Disclaimer: Immunefi, Spearbit, and Nethermind are all aware of the current RFP process for security providers. We wanted to release the initial proposal we had created in order to raise awareness and receive feedback from the community. We all absolutely plan to participate in the RFP process. Let me know if there are further questions.
Team
Henry Shen
Omar Bheda
Peter Kecman
Outline
This proposal dictates the agreement between Spearbit, Immunefi, and Nethermind as industry-leading security service providers across the web3 ecosystem to provide comprehensive bug coverage and security services to the Arbitrum ecosystem. This includes but is not limited to providing subject matter expertise from the best professionals in web3 security to conduct:
Spearbit & Nethermind
Immunefi
Motivation
The core motivation and purpose for driving comprehensive bug coverage and security review services beyond basic smart contract security services is to position protocols building on Arbitrum for operational excellence. We strongly believe that to maximize the security posture of the Arbitrum ecosystem a far more holistic and comprehensive approach to security is needed. We’ve highlighted these areas below and why we believe that providing full security coverage and advisory services from beginning to end will enable the Arbitrum ecosystem to scale far more quickly and efficiently.
vCISO Secure Development Advisory Services: This service aims to provide protocols and projects building on Arbitrum with subject matter experts in secure web3 development lifecycles in the form of a virtual CISO or external consultant that can focus on system architecture and guide development teams towards security best practices. Spearbit and Nethermind have provided similar advisory services to other leading protocols such as Optimism, Worldcoin, and Polygon ID to re-evaluate complex design choices or architecture from a security mindset. These technical advisory services are best represented anecdotally by:
“an ounce of prevention is worth a pound of cure”
Smart Contract Security Reviews / Audits: We intend to provide comprehensive and high-signal bug coverage of Arbitrum protocols through protocol security reviews by industry-leading security researchers/auditors. Spearbit, Immunefi, and Nethermind are home to many of the top 50 web3 security professionals in the ecosystem and are ready at a moment’s notice to employ the absolute best talent available to secure mission-critical protocols building on Arbitrum. With each partner providing their unique approach to security audits, we will further ensure that Arbitrum ecosystem projects have diverse security options to choose from. We believe industry-leading protocols deserve no less than the best security talent available, and we commit to providing this for the Arbitrum ecosystem.
Web2 Security Reviews / Penetration Testing: With numerous protocols and projects having been exploited through traditional attack vectors, it has become increasingly clear that there is a pressing need to address the security concerns inherent in the traditional web2 frameworks that protocols rely on within the web3 ecosystem. In addition to provisioning comprehensive smart contract security solutions and coverage, we believe in providing full-suite application, cloud, and network penetration testing.
Incident Response and Monitoring: Through harnessing advanced analytics and deep blockchain expertise, this service provides real-time surveillance of web3 ecosystems to detect and mitigate potential threats. In the event of an anomaly or breach, we can provide rapid incident response measures with swift remediation, safeguarding your assets and reputation. We want to enable all builders on Arbitrum to navigate the web3 landscape with confidence, knowing that they are backed by the pinnacle of security vigilance and response readiness with Spearbit, Immunefi and Nethermind.
Crowdsourced Security Competitions: Through Cantina, a web3 security platform incubated by Spearbit, protocols can conduct crowdsourced security competitions to maximize the value added to their security posture by optimizing for maximum code coverage with high-signal security findings and less spam.
Bug Bounty Programs: Bug Bounty Programs allow projects to leverage security researcher communities to improve their protocol’s security over a continuous period of time. The core aspect of a bug bounty program is the bug bounty, which is a financial reward given to security researchers in exchange for discovering and reporting vulnerabilities. Bug Bounty Programs are vital to a project’s risk management strategy and should always be implemented as a final, additional layer of security.
Formal Verification: Formal verification can identify flaws that could potentially lead to exploits before our clients’ smart contracts are deployed. Nethermind’s formal verification team works in tandem with project engineering teams to define a standard specification detailing the behaviors of their smart contracts. Once defined, our formal verification experts can verify that the implementation satisfies these specifications. Furthermore, Nethermind Security has expertise in developing Interactive Theorem Proving (ITP) infrastructures and Automated Theorem Proving (ATP) tools, enabling us to reason about smart contracts precisely.
