OpenZeppelin's Security Council Research

Recorded: April 3, 2025 Duration: 0:59:21
Space Recording

Short Summary

The Arbitrum DAO is making strides in governance and security, with discussions centered around the innovative Security Council and its role in decentralized decision-making. Key recommendations include enhancing member qualifications and maintaining a robust election cycle to ensure effective governance.

Full Transcription

Hey, good morning. Morning. Hey, Chariot. Can we just give everyone some time to stream in and probably get started at 4.03 UTC?
Will you add Red Swan as a speaker, please?
Just in case.
Yep, we do.
Thank you. Thank you. Good morning, good afternoon, good evening everyone.
We'll be giving everyone maybe another two more minutes to join.
And then Frizen, who is now a speaker, I believe, will be hosting this call. Thank you. Thank you. All right, everyone.
Thanks for joining. We're going to get started as more folks trickle in.
I'm super excited to be here today. Thank you to the Arbitrum Foundation for hosting this call.
I'm going to be your primary moderator today to move the discussion along.
To briefly introduce myself, I'm Frison. I work on a
lot of different things in the space. I am the chief revenue officer of Tally, but I also serve
as one of the comms chairs for the Arbitrum ARDC, which leads research in the Arbitrum DAO and investigates
and produces kind of foundational research on critical topics to the Arbitrum DAO moving forward.
So one of the things we're going to talk about today is the Arbitrum DAO has a unique and kind
of very innovative and important element of its infrastructure called the Arbitrum DAO Security Council.
And OpenZeppelin, who's a vendor in the ARDC, has put together a kind of deep research report on how the Security Council works and kind of the strengths and weaknesses
of the current implementation and how the Arbitrum DAO and others with similar Security
Council should be thinking about Security Council design going forward. So I'm going to lead a
discussion on that topic in this space, and hopefully all of you will come away with learnings about both the Arbitrum DAO Security Council and for other L2s and protocols who are thinking about security councils and governance, how they can best be designed.
So I'm going to be asking a lot of questions, and the OpenZeppelin team, led by Jared, who led out this research on the
OpenZeppelin side, will be doing a lot of talking about the research they did.
So that is what we're here for.
And we'll start, I already introduced myself, but I'll pass it over to Jared to introduce
himself and what his role was in this research.
Oh, hello, everyone.
Thanks for some.
Happy to be here.
I'm from OpenZeppelin.
My name is Jared, and I am a project manager
in charge of this particular task.
And today we also have Red Swan from OpenZeppelin,
one of our security researchers that contributed on this project.
Thanks for having us.
Yeah, absolutely.
Great to have you, Jared, and Red Swan.
So maybe a first question for you.
So security is, I would actually say,
even like the most important design principle in governance,
but I think it often goes overlooked in the discourse about governance in general. So why would you say it was important to focus specifically on researching the Security Council
at this stage of Arbitrum's evolution?
I can think of a few reasons. The first of which, decentralization and DAOs would be more of a security feature when
it has control over protocol level or ecosystem-wide contracts.
And with the evolution of decentralization in Arbitrum particularly. It should be conagulated. DAOs can grow and
change over time to become more than just a security mechanism. And sometimes you need
a security council to protect against potentially new and evolving attacks.
Awesome. That makes a lot of sense. Anything to add there, Red?
Oh, no. Jared, I think, said it perfectly. I'll chime in, definitely, if I have thoughts to share.
Awesome. Sounds great. Yeah, I'll just kind of float the questions to both of you, and whichever one of you wants to jump in is great.
So could you, as a kind of next step in this discussion, could you walk us through
your approach to evaluating the current structure of the Arbitrum Security Council and talk about
some of the key aspects of your research methodology, like which stakeholders you
consulted with and any particularly challenging aspects of the Security Council to analyze during your research process.
Of course. So we took more of a risk-based approach. And so we started with what's at stake.
Then we mapped potential attack surfaces across technical, social, and governance dimensions.
We studied the vulnerabilities and exploits of similar systems to understand proven attack
vectors, effective defense mechanisms, analyzing both simple and complex attack scenarios. We evaluated potential solutions, not only on their effectiveness,
but their enforceability and longevity. Some of these come at a cost, and so that was also
considered as a trade-off. And so we weighed those very heavily in our decision.
So the process led to these recommendations to strengthen security while still preserving
the path toward greater decentralization.
