IBC has proven to be incredibly valuable to the entire Cosmos. I believe this value is greatly enhanced by its track record for exploits. Audits can help IBC remain relatively unexploited, by allocating the time and expertise of trained individuals to find vulnerabilities before they become an issue.
The PFM has a pro bono audit scheduled, and I’m unaware of a scheduled audit for RIM. Given the importance and universal adoption of these modules, and the expense of audits, I think it makes sense that the community pools across many Cosmos chains come together and contribute funds towards auditing these modules.
I’d like to start the conversation here over which teams have bandwidth for auditing, and getting estimates or expectations around cost. Given Zellic has already committed to auditing the PFM, these community funds could be retroactively paying them for their services.
Fortunately, audits have well-defined scopes and measurable outcomes. As far as scope:
I think it makes sense that the community pools across many Cosmos chains come together and contribute funds towards auditing these modules.
This would be ideal, and I hope it’s feasible to defeat the free rider problem with enough community coordination and goodwill. Most chains that rely on IBC as their main interoperability solution understand how critical infra is and the current audit coverage gaps.
Regarding launching a public audit RFP process to be funded by the community pool, I believe some prior examples can inform us what has worked in the past.
The Neutron example is closer to the RIM audit, as it’s a single-package scope and a more lightweight process overall, which I believe better suits a younger community like Celestia and a potentially multi-community pool effort.
$27,500 in USD or USDC stablecoin to provide a total of 1.1 engineer-weeks of availability. This payment is inclusive of all services defined in the proposal.
My understanding is that the audit for the PFM is roughly equivalent in the number of hours required, and therefore we can double this payment to retroactively pay for that audit.
I think the next steps are to coordinate with other chains. I have started this process with individuals who have already expressed interest. I can also prepare a governance proposal for Celestia.
Lastly, Zellic has indicated that accepting TIA directly is fine, so we should just be able to include an address verified from their socials in the gov proposals.