Rationale
Spearbit, Immunefi, and Nethermind are teaming up to provide comprehensive security services and bug coverage for the entire Arbitrum ecosystem, given our track records within the Arbitrum ecosystem and other ecosystems like Optimism, zkSync, and Starknet. We also wholeheartedly believe that receiving diverse feedback and opinions is paramount to an ecosystem’s security posture. Spearbit has work experience and a track record in many other ecosystems and with core actors such as Optimism, Polygon, Coinbase, zkSync, OpenSea and many others. Immunefi also works with other notable ecosystems, such as Optimism, Avalanche, Polygon, LayerZero, Scroll, etc., in hosting bug bounties for their protocols and Dapps. Nethermind, with its core development, infrastructure, cryptography research, development, and security expertise, provides a unique mix of skill sets that is hard to come across in a single organization. Their partners include the likes of Ethereum Foundation, Starknet, Gnosis Chain, Lido, Obol, and many others, with Nethermind Security being one of the leading security auditors in the Starknet ecosystem, as well as working with Polygon, zkSync, and Worldcoin, among others. Immunefi’s 35,000+ security researcher community does not discriminate against any type of project, allowing Arbitrum projects to receive diverse opinions and feedback from various types of security researchers worldwide. Immunefi is able to run a bug bounty program for any type of project (DeFi vs. consumer-facing Dapp) regardless of ecosystem or coding language (ETH, Cosmos, Avalanche, etc.).
As mentioned earlier, Immunefi is currently working with the Arbitrum Foundation/Offchain Labs team to run an Immunefi bug bounty program for the Arbitrum protocol itself. Immunefi currently provides comprehensive bug coverage to 22 Arbitrum projects and has identified at least 5 other Arbitrum projects that are onboarding onto Immunefi in the near future. These 22 Arbitrum projects have received a total of 930 bug reports, with 118 bug reports resulting in a payout to a security researcher. Out of the 118 paid bug reports, 18 paid bug reports were labeled as critical, meaning that the bug identified would have resulted in direct theft of funds or protocol insolvency. The total cumulative payout amount across these 22 Arbitrum projects totals $2.2M USD to date.
Overview of Stakeholders
Spearbit: Spearbit is a distributed network of industry-leading security researchers tackling the most complex and mission-critical protocols across web3. We provide smart contract security services for industry-leading protocols and actors such as Optimism, OpenSea, Polygon, Coinbase, zkSync, and many more.
Spearbit has:
Immunefi: Immunefi is a Web3-focused bug bounty platform that protects over $60 billion in user funds. We work with many notable names across L1s, L2s, and DeFi protocols (such as LayerZero, Cronos Labs, Polygon, Arbitrum, Boba Network, GMX, SushiSwap, etc.) in hosting bug bounties for their protocols. We host bug bounties for any type of blockchain project, regardless of coding language, ecosystem, or type of project (DeFi vs. creator economy). We utilize a community of roughly 35,000 security researchers who use our platform to hunt for bugs within our clients’ protocols.
Nethermind: Nethermind is a blockchain research and software engineering company empowering enterprises and developers worldwide to work with and build upon decentralized systems. Our work touches every part of the web3 ecosystem, from core development and fundamental cryptography research through security to application-layer protocol development. As one of the core contributors to the development of Ethereum, our execution client represents a significant portion of synced nodes. In addition, we are active builders of the Starknet ecosystem, delivering a node implementation, block explorer, Solidity-to-Cairo transpiler, and formal verification tooling.
With our agile and academic approach to smart contract security, we have established Nethermind Security as a leading auditor in the Starknet ecosystem. Furthermore, we have been working with a number of leading actors in the Ethereum ecosystem, such as zkSync, Gnosis Chain, Polygon ID, Worldcoin, Risc Zero, Gyroscope, and others. Nethermind Security utilizes the experience and knowledge of other teams within Nethermind, such as the research team, smart contract development team, and protocol engineering team, among others. As of now, Nethermind employs over 220 professionals.
Nethermind Security has:
Key Terms
Secure Development Advisory Services: An industry-leading security expert in the secure web3 development lifecycle will be assigned to give focused attention to the architecture and development of a protocol before it launches.
Smart Contract Security Reviews / Audits: A comprehensive review of your protocols' architecture, including smart contracts and dependencies.
Web2 Security Reviews / Penetration Testing: A review of your traditional infrastructure, including any web applications, frontends, network architecture, and any other relevant endpoints comprising your web2 infrastructure.
Incident Response and Monitoring: A service offering real-time monitoring and threat mitigation in web3 ecosystems using advanced analytics and blockchain expertise. With prompt response to anomalies or breaches, we protect your assets and reputation, ensuring you can operate in Web3 securely and with peace of mind.
Crowdsourced Security Competitions: A crowdsourced security review conducted through Cantina, seeking to maximize code coverage and leverage as many eyes as possible in order to perform a security review.
Cantina: An efficient web3 security marketplace incubated by Spearbit that provides protocols with full transparency and access to top web3 security service providers as well as high-signal crowdsourced security reviews called competitions.