And we designed these so that they can be implemented at the DAO's discretion,
whether in part or as a package, and will remain relevant even as the ecosystem matures.
So as for sources, our research drew from a comprehensive review of existing documentation
on the Security Council and its processes, including the Arbitrum Constitution, the Security Council framework, and the decentralization roadmaps.
We analyzed the relevant forum discussion topics to identify any potential concerns that the community has already raised and potential suggestions to consider about security councils and governance in general.
And we also leveraged our experience with DAO governance and security councils in other
ecosystems.
We were asked to coordinate with Fred.
We were told he was conducting similar or parallel research on the election process
in an effort to avoid duplication of effort.
But we did not, we deliberately did not reach out to specific
stakeholders so that we could form independent recommendations to maintain, you know, objectivity
and avoid any potential bias.
As for the most challenging to analyze, I might be speculating a bit here, but I would expect it to be quantifying the trade-offs between security and decentralization, particularly with the veto-only model.
There are, you know, known and unknown unknowns to consider, as attacks
evolve and threats evolve over time. However, we were able to identify intermediate steps
that could be taken before the veto-only model is implemented that we thought justified deferring implementing a veto-only
model until a later point.
That was a great overview of kind of the process and the key pieces of it.
Thanks, Jared.
So, yeah, enough about the process.
I want to kind of dive into the findings.
Don't want to keep everyone waiting with bated breath on the Security Council recommendations.
So we'll jump right in.
There's a few different categories of findings that the OpenZeppelin team included in their
research report, including qualities and capabilities of Security Council members, structural recommendations
for potential changes to the Security Council implementation, and then considerations around
implementation of changes and the impact of those. So we're going to kind of talk through each of those categories of recommendations
with the team. So we'll start with the key findings around qualities and capabilities.
The first question there is, your research identifies three essential qualities for
Security Council members. Impartiality, trustworthiness, and competence.
Which of these qualities would you say is the most challenging to evaluate in candidates?
I would say this is probably easily trustworthiness. It's quite subjective
compared to the other recommendations or qualities that we find important.
This one is really in the eye of the beholder and the community members that nominate the candidates.
We talked a little bit about accountability and what would be at stake reputationally and found that whether you think you know this candidate or not
could be really important in the decision,
but ultimately you need to be able to trust them
to do the right thing,
even if they're potentially incentivized not to
or could be compromised.
So there's a lot of facets in determining that.
You know, technical competency could be part of it
when it comes to, you know,
securely managing keys and avoiding potential risky scenarios.
But I think from a DAO member's perspective,
plays with this choice.
That's probably the most difficult to evaluate, but one of the most important.
Well, I'm glad you brought up trustworthiness as sort of a key quality and a difficult one to assess. I certainly agree as someone who votes in the
Security Council election that that's one that's harder to get a handle on. One of the things you
mentioned is actually in your recommendations is limiting anonymous members to three on the council.
So maybe this is related in some way to trustworthiness, but what were the considerations behind this specific recommendation to limit the number of anonymous members on the council?
So we're aware of the current KYC process, and we've had experience with other DAOs, and we looked at recent potential attacks and we're seeing
trends now where privacy without it might increase the risk to some of the security
members and ultimately to the funds that they protect and the assets that they protect and
the communities they're protecting for. So we considered whether anonymous members could provide some security properties
that would kind of complement some subset of well-known members. And we found that pseudonymity actually probably offered the best balance of accountability with the privacy that can protect a reputation with this identity and are doing
the right thing might also be somebody else.
So we did consider anonymity in that as well and found that because of the reason you can't, and anonymity for just pseudonymous members doesn't mean that there aren't influences that control members that are well known, but we wanted to limit that to three.
And you'll see this three in other places as well, particularly with the Security Council members representing the same organizations. And the reason why is you want to still have a majority threshold available
in case that they are operating under the same influence. But we do think it offers some
unique security properties that the DAO might want to consider in our advice.
Thanks, Jared.
And then last question on qualities and capabilities of Security Council members.
Your report emphasizes technical competency for Council members.
What specific technical skills are most critical for effectively serving on the Security Council?
Yeah, this is a great question.
I think this is more objective to evaluate, but we did identify some potential issues
with that.
So we looked at what does the Security Council member
need to do to be most effective?
They need to be able to do their job quickly.
So they need to be proficient at what it is they're doing.
Most of the time, it requires either signing a transaction,
so being able to evaluate whether the transaction
is malicious or not, being able to decode that
with multiple tools so that they don't have to trust
a single interface to mitigate some attacks we've seen recently,
and be able to potentially propose solutions to fix the problem and contribute to finding a solution.
Although we don't believe that security is only the responsibility of the Security Council.
So I guess those are probably the top that come to mind.
I'm sure we've recommended a few more that are escaping at the moment.
All right.
Frist, can I jump in with one thing here?
Yeah, please do.
So this actually, so there was, when we got this question, there was this big kind of question about whether there should be an actual test to gauge the skills of potential candidates for the council.
And we went back and forth on this, like, for a long time about what we thought about actually, like, how do you measure the competency?
And if you look at the report, we landed on, like, tests.
We eschew tests.
We think that they should not be used to, like, measure.
But technical skills can definitely be signaled, right?
And so in the report,
we go through quite a bit about how if you put up a test,
what's going to happen is people are going to start using that
to just say, hey, I did the test.
I got one point better.
And so this, we'd like to think that competency,
technical competency is something that is very concrete,
very specific. And in the report, we put several skills that we think are really important
that everyone should demonstrate, but we strongly suggest that the community not use these as, like,
you know, if you can't do this then that disqualifies you, or, you know, I've done this specific
qualification from this specific school or company, that means I'm
better. And so again, this is going back to how trustworthiness is hard to measure, right?
Like vote should be difficult and measuring the competency of the group is the most important
aspect and not just an individual's individual technical skill.
Does that make sense?
Absolutely.
Jared, did you want to follow up on that?
Yeah, this kind of reminds me of the core values from the Constitution as well and openness
and considering how implementing specific testing requirements might introduce
biases that could exclude some people.
So that's why we make these recommendations more for the substantive signals that could
demonstrate to the community members making a decision that they have high confidence
that the security member can competently perform their role.
Great. Well, thanks for spending some time with me on qualities and capabilities of Security
Council members. Hopefully that gave the listeners a good kind of sense of what the
research recommendations were in that area.
What we're going to do now, actually, we're about to move to structural recommendations for the Security Council,
but we have a special guest who has arrived as a speaker,
someone who knows a lot about Security Councils in the Arbitrum DAO, Christoph from L2Beat.
Go ahead, Christoph.
Hey, hello.
So I wanted to refer to this last point
because in my opinion, it's super important
because it has strong implications
if somebody doesn't have technical capabilities
of analyzing the transaction by themselves.
We have those thresholds in Security Council.
And something that we are afraid of is that, for example,
we have the threshold of 9 out of 12,
so that anything that wants to be pushed through Security Council in Arbitrum needs to get 9 out of 12 signatures from Security Council.
And this threshold is set, you know, there is a reason why it's 9 out of 12.
Like, I encourage you to check Luca Donno's article on why we have this threshold for the Stages requirements
on L2Beat, because there is math behind it that justifies this particular threshold.
And if we, you know, if we, but this threshold assumes that each Security Council member is
equal, that each Security Council member can independently
and will independently assess each action that they need to take, that each Security
Council member will be able to independently by themselves assess the transaction and make
decision on their own. And there is this big if, if a Security Council member is not able to independently assess
the transaction, then this threshold is not being met.
If this Security Council member needs to rely on information from any other Security Council
member or from the foundation, then the security guarantees that we are assuming
that are in place for the Security Council are no longer met. And that's the issue that we kind of see
with security councils. Like, we need better ways of assuming that Security Council members can
actually do their job. It's kind of like if we had a legal security council, but with three people that are
not lawyers, that cannot assess what exactly are they reading, and they need to ask their
friends, lawyer friends, to figure out what exactly is happening. I'm not saying anything
against it, but simply I believe that from our perspective, our stance is that each Security Council member should have a minimum set of technical capabilities
that would allow them to analyze the transaction independently of all the other Security Council members
and by themselves.
If this is not met, then the security guarantees
that are assumed from the Security Council are simply not met. Like, this is an issue.
We totally agree. I think Red has a comment. Sure, yeah. Oh yeah, sorry, I didn't want to give the
impression that the bar isn't super high, right? In the report, we eschew a test. And in the report, we talk about how we believe that tests are biased.
And but there are substantive signals that we believe that people need to demonstrate the community to be considered capable.
