluating them fairly, including sourcing a security expert as an advisor to aid us in judging applications.
The aim is for the ADPC to publish the RFP at the end of April, with applications needing to be submitted 4 weeks after the RFP being published and a subsequent review period consisting of 8 weeks, which will be a rolling process where the ADPC will approve applicants through the course of this period. We will start accepting applications for the Subsidy Fund only after vendors are whitelisted as part of this process.
As such, the ADPC will make public the vendors that have been whitelisted, along with a rationale for their selection. The intention was never to make decisions in a silo and always make the reasons for selection public. We will also publicise which vendors have not been selected but will not provide a reason for their non-selection in the interest of privacy.
Furthermore, the ADPC’s mandate was always to act as the screening committee to decide the vendors to whitelist for the program. As you can see in the Tally vote which established the ADPC, ‘the ADPC bears the responsibility of diligently executing the steps essential to implement the aforementioned procurement framework’.

(2) On your remarks ‘ADPC will directly administer and decide on which protocols are recipients of this $10m’ and ‘no oversight board or technical board with specific expertise in the area of these grants’:

Fully agree here on gap in security experience - as mentioned above, we are in the process of sourcing a neutral security expert as an advisor to aid us in judging both, applications from service providers during the RFP process and applications from projects looking to receive subsidies from the Subsidy Fund.
On management, the original intention around the drafting of the original ADPC proposal was that the ADPC would execute the Subsidy Fund, and we have received no other indication from the rest of the community that another committee is required to handle fund disbursement.
Besides that from an operational standpoint, we would feel comfortable managing it bringing in our experience from running the Uniswap-Arbitrum Grants Program (UAGP).
Obviously, if there is consensus from the DAO on standing up another separate committee to disburse grants from the Subsidy Fund, we are very happy to take that into consideration.

(3) On your question ‘no DAO voting either directly or via an Optimistic process with challenge’:

Good idea, we'd be happy to institute an Optimistic Challenge process on the selection of specific security service providers or grant recipients if it works operationally. At this point in time, the Optimistic Governance Module that is being developed by Axis Advisory &. Tally is not available for use yet.

(4) On your comment ‘if you feel the proposal should go to the DAO as is please do consider providing delegates multiple voting options on significantly smaller program size’:

Hear you on this one, we are not married to this number but merely see it as a reasonable starting point. In that sense, agree with your suggestion to reflect different options for funding amounts in the initial Snapshot. We propose $2.5M over a 2-month period, $5M over a 4-month period, or the original $10M over an 8-month period.
For more context on the $10M, as explained in @ImmutableLawyer’s response to @cp0x above, the amount requested was based on data we obtained via a public consultation where we consulted security service providers on their fee structures and scope of services. The mere size was seen as a high enough amount to provide sufficient impact and justify the efforts going into structuring the program.
The $10M size is based on the assumption of a 2-month audit at an average cost of $200K, which will allow the ADPC to fund 50 projects over the 8-month program. Any unutilised funds will be sent to the ArbitrumDAO Treasury or, if the ADPC’s mandate is extended, transitioned over to the next iteration of the ADPC.

Just to recap, if there is consensus from delegates on the below, we are happy to:

Stand up a separate committee to disburse the Subsidy Fund.
Institute an Optimistic Challenge process on the selection of specific security service providers or grant recipients.
Start with a smaller program, e.g., of $2.5M over a 2-month period or $5M over a 4-month period before additional funds are requested to continue the program.

If you have time to respond, obviously much appreciated and thanks again for the helpful guidance

Pepperoni_Jo3

3.9M TOKEN

posted 2 years ago

edited 2 years ago

These comments and thoughts reflect my personal opinions on this proposal. Whilst I am a member of the Arbitrum Representative Council (ARC), they do not necessarily represent the overall views of the council or provide an indication of final voting decision

I'm directionally in favour of this proposal as it aligns well with my vision for the DAO as a support service for protocols building on Arbitrum. This would be a competitive advantage which would draw builders to Arbitrum by offering them a range of free/discounted support services they could not access elsewhere.

I'm also in favour of this change for the reasons pointed out by @dk3 and @JoJo. Thanks for being flexible.

Quoted from Immutablelawyer

Re. the %-based approach, following your comments and internal discussions w/ fellow ADPC Members, we have decided to amend the proposal to reflect a %-based approach to subsidies which will entail the ADPC covering up to 70% (maximum threshold) of the corresponding service solicited by the project.

jump to post →

@coinflip makes an interesting point RE check and balances. I lean towards greater empowerment of the groups like the ADPC to make decision on behalf of the DAO. However, adding in greater transparency (i.e. details on vendors qualifying / didn't qualify) and/or an optimistic process with challenge on decisions may be beneficial.