Bug Bounty: A bug bounty is a financial or monetary reward given to security researchers for successfully discovering and reporting a vulnerability to the project’s developer.
Bug Bounty Program: A program that allows projects to leverage security researcher communities to improve their protocols’ security posture over a continuous time period.
Security Researcher: Skilled computer experts who use their technical knowledge and expertise to identify vulnerabilities within a project.
Managed Triage Service: A 24/7 premium Immunefi service that allows projects to reduce the time and effort spent reviewing and triaging bug reports.
Formal Verification: Formal verification is a rigorous method to mathematically prove or confirm the correctness of software systems through exhaustive analysis based on logical rules and models, ensuring their adherence to specified requirements or properties.
Specifications
Spearbit, Immunefi, and Nethermind are teaming up together to provide comprehensive security services and bug bounty coverage for mission-critical projects and applications.
Spearbit and Nethermind will be focused on providing a comprehensive “Swiss-cheese” approach to security for Arbitrum protocols, as shown below:

Specific examples of Spearbit-provided services:
Specific examples of Nethermind-provided services:
Immunefi will be focused on providing any services that are related to bug bounties and bug bounty payouts. Some specific examples of these Immunefi-provided services are the bug bounty platform offering, on-chain vaults for payouts, and managed triage services for incoming bug reports.
The roles of this team include but are not limited to:
Cantina: Under Cantina, Spearbit and Nethermind will operate as guilds to provide security services to relevant core protocols across the Arbitrum ecosystem. Cantina will also provide Web2 security expertise, incident response, monitoring, and reviewing for any other unique additional attack surfaces or vectors that are requested by the Arbitrum ecosystem.
Spearbit: Will conduct extensive end-to-end security reviews for core protocols building on the Arbitrum ecosystem to identify core issues and bugs that may arise in any and all attack surfaces. Spearbit will also provide advisory services to protocols pre-deployment to bake in security into the development life cycle.
Immunefi: Will provide end-to-end bug bounty coverage and services for the Arbitrum protocol and any Arbitrum projects. Aside from bug bounty services, Immunefi will also report bug bounty payouts on a monthly basis. These monthly reports will contain additional details, such as the amount of TVL protected, bug bounty payout amounts, etc., to showcase Immunefi’s impact and provide transparency on how grant funds are being used.
Nethermind: Will conduct thorough reviews of smart contracts to identify vulnerabilities and weaknesses in the code that could compromise the security or functionality of Arbitrum projects. The Nethermind Security team will work closely with your project team via multiple sync calls and communication channels to ensure the audit is completed efficiently and effectively. The project team will have full visibility of the audit process, and findings will be discussed as they arise, so projects can start working on fixes as soon as we find a problem. We take an agile approach to our auditing process, enabling our team to deliver value to our clients much faster and with increased transparency.
Our smart contract audit service includes the following:
Moreover, we can also provide the following:
Costs
The total amount of funds we are requesting for this proposal is $5M, payable in ARB tokens. $3M will be allocated towards Cantina and $2M will be allocated towards Immunefi. For simplicity’s sake, if we receive a total grant of $5M, then of the $3M allocated to Cantina, $2.4M will fund security/auditing services delivered by its guilds (Spearbit + Nethermind), each receiving $1.2M, and Cantina itself will receive $600K, while Immunefi will receive the remaining $2M for any bug bounty program services and payouts. Please refer to the following for a cost breakdown and justification for each party:
Immunefi:
Cantina:
Spearbit:
The average security review cost from Spearbit will in turn be $48,000 per week. This number is subject to change or fluctuate depending on the needs of the protocol. Using this as a base, we can anticipate performing 25 weeks of comprehensive security reviews leveraging the best talent web3 security has to offer. Assuming each security review spans 2.5 weeks, this results in 10 security reviews by Spearbit for core Arbitrum protocols.
Nethermind:
$1.2M (payable in ARB) for providing:
Nethermind will allocate 3 auditors per audit, lasting on average 2-3 weeks. We expect to provide between 20 and 25 audits at the cost of $1.2M. For any other aforementioned services, the same rate of $8,000 USD per person per week applies.
Distribution of Funds
We are proposing that the grant funds be distributed to each party in multiple installments of $250K USD (payable in ARB). Every incremental grant distribution after the first installment is based upon previous milestones that each individual party is responsible for attaining. Said party is also responsible for tracking and reporting its results to the DAO. Please refer to the following breakdown for additional details on milestones and distribution for each party:
Immunefi:
Cantina:
The rest of the payments can be as follows:
Payment #2 to Cantina: 600K USD
Payment #3 to Cantina: 600K USD
Payment #4 to Cantina: 600K USD
Payment #5 to Cantina: 600K USD