Community Pool Proposal: Help fund audits of IBC middleware

IBC has proven to be incredibly valuable to the entire cosmos. I believe this value is greatly enhanced by its track record for exploits. Audits can help IBC remain relatively unexploited, by allocating the time and expertise of trained individuals to find vulnerabilities before they become an issue.

The PFM has a pro-bono audit scheduled, and I’m unaware of a scheduled audit for RIM. Given the importance and universal adoption of these modules, and the expense of audits, I think it makes sense that the community pools across many cosmos chains come together and contribute funds towards auditing these modules.

I’d like to start the conversation here over which teams have bandwidth for auditing, and getting estimates or expectations around cost. Given Zellic has already committed to auditing the PFM, these community funds could be retroactively paying them for their services.

Fortunately, audits have well defined scopes and measurable outcomes. As far as scope:

Relevant discussions:

5 Likes

Totally agree, love this initiative @evan!

I think it makes sense that the community pools across many cosmos chains come together and contribute funds towards auditing these modules.

This would be ideal, and I hope it’s feasible to defeat the free rider problem with enough community coordination and goodwill. Most chains that rely on IBC as their main interoperability solution understand how critical infra is and the current audit coverage gaps.

Regarding launching a public audit RFP process to be funded by the community pool, I believe some prior examples can inform us what has worked in the past.

In the Cosmos ecosystem, the Neutron pilot audit sponsorship can be a good recent example that has worked effectively.

More broadly, the Compound DAO did an innovative public process back in the day to retain a security firm to audit the Compound DAO and codebase continually.

The Neutron example is closer to the RIM audit, as it’s a single package scope and a more lightweight process overall, which I believe better suits a younger community like Celestia and a potentially multi-community pool effort.

1 Like

as an update, we have a response from Zelic over the cost of the audit for RIM!

Celestia_RIM_Zellic_Proposal_20240416.docx - Google Docs

per the proposal

$27,500 in USD or USDC stablecoin to provide a total of 1.1 engineer-weeks of availability. This payment is inclusive of all services defined in the proposal.

My understanding is that the audit for the PFM is roughly equivalent in the number of hours required, and therefore we can double this payment to retroactively pay for that audit.

I think the next steps are to coordinate with other chains. I have started this process with individuals who have already expressed interest. I can also prepare a governance proposal for Celestia.

Lastly, Zellic has indicated that accepting TIA directly is fine, so we should just be able to include an address verified from their socials in the gov proposals.

1 Like

Great to see this initiative, I just wanted to follow up if the audits have been confirmed - is there a date for the RIM audit to begin?

The audits have not yet been scheduled, and their confirmation is presumably blocked on the results of the proposal. The proposal will likely be up by the end of the week. Zellic will be providing an address publicly on their github / socials, and then we will proceed.

Who would be best to include in a channel with the auditors to schedule any calls and answer any questions about the codebase?

1 Like

perfect, I will follow up with you on slack for coordination on codebase questions

1 Like