AbdullahUmar from uniswap-dao.eth

1.3M TOKEN

posted 2 years ago

Here are some comments from the UADP:

The above comments from Bernard illustrate some pending work that should be completed before snapshot.

coinflip

9.1M TOKEN

posted 2 years ago

While I appreciate the urgent need for these programs, intentionally or unintentionally you have proposed a system where the ADPC is seeking to deploy up to $10m under the following process:

ADPC are the screening committee to decide which vendors to whitelist for this program
ADPC has not made public (or not linked here) which vendors qualified or didn't qualify and why
ADPC will directly administer and decide on which protocols are recipients of this $10m
no oversight board or technical board with specific expertise in the area of these grants
no DAO voting either directly or via an Optimistic process with challenge

For reference looking at other grant programs that are $1m or more to date in the DAO to see their process and how there is some clear aspect of checks and balances.

LTIPP where up to 45m ARB is being distributed has a council of 5 members, three teams of advisors who work to provide recommendations to the DAO and all proposals are approved by the DAO.
PL / Thrive where there is now an oversight board providing approval or has challenge authority over expenditures depending on spend levels, and provide insight into areas of focus for the DAO (like for deciding what areas we want to focus on).
Questbook does all for the domain experts to singularly or jointly deploy grants but with each grant and available budgets being much smaller, plus each domain expert was elected by the dao based on their specific competancy in the subject of the grants.

pedrob from pedrobreuer.eth

581.3K TOKEN

posted 2 years ago

edited 2 years ago

That said, I have some questions and concerns very similar to those expressed by @coinflip, which I support and believe need further discussion.

Quoted from Bernard

These subsidies will be exclusive to a pre-approved whitelisted set of security audit service providers, selected by the ADPC, who will publicly display their fees.

It is my understanding that mandate 1/5 was to develop the RFP for the selection of these service providers. How is it that now it depends on a pre-approved white list? Am I wrong?

Also, when listing your mandates, you mention that:

Quoted from Immutablelawyer

Quoted from Bernard

jump to post →

Quoted from Bernard

jump to post →

Why is there a need to rush this snapshot vote before having this defined?

Quoted from Bernard

jump to post →

It might be interesting to involve the ARDC in this process, as it includes a DAO advocate, a member qualified for Risk Assessment, and a member qualified for Security Assessment.

Quoted from Bernard

and we have received no other indication from the rest of the community that another committee is required to handle fund disbursement.

jump to post →

Quoted from Bernard

In recognition of the additional responsibilities undertaken, each of the five multi-sig wallets is proposed to receive a supplementary compensation ranging from 500 ARB - 1,000 ARB monthly.

What is the need to expand the budget that has already been approved for controlling one (or the same) multisig?

Quoted from Bernard

Grant Application Terms and Conditions can be found here .

I believe it would be ideal for this entire document to be presented on the forum rather than in a separate PDF on Drive that could be modified in the future.

Quoted from Bernard

1 cohort of 8 weeks (2 months) for a total fund size of $2.5 million.
2 cohorts of 8 weeks each (4 months) for a total fund size of $5 million.
4 cohorts of 8 weeks each (8 months) for a total fund size of $10 million.

jump to post →

Regarding this, I believe it would be better for the funds paid by the DAO to be denominated in ARB

Thanks again, I think overall the proposal is good and well thought out.

Bernard from aretagov.eth

3.1M TOKEN

posted 2 years ago

(1) On your comment ‘ADPC has not made public (or not linked here) which vendors qualified or didn’t qualify and why’:

Exactly right, the ADPC is currently in the process of setting up the procurement framework to whitelist security service providers for the DAO. Given the large amount of legal work required to structure an RFP, it is still in the drafting phase and has not yet been published to procure any security service providers.
To shed some more light as to why, the RFP includes a Framework Agreement which outlines detailed considerations around general provisions of the framework, administration of the framework, financial provisions, personnel, information management, risk management, IP rights, termination and dispute, delivery, security, and reporting. The RFP also includes an Order Form and Contract Details for all applicants. As you can imagine, this framework is comprehensive and requires time to put together, refine, and publish. Moreover, we are also putting time into defining the infrastructure around accepting RFP responses and evaluating them fairly, including sourcing a security expert as an advisor to aid us in judging applications.
The aim is for the ADPC to publish the RFP at the end of April, with applications needing to be submitted 4 weeks after the RFP being published and a subsequent review period consisting of 8 weeks, which will be a rolling process where the ADPC will approve applicants through the course of this period. We will start accepting applications for the Subsidy Fund only after vendors are whitelisted as part of this process.
As such, the ADPC will make public the vendors that have been whitelisted, along with a rationale for their selection. The intention was never to make decisions in a silo and always make the reasons for selection public. We will also publicise which vendors have not been selected but will not provide a reason for their non-selection in the interest of privacy.
Furthermore, the ADPC’s mandate was always to act as the screening committee to decide the vendors to whitelist for the program. As you can see in the Tally vote which established the ADPC, ‘the ADPC bears the responsibility of diligently executing the steps essential to implement the aforementioned procurement framework’.

