[PROPOSAL #687][Passed]Replicated Security 3rd Party Audit

I think that this thread is going to form a very valuable resource for information about audit organizations who are capable of auditing Cosmos code.

I would like to formally and bluntly request that we rule out any auditor who has not previously worked on Cosmos code because I do not believe that they would be able to make an effective audit on a reasonable timescale.


Is a contest between auditors feasible ?

I’ve seen Axelar ($50k - april2022), and Gravity ($100k - august2021) doing this that way.

I honestly don’t know if it’s efficient, but i think it’s worth exploring this path. Isn’t it ?

I don’t really think so and I think that we’re already talking about a higher ticket price

Yeah yeah, it has to be way higher for what we’re talking about here.
Was just curious about the concept.

Fair points raised here. I’m in agreement with what you’ve said and we should focus on those who have some familiarity with the Cosmos stack.

I think having a twitter space to iron out some of these details would be beneficial given the timeline we need.

Finally a potential CF allocation that makes a lot of sense.

As long as there are no conflict of interest, the auditor is chosen publicly and propositions of all potentials auditors are publicly shared can be seen by anyone.

The only issue I have is the timing with ICS release, we’d need to make sure it won’t block any process/ put any disorder in all