Update 15/03 - Put Proposal On-Chain and changed the post below to be more in-line with what went live on the proposal.
TL;DR - Commissioning Oak Security to conduct a third-party audit of the Interchain Security (ICS) code with a similar scope as to the audit conducted by the Informal team.
This proposal aims to use community pool funds to commission a third-party audit for the Interchain Security code. This audit is to be conducted by Oak Security, one of the most-reputable auditors in the space.
The quote provided is $102K and has a timeline of around 2.5 - 3.5 Weeks for the audit. They will require 50% upfront to start the audit. Therefore, it is in the community’s best interest to get the on-chain proposal process going.
Since this is a community pool spend proposal, we want to ensure the community that the funds will arrive at the designated recipient by creating a multi-sig.
The multi-sig should comprise of:
- Jehan (Informal Systems)
- Zaki (Core Cosmos Contributor)
- Jacob (Notional)
- Kai (Neutron)
Breakdown of Fees:
With this proposal, We (Simply Staking) will be the main point of contact with Oak which means that we will handle all things related to answering their questions and queries. For this work, we seek a compensation fee of around 15% of the final quote. The fee will be calculated after the full invoice from Oak and any unused funds will be returned to the pool.
From that 15% a fee would be distributed to the multi-sig members as a form of compensation for undertaking this task with the utmost due diligence and care.
All payments are to be sent out to the recipients once the whole process is complete.
OAK Quote: $102,000 + 15% price buffer to account for volatility of the ATOM token during voting period : $117,300
Simply Staking + Multi-Sig Fees: $15,300
Total ask 11,050 ATOM @ $12 per ATOM ~ $132,600
All leftover funds will be sent back to the community pool.
TL;DR - With the proposal for Replicated Security (Interchain Security V1) due to go on-chain by the end of month, we believe there is a need for a Third-party audit of the code to supplement the in-house audit from Informal Systems to ensure that the code is sufficiently tested and supported by both internal and external audits.
Interchain Security being implemented on the Hub is right around the corner, with a Proposal projected to be submitted on-chain sometime in January.
Interchain Security, which has been developed by Informal Systems, is an important milestone for the Hub, introducing replicated security which allows multiple chains to inherit the same security of the Cosmos Hub validator set via IBC.
Since the announcement of its release, there have been rigorous tests on testnets (both private and public) to make sure there are no bugs or security issues that can lead to systemic risk.
There was also an audit conducted to ensure this code is fit for launch. The audit was conducted by a separate team within Informal Systems. While we have the utmost trust in Informal Systems and the work they have performed, we believe having an additional audit by a third-party auditor would provide further reassurances and gets us closer to the best practices within the traditional technology industry.
We (Simply Staking) are proposing the use of community pool funds to commission this third-party audit. This would ensure that Interchain Security (ICS) will have the backing of an internal and an external audit to give peace of mind to the consumer chains, ATOM holders, and the wider ecosystem.
Some things that need to be finalised during discussions before this proposal is put up on-chain include:
The form of the proposal. This includes how an auditor is to be chosen which could be done through mutual agreement in discussions, list and poll method or even through an ecosystem wide tender for work.
Whether ICS code should be enabled before the audit is completed or not
The funding mechanisms for the audit. How much the auditor should be paid and how the funds are managed and distributed should be clearly defined beforehand.
Criteria for the audit. The auditor should be given an idea of what they would need to audit. This can be done by a person/entity with the option of getting paid for it.
Formation of an Audit Committee.
Please note that this is an early draft with no budget given and no auditor named. This has been done on purpose so that we can have an engaging discussion as to whether this is something the community wants before diving into the specifics of the matter.
We would love to hear your thoughts and opinions on the matter expressed above.