Fully agree here on gap in security experience - as mentioned above, we are in the process of sourcing a neutral security expert as an advisor to aid us in judging both, applications from service providers during the RFP process and applications from projects looking to receive subsidies from the Subsidy Fund.
On management, the original intention around the drafting of the original ADPC proposal was that the ADPC would execute the Subsidy Fund, and we have received no other indication from the rest of the community that another committee is required to handle fund disbursement.
Besides that from an operational standpoint, we would feel comfortable managing it bringing in our experience from running the Uniswap-Arbitrum Grants Program (UAGP).
Obviously, if there is consensus from the DAO on standing up another separate committee to disburse grants from the Subsidy Fund, we are very happy to take that into consideration.

(3) On your question ‘no DAO voting either directly or via an Optimistic process with challenge’:

Good idea, we'd be happy to institute an Optimistic Challenge process on the selection of specific security service providers or grant recipients if it works operationally. At this point in time, the Optimistic Governance Module that is being developed by Axis Advisory &. Tally is not available for use yet.

(4) On your comment ‘if you feel the proposal should go to the DAO as is please do consider providing delegates multiple voting options on significantly smaller program size’:

Hear you on this one, we are not married to this number but merely see it as a reasonable starting point. In that sense, agree with your suggestion to reflect different options for funding amounts in the initial Snapshot. We propose $2.5M over a 2-month period, $5M over a 4-month period, or the original $10M over an 8-month period.
For more context on the $10M, as explained in @ImmutableLawyer’s response to @cp0x above, the amount requested was based on data we obtained via a public consultation where we consulted security service providers on their fee structures and scope of services. The mere size was seen as a high enough amount to provide sufficient impact and justify the efforts going into structuring the program.
The $10M size is based on the assumption of a 2-month audit at an average cost of $200K, which will allow the ADPC to fund 50 projects over the 8-month program. Any unutilised funds will be sent to the ArbitrumDAO Treasury or, if the ADPC’s mandate is extended, transitioned over to the next iteration of the ADPC.

Just to recap, if there is consensus from delegates on the below, we are happy to:

Stand up a separate committee to disburse the Subsidy Fund.
Institute an Optimistic Challenge process on the selection of specific security service providers or grant recipients.
Start with a smaller program, e.g., of $2.5M over a 2-month period or $5M over a 4-month period before additional funds are requested to continue the program.

If you have time to respond, obviously much appreciated and thanks again for the helpful guidance

Pepperoni_Jo3

3.9M TOKEN

posted 2 years ago

edited 2 years ago

I'm also in favour of this change for the reasons pointed out by @dk3 and @JoJo. Thanks for being flexible.

Quoted from Immutablelawyer

jump to post →

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

Subsidy Fund Proposal from the Arbitrum DAO Procurement Committee

Executive Summary

Proposal Request

Subsidy Fund Design & Approach

Exec View

Key Pillars

(A) Subsidy Fund Principles and Criteria

(B) Application Process

(C) Selection Process & Reporting

(D) Project Allocation

(E) Team Setup

(G) Governance

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

Subsidy Fund Proposal from the Arbitrum DAO Procurement Committee

Executive Summary

Proposal Request

Subsidy Fund Design & Approach

Exec View

Key Pillars

(A) Subsidy Fund Principles and Criteria

(B) Application Process

(C) Selection Process & Reporting

(D) Project Allocation

(E) Team Setup

(G) Governance

Subsidy Fund Proposal from the Arbitrum DAO Procurement Committee

Executive Summary

Proposal Request

Subsidy Fund Design & Approach

Exec View

Key Pillars

(A) Subsidy Fund Principles and Criteria

(B) Application Process

(C) Selection Process & Reporting

(D) Project Allocation

(E) Team Setup

(G) Governance

Subsidy Fund Proposal from the Arbitrum DAO Procurement Committee

Executive Summary

Proposal Request

Subsidy Fund Design & Approach

Exec View

Key Pillars

(A) Subsidy Fund Principles and Criteria

(B) Application Process

(C) Selection Process & Reporting

(D) Project Allocation

(E) Team Setup

(G) Governance

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

[Non-Constitutional] - Subsidy Fund Proposal from the ADPC

Mandate and Set-up of Independent Committee to Disburse Subsidies

Mandate and Set-up of Independent Committee to Disburse Subsidies

Addition of a Security Expert

Alternative Approaches

Timeline and Sequence of Events

Mandate and Set-up of Independent Committee to Disburse Subsidies

Mandate and Set-up of Independent Committee to Disburse Subsidies

Addition of a Security Expert

Alternative Approaches

Timeline and Sequence of Events

Addition of a Security Expert

Feedback Themes

Input Collated for Benchmarking Exercise to Determine Size of Subsidy Fund

Size of the Subsidy Fund

Role & Cost of the Multi-Sig

Addition of a Security Expert

Feedback Themes

Input Collated for Benchmarking Exercise to Determine Size of Subsidy Fund

Size of the Subsidy Fund

Role & Cost of the Multi-Sig