Right. Like completely agree that there is a high bar and it needs to be met.
If I didn't make that clear.
And we did outline a few of those substantive signals
in the recommendation specifically
to demonstrate that they can actually perform a job.
Examples I'm reading the amount,
submitting a signed nested transaction
for a testnet multi-sig operation,
demonstrating how to verify transaction data on chain,
either through a video or some live performance,
evaluating a proposal
transaction payload and explaining which actions will be performed, tracing a constitutional
proposal execution call and describing the paths and state changes. We even considered potentially
creating transactions that should not be signed for consideration on testnet testing, but we did not think that we should set the minimum bar
because we do expect the DAO to kind of help evaluate what those are. I understand that
it is logical to provide a test, but we didn't identify the minimum subset
that would qualify a candidate beyond these things.
And we thought that that might bring the bar down.
And we know that it could still potentially be subjective.
And so we made these recommendations so that the DAO
could make the best choice of what is demonstrated.
So if I can recommend something, like I would like, I understand the challenge, but we need,
like we need a minimum subset of skills that need to be met by security council members,
because there is a risk that if somebody is not, you know, I understand that DAO, you know,
DAO people could not be competent enough to individually assess this.
I understand that a lot of people are not technical enough to simply be able to assess this.
That's why we need those minimum requirements so that we don't end up in a situation
that there is a person in the Security Council that does not meet those minimum requirements. I cannot imagine, and unfortunately, what we are seeing,
not necessarily in this Security Council, but in general,
in Security Councils, we see people that cannot really understand
the transaction that they are signing.
They cannot reconstruct the payload.
And if someone like that is in the Security Council, that basically they effectively lower the threshold.
Understood.
I still think that creating a test for those would be challenging,
but I understand the need for it.
All right.
Well, thanks for jumping in with that discussion point, Christoph.
Sounds like we have some ongoing discussion that we need to do about how to make sure
that we have some sort of concrete abilities test taking into account the challenges mentioned
by the OZ team.
And before we finish the call today, we'll talk some
about implementation next steps, so we can circle back to that point then as well. But for now,
we'll jump to the next section, which is about structural recommendations. So first question
there is, your research recommends allowing organizations as council members, but with specific one-of-n
multi-sig configurations. Can you talk about this recommendation and what advantages it
might provide or could provide over a situation where only individual members are allowed?
Sure, of course. I think the biggest benefit is potential response time. An organization
representing a council member could have multiple signers covering multiple shifts for the fastest
response. Obviously, each of them would be able to independently perform the role, but
they might also have additional expertise that when combined could
provide a better skill set to make decisions or come up with solutions.
There's also built-in succession handling.
So if that member is not available anymore or unavailable for a certain period of time,
the organization can manage that.
They would still need to comply
with the current verification process,
but the benefits of the enhanced response capabilities
outweigh the potential attack surface risk
of having multiple people represent the same signer,
even in a one-of-n multi-sig configuration.
Well said. Thanks, Jared. And then as another next question about kind of structural recommendations for the Security Council, the report recommends kind of maintaining the existing model where the Security Council has kind of broad emergency action powers over the contracts that the DAO controls, which include the kind of Arbitrum rollup smart contracts,
the governance contracts, and the Arbitrum treasury. And the report recommends kind of
maintaining the status quo versus, for example, switching to a veto-only model where the Security
Council doesn't have the power to do emergency upgrades, but they can veto anything that the DAO proposes.
So what considerations led to your conclusion or to recommend that the Security Council maintain its emergency action powers?
Sure. We definitely considered how the veto-only model offers benefits
when it comes to decentralization.
It reduces the attack surface of a compromised council or council members.
However, it does affect response time
with the processes that they would have in a veto-only capability.
And it also creates risk that,
or allows risk that there could be something
that happens very quickly
that can't be responded to in a certain amount of time
with only a veto model.
And with the stakes as high as they are,
even in the wellest of likelihoods and the potentially
unquantifiable unknown unknowns. We identified specific recommendations that could potentially
improve or be developed in parallel with the decentralization efforts prior to implementing the veto-only model.
So we recommend it to defer the decision and reevaluate at a later time.
Yeah, any thoughts on that, Red or Chris, since you're up here?
Now I get to ask you what you think.
Go for it, Chris.
Yeah, so I've got a question before that, because you mentioned that you were suggested to contact Fred,
but I didn't get fully, did you finally talk to Fred
and did you get his ideas in this report or not?
No, actually, we were asked to contact Fred to avoid duplicating effort.
We were told that he was working on the election process.
We did get a response from Fred, but it wasn't about the details of his research.
Because like, I've been talking a lot with Fred, and Fred is one of
the guys who actually designed
involved in designing the current
that veto only
is too weak.
possibility to
react in case of emergencies.
Like what if there is an
emergency on the network?
Like we need at least
some kind of a halt mechanism
or something like that.
But I'm yet to read all the
recommendations, so I will not comment on that right now.
Yeah, ultimately, we came to the same conclusion, there's too much at risk to restrict Security Council powers to veto
only. But we did consider it, it might make more sense in the
future, if there are other mechanisms in place that could
react more quickly.
All right, well, thanks for jumping in on that, everyone. The next question
I have about the structure of the Security Council is about terms. So the Security Council is elected
and in the current model, members serve for 12 months and half of the members rotate off every six months.
So there's an election every six months.
And your report recommended maintaining this implementation of terms.
So why did you recommend maintaining this approach to terms?
And how does it balance versus like, you know, you're kind of recommending continuity in this approach.
How did that compare in your analysis with perspectives or other alternatives to Security Council member terms?
Yeah, great question. So we considered both shorter and longer terms
than the current 12 months. And I think with the staggered election cycle, there's already two
elections per year, giving an opportunity to have a fresh perspective in the Security Council
and allow it to adapt over time with the expectations of the DAO.
There were some drawbacks with shorter terms as well as longer terms.
Shorter terms, although they might allow more frequent community input or representation,
they create higher operational costs to have these elections to select potentially new members and it could cause some knowledge loss or some relationship disruption that could be less effective for
the security council as a whole.
We also did consider that this is an election and that it is a paid position and so people may be focusing
on their re-election in the shorter term instead of focused on their role. So the longer terms
would potentially reduce the number,
the overhead of operations for the elections
and the election fatigue and all the considerations
of the voters and the people facilitating.
But it could also enable more long-term optimizations.
It might be less responsive to changing preferences
of the community.
And it's possible that council members,
in order to kind of maintain objectivity,
might not stay updated with certain changes in the ecosystem
and could create the situation of complacency.
But we thought that the current term length
was a great balance,
especially with the static election cycle
that offered the frequent enough input from the community
at the balance of the operational overhead
without compromising security if we were to change it.
Great. Thanks, Jared. And as a reminder, Red, Chris, feel free to raise your hand and jump in any time.
But thanks for covering that, Jared. I think with that, you know, we've been on for over 30 minutes, so I want to start kind of moving towards the wrap-up stage
and maybe give folks a chance to ask questions as well.
So in the next section, we're going to talk about implementation and impact.
So we've kind of talked about your recommendations around member qualifications,
and we also talked about your recommendations around the structure of the Security Council. So considering those recommendations, we
kind of want to talk through what you think implementation could look like and
how to prioritize that. So the first question is which of the recommendations
in your report would you recommend prioritizing for immediate or rapid implementation?
So it would be quite easy, hopefully, to ratify some definition of governance attack.
Well, maybe not easy, but definitely important because it could be quite subjective.
And it serves as or provides a foundation for the Security Council's mandate
how to protect from that specific type of attack.
Next I think probably implementing technical proficiency demonstrations or if the DAO chooses
to implement a standardized test, that would probably be the next concern, since there is a possibility that in future elections
less qualified members may be candidates for Security Council roles and it could compromise
the trust assumptions of the Security Council threshold.
And then probably maybe the organizational membership recommendation for using multi-sigs to represent organizations.
Great. Thanks, Jared.
And then I guess thinking maybe more about the other side of the coin.
So are there recommendations in your report where you foresee challenges kind of with implementation or where there's maybe tradeoffs or friction around actually putting the recommendations into practice in the Arbitrum Security Council?
Yeah, this is a bit outside the scope or beyond the research that we did, for the implementation specifics and challenges for Arbitrum to do it.
I would be just speculating and I guess speaking to the definition of governance attack, fortunately
I know that other contributors in ARBC have been working on research for that as well,
so that might be easy to consider soon. But still, it's quite nuanced,
because it does potentially require some judgment or interpretation by Security Council over
time. So making it clear enough so that everyone agrees on what the definition is, could be
a bit challenging.
Great. Well, thanks, Jared.
So I think with that, we'll kind of move to close.
So... Excuse me, Chris, can I jump in with a question?
Yeah, please do.
Jared, I wanted to ask you, because, sorry, coming back a bit to this voting cycle, because
I was leaning rather towards other conclusions.
Personally, my current stance is that having elections every six months is not a great idea.
I think we are constantly lowering the quality of the security council that we have in general.
I'm not speaking about this particular, but simply have it like, or at least the other way around.
I'm not seeing increased quality in security councils.
I see this simply as a nuisance.
But I'm wondering, as you
came to this conclusion that it's better to
this cycle that we have right now,
what are the risks that you are seeing
in other approaches?
And what should we be mindful
of when considering
other approaches to
security council elections and the cycles?
Great question. Let's see.
So I think we considered that, you know, security council members could be reelected.
So I think the potential concern for the quality going down over time could be somewhat mitigated by things outside of changing the term duration.
I think that a year commitment is quite a bit, but it's a reasonable amount of time that someone
can make a commitment to be responsive.
I think the biggest risks that you might see is that these type of emergencies, and
the best cases, don't happen very frequently.
And so election term doesn't necessarily equate
for making sure that members maintain engagement.
That would be something else to consider over time.
But if the role is not exercised frequently
during the term, then you could risk potentially having members that are not as responsive when the time comes.
But can it be addressed by like some, you know, fire drills to maintain responsiveness?
And, you know, like, so why not a year?
Like you mentioned that a year-long term could be good enough.
So why not a year-long term and half a year instead?
I'm sorry.
We recommend terms of 12 months, which you said half a year instead.
Oh yeah, sorry, but we have...
Yeah, frequency of the election.
So why 12 months? Why do you recommend 12 months in particular? And there is no catch, by the way,
like I'm just curious.
I'm thinking that
we as L2BEAT
we are also going through those cycles,
and it seems that
it's, you know, it's almost every now
and then there is some election in the Security Council. So I was thinking maybe if
we had it like only once a year or even less often, it could be better for the overall result, but I
assume that you think that it wouldn't be beneficial.
So I'm wondering why.
There's trade-offs on both sides.
In my previous response, I mentioned the potential for
people to be less responsive or less engaged
and the commitment duration.
It's a significant commitment duration. I understand the overhead operationally to have these elections, and I do think that the
staggered election offers, you know, a good balance between frequent input. But this was specifically about the terms.
If you were to remove the staggered election
to reduce the number of terms and you still
allowed for existing members to be reelected,
I think you could maintain the current term length and reduce overhead of operations at the cost of
potentially community input on membership, which is probably well outweighed by
the capabilities of the security members. But changing, I mean, keeping the term length,
we don't recommend shorter because potential election
distraction.
And as a person that has this role takes it very seriously,
they're practicing this.
And there could be some knowledge loss
or they've built some tools to help them do these
things quickly that won't be available for new members.
So definitely recommend at least a 12-month term.
But yeah, staggered elections could be worth the trade-off for the operational overhead.
But we don't have an official recommendation on it.
Okay, thank you. That's an excellent question.
Yeah, thanks.
Great question, Chris.
Appreciate the back and forth.
So thanks, everyone, so much for attending.
I'm going to wrap up with one more kind of question to bring this all together.
So, or maybe two.
So first one is, what concrete, we kind of touched on this,
but kind of want to put a bow on it and bring it together.
What would you say if you want the kind of members of the DAO and the audience here to have one or two takeaways
in terms of what should the DAO do, what should the Arbitrum DAO do next as a result of the
recommendations in your research report for the Security Council, what would those one or two
things be?
Yeah, this seems to be a similar question. I definitely think that the DAO should decide on what the definition of a governance attack is,
and make it clear to the Security Council members.
Next, I also think that technical proficiency demonstrations should be encouraged at the least,
maybe not even required, of potential candidates to demonstrate their competency in the role.
Great. And then as a closing question for community members, either people who are active in the Arbitrum DAO, looks like we have some folks here who are very kind of security and governance security
minded, but maybe not super active in Arbitrum yet.
For either of those groups who want to contribute to kind of Arbitrum governance security, what
is the most impactful way for them to engage with that?
And I kind of want to get your thoughts, Jared.
Also, feel free to jump in, Chris, and then I have some thoughts I can share on this as well.
We think that the most impactful way is to.
Bring security to the forefront.
If people identify potential attacks or vulnerabilities, they should disclose them.
They should talk about them on the forum.
Obviously, if it's confirmed,
not just potential and active or whatever,
but disclose it properly,
but bringing security to the forefront,
it shouldn't just be the responsibility
of the Security Council.
The security of Arbitrum would be
greatly improved if the DAO continued to its security from all its governments.
I'm going to piggyback on that and say I strongly believe this viewpoint too. I mean,
that's why we put in the report that Arbitrum has built a fantastic network. They've built
a fantastic DAO, and security
is not the responsibility, like Jared said, of the Security Council. They are merely the signers of
a transaction. You know, we've seen other DAOs that kind of just crumble apart because they don't
put security first and they don't see the path of, right? They're just seeing the here and now.
And yeah, making a strong culture of security and making this something that people are constantly
putting up on a pedestal, that's something we strive to, I think will serve the interests of the network, the community, the DAO in the long term.
I think that something that could be useful is that I've seen, for example, in Optimism,
is having some kind of a leader of the Security Council, like someone who is a spokesperson
to the Security Council and is a person of contact for the Security Council.
For example, I'm not sure if anybody on this call knows
if there is a security breach, some security risk,
how to contact Security Council.
Cliff, I think you might have muted everyone somehow.
Yeah, my bad.
Fat fingers.
Sorry, Chris, to cut you off.
Jump back in, Chris.
We heard what you're saying about having a designated point of contact.
Leader, yeah.
Yeah, so, yeah, like, I don't know if anyone on this call knows how to contact the Security Council
if they see something weird going on on chain, especially if they might be suspecting that this
weird activity is coming, for example, from the Arbitrum Foundation. You know, one of the reasons
why we have the Security Council is so that, you know, the Arbitrum Foundation, like the entity running the chain,
cannot screw us, basically. So right now I don't think that we have very good
procedures for that. And, you know, it doesn't need to mean that the Arbitrum Foundation is malicious.
You know, the Arbitrum Foundation can be somehow forced by the government authorities
to do something that might be weird.
I don't know if you remember Oasis situation,
where they were forced by court to upgrade the contracts
to simply lock some funds.
And this could happen.
So we should have ways of communicating with the Security Council independently.
And another thing, again, going to that,
I think that while Security Council members should be technical,
they should be capable of assessing the transactions, like the
things that they execute on-chain
by themselves, there is a
need, I do acknowledge that there is a
need for a legal understanding
of consequences
of certain actions.
And I believe that
we also should have a way, like some
Security Council members to be able to consult a legal advisor for the actions that they are supposed to take.
Hopefully we'll never have to do it, but I would like for the Security Council member not to be concerned about what are the legal recourses of his actions or her actions when they need to do something under the pressure of time.
So these are two things that I think should be somehow addressed. Yeah, and that's it.
Great, thanks Chris. I actually, I think this point about having a designated kind of point person for the Security Council for stakeholders or the public to engage with is a really good one.
Where I would like the current sort of resource hub for the Security Council, which is a section
of the Arbitrum DAO Governance Forum that's specifically dedicated to the Security Council.
So in that, on that link, you can keep up with Security Council elections, you can read about
any transactions the Security Council makes, you can create posts to ask questions or apply to existing
posts. So that's kind of where I'd point people as like the one sort of public place to go for
the Security Council. But I think, you know, from my perspective, your point is well taken, Chris,
about creating a more streamlined, you know, vehicle for feedback and communications.
All right. So I'll pause there. You know,
is there anything else you'd like to share the folks who are up here or anyone else who has
kind of really burning questions they want to ask before we drop? We probably have time for
one more comment or question.
All right.
Well, I think with that, we can wrap.
I really appreciate everyone joining.
We do these Twitter spaces regularly
as part of the Arbitrum ARDC.
Anytime there's a new resource report
that's published by a member of the ARDC,
we'll do kind of an internal Arbitrum DAO call about it and then do one of these Twitter
spaces for the public to be able to join. So there's a couple of interesting reports
coming up, including one about incentives, which I think a lot of people are probably
interested in, and also vote buying kind of platforms and how they pertain to
risk in the Arbitrum DAO. So you can look forward to those Twitter spaces
coming up in the future. Thanks everyone so much for joining.
Thanks for having us.
Thank you everyone. Cheers.