Arbitrum Governance · Technical Walkthrough
PR #375

Arbitrum Security Council Architecture.

How the abstract governance handbrake maps onto real contracts, bridges, roles, and emergency execution paths.
01 / 10
Based on annotations by Anay Patel, Atharva Kalyanpur, and Vinayak Chidrawar
02 · Architecture Map · Two Paths

The same protocol has a slow lane and a break-glass lane.

Standard DAO Route

Tokenholders decide. The system waits. Execution happens only after the timelock window.

01 · L2ArbitrumGovernor · vote
02 · ArbitrumTimelock · delay
03 · L1ArbitrumTimelock · bridge
04 · UpgradeExecutor · execute

Security Council Route

Nine signers coordinate offchain, sign through the Safe, and call the UpgradeExecutor directly.

01 · Detect emergency · minutes
02 · 9 of 12 Safe signatures · threshold
03 · UpgradeExecutor.execute · no delay
04 · Pause, patch, or custom action · one tx
03 · Standard Route · Origin · L2ArbitrumGovernor

The L2 governor turns ARB voting power into a queued action.

Pipeline

Proposal creation, vote counting, delegated ARB balance lookup, quorum, and timelock control all compose in one governor.

Risk Controls

GovernorPreventLateQuorumUpgradeable extends the voting period when quorum is only reached late in the window, so a proposal cannot be pushed over quorum at the last moment. EXCLUDE_ADDRESS keeps locked treasury/Foundation tokens out of the quorum math.

Selected references
contract L2ArbitrumGovernor is
  GovernorSettingsUpgradeable,
  GovernorVotesUpgradeable,
  GovernorTimelockControlUpgradeable,
  GovernorVotesQuorumFractionUpgradeable,
  GovernorPreventLateQuorumUpgradeable

// quorum denominator excludes non-voting pools
getPastCirculatingSupply(blockNumber)
This is legitimacy-first governance: open voting, explicit quorum, and a delay before power is exercised.
04 · Standard Route · Delay · ArbitrumTimelock

The timelock is both a user-protection mechanism and an emergency bottleneck.

The wait
// every normal proposal waits at least this long
uint256 private _arbMinDelay;

function getMinDelay()
  public view override
  returns (uint256 duration)
{
  return _arbMinDelay;
}

Why it exists

Users get time to inspect scheduled changes and exit if they disagree with the governance outcome.

Why it hurts

During a live exploit, the same delay can leave the protocol watching damage happen while the official fix waits.

Guardrail

updateDelay() is restricted so a malicious proposal cannot simply compress the delay to zero.
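
The delay lane and its guardrail, as an added Python model written for this walkthrough (not code from the Arbitrum contracts). It assumes integer timestamps, string operation ids, and that updateDelay() is callable only by an operation the timelock is itself executing, so a change to the delay must first sit out the delay; the default delay value is constructed, not the production setting.

```python
class TimelockModel:
    """Toy model of the delay lane: schedule, wait, execute, restricted updateDelay."""
    def __init__(self, min_delay):
        self.min_delay = min_delay
        self.pending = {}        # op_id -> (eta, action)
        self.executing = None    # op_id while the timelock itself is running an action

    def schedule(self, op_id, action, delay, now):
        # A proposal may ask for a longer wait than the minimum, never a shorter one.
        if delay < self.min_delay:
            raise ValueError("delay below minimum")
        if op_id in self.pending:
            raise ValueError("operation already scheduled")
        self.pending[op_id] = (now + delay, action)
        return now + delay

    def execute(self, op_id, now):
        eta, action = self.pending[op_id]
        if now < eta:
            raise PermissionError("operation not yet ready")
        del self.pending[op_id]
        self.executing = op_id
        try:
            return action(self)   # the action runs with the timelock as its caller
        finally:
            self.executing = None

    def update_delay(self, new_delay):
        # Guardrail (assumed model of updateDelay): only an action the timelock is
        # executing, i.e. one that already sat out the full delay, may change the delay.
        if self.executing is None:
            raise PermissionError("updateDelay: caller is not the timelock")
        self.min_delay = new_delay

def demo(min_delay=3 * 24 * 3600):   # constructed delay, not the production value
    """Exercise the invariants and report which guardrails fired."""
    tl, out = TimelockModel(min_delay), {}
    try:                               # a direct call cannot compress the delay
        tl.update_delay(0)
    except PermissionError:
        out["direct_update_blocked"] = True
    eta = tl.schedule("shorten", lambda t: t.update_delay(3600), min_delay, now=0)
    try:                               # the scheduled version still waits in full
        tl.execute("shorten", now=eta - 1)
    except PermissionError:
        out["early_execute_blocked"] = True
    tl.execute("shorten", now=eta)     # only now does the change land
    out["min_delay_after"] = tl.min_delay
    return out
```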

05 · Cross-Chain Execution · L1ArbitrumTimelock

Arbitrum governance starts on L2, but critical infrastructure lives on L1.

Origin · L2 Timelock
The counterpart that governance trusts.

Bridge Check · onlyCounterpartTimelock
Verifies the L1 caller and L2 sender.

Route · L1ArbitrumTimelock
Executes locally or creates a retryable ticket.

Target · UpgradeExecutor
Runs the action with admin authority.

The bridge does not just carry messages. It defines which governance system is allowed to touch L1 protocol controls.
06 · Payload Construction · UpgradeExecRouteBuilder

The route builder packages a governance decision for the chain where it must execute.

L1 Target

If the executor is on L1, the call can target the L1 UpgradeExecutor directly.

L2 Target

If the executor is on another L2, the call is wrapped as a retryable ticket using the magic address.

Important Boundary

The Security Council emergency route does not use this builder. It signs through the Safe and calls the UpgradeExecutor directly.

Routing signal
address constant RETRYABLE_TICKET_MAGIC =
  0xa723C008e76E379c55599D2E4d93879BeaFDa79C;

// if target == magic address:
// package calldata as bridge retryable ticket

// if inbox == address(0):
// execute on L1 directly
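
Slides 05 and 06 together, as an added Python model written for this walkthrough (not the UpgradeExecRouteBuilder or L1ArbitrumTimelock source): the builder keys each action on whether an inbox is set, and the L1 timelock refuses anything that did not arrive through the bridge from the L2 timelock before dispatching by target. The bridge object, the "l2_to_l1_sender" attribute, and the action dictionaries are simplifying assumptions; only the magic address is taken from the slide.

```python
RETRYABLE_TICKET_MAGIC = "0xa723C008e76E379c55599D2E4d93879BeaFDa79C"  # from the slide above
ADDRESS_ZERO = "0x" + "00" * 20

def build_route(actions, l1_executor):
    """Route-builder half: one (target, payload) per action, keyed on whether an inbox is set."""
    targets, payloads = [], []
    for a in actions:
        if a["inbox"] == ADDRESS_ZERO:              # executor lives on L1: call it directly
            targets.append(l1_executor)
            payloads.append({"data": a["data"]})
        else:                                        # executor on another chain: signal a ticket
            targets.append(RETRYABLE_TICKET_MAGIC)
            payloads.append({"inbox": a["inbox"], "l2_executor": a["executor"], "data": a["data"]})
    return targets, payloads

class BridgeModel:
    """Assumed stand-in for the L1 bridge/outbox: it knows which L2 contract authored the message."""
    def __init__(self, l2_to_l1_sender):
        self.l2_to_l1_sender = l2_to_l1_sender

class L1TimelockModel:
    def __init__(self, bridge, l2_timelock):
        self.bridge, self.l2_timelock, self.queued, self.log = bridge, l2_timelock, [], []

    def schedule(self, caller, targets, payloads):
        # onlyCounterpartTimelock: the message must arrive through the bridge *and* have been
        # sent by the L2 timelock; any other caller or L2 sender is refused.
        if caller is not self.bridge or self.bridge.l2_to_l1_sender != self.l2_timelock:
            raise PermissionError("caller is not the counterpart timelock")
        self.queued.append(list(zip(targets, payloads)))

    def execute(self):
        """Drain the queue: direct L1 call, or retryable-ticket creation for magic targets."""
        for target, payload in self.queued.pop(0):
            if target == RETRYABLE_TICKET_MAGIC:
                if payload["inbox"] == ADDRESS_ZERO:
                    raise ValueError("retryable ticket without an inbox")
                self.log.append(("retryable", payload["inbox"], payload["l2_executor"], payload["data"]))
            else:
                self.log.append(("call", target, payload["data"]))
        return self.log
```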
07 · Emergency Route · Actions · Pause · Patch · Custom

The council's power is implemented as small action contracts.

I · PauseInboxAction
Circuit breaker.

perform() calls inbox().pause(). It freezes new L1-to-L2 submissions without moving funds.

II · ProxyUpgradeAction
Hot patch.

ProxyAdmin.upgrade() points a proxy at new logic while preserving state.

III · UpgradeExecutor
Arbitrary action.

A signed payload can bundle multiple operations into one atomic intervention when a pause is not enough.

08 · Emergency Route · Authority · IGnosisSafe

The practical control surface is a 9-of-12 Gnosis Safe.

9 / 12
Distinct signer threshold
Safe interface surface
getOwners()      // all 12 members
getThreshold()  // 9 in production
isModuleEnabled(module)

addOwnerWithThreshold(owner, threshold)
removeOwner(prevOwner, owner, threshold)

execTransactionFromModule(to, value, data, op)
The Safe threshold prevents a single signer from acting, but it also creates a visible, high-value set of human keyholders.
09 · Membership System · Elections · Cohorts · Sync

Emergency power rotates through a slower governance process.

01 · Nominee election
Anyone can start the election window and contenders register with EIP-712 signatures.

02 · Foundation vetting
nomineeVetter can exclude or include nominees for compliance and safety.

03 · Cohort replacement
SecurityCouncilManager replaces six members at a time.

04 · Timelocked sync
Membership updates travel through the standard route, not the emergency bypass.

05 · Safe update
SecurityCouncilMemberSyncAction reconciles owners and preserves the threshold.

Emergency execution is fast. Changing who holds emergency authority is intentionally slow.
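
Slides 08 and 09 together, as an added Python model written for this walkthrough (not the Safe or SecurityCouncilMemberSyncAction source): a 9-of-12 threshold check that demands distinct current owners, and a member sync that swaps a six-member cohort while keeping the threshold. The add-before-remove ordering is the point to notice: a Safe rejects a threshold above its owner count, so removing the outgoing six first would fail. Member names and the action callable are constructed.

```python
class SafeModel:
    """Toy n-of-m Safe: owner list, threshold, signature check, owner management."""
    def __init__(self, owners, threshold):
        self.owners = list(dict.fromkeys(owners))   # ordered, no duplicates
        self.threshold = self._checked(threshold)

    def _checked(self, threshold):
        if not 0 < threshold <= len(self.owners):
            raise ValueError("threshold must be between 1 and ownerCount")
        return threshold

    def exec_transaction(self, signers, action):
        # Signatures must come from distinct current owners and reach the threshold.
        if len(set(signers)) != len(signers):
            raise PermissionError("duplicate signer")
        if not set(signers) <= set(self.owners):
            raise PermissionError("signer is not an owner")
        if len(signers) < self.threshold:
            raise PermissionError(f"{len(signers)} signatures, need {self.threshold}")
        return action()

    def add_owner_with_threshold(self, owner, threshold):
        if owner in self.owners:
            raise ValueError("already an owner")
        self.owners.append(owner)
        self.threshold = self._checked(threshold)

    def remove_owner(self, owner, threshold):
        self.owners.remove(owner)
        self.threshold = self._checked(threshold)

def sync_members(safe, new_members):
    """Member-sync step: reconcile owners to new_members, keeping the threshold. Adds come
    before removes so the owner count never drops below the threshold (6 of 12 left < 9)."""
    threshold = safe.threshold
    for m in new_members:
        if m not in safe.owners:
            safe.add_owner_with_threshold(m, threshold)
    for o in list(safe.owners):
        if o not in new_members:
            safe.remove_owner(o, threshold)
    return safe.owners, safe.threshold

def replace_cohort(safe, members, outgoing, incoming):
    """Cohort replacement: swap exactly six sitting members, then sync the Safe."""
    if len(outgoing) != 6 or len(incoming) != 6 or not set(outgoing) <= set(members):
        raise ValueError("a cohort is six current members")
    if set(incoming) & (set(members) - set(outgoing)):
        raise ValueError("incoming member already serves")
    return sync_members(safe, [m for m in members if m not in outgoing] + list(incoming))
```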
10 · Closing · What The Code Makes Visible

The architecture is a bet on which failure mode Arbitrum would rather survive.

Speed

Minutes instead of days.

The council path can pause, patch, or dispatch custom execution while normal DAO governance would still be waiting.

Legitimacy

The slow lane still matters.

Elections, member sync, quorum math, and timelocks keep emergency authority connected to DAO process.

Risk

Trust moves; it does not disappear.

Human keys, Foundation vetting, legal pressure, and role compromise become part of the protocol's attack surface.

Security Councils are not a departure from governance. They are governance encoded as a controlled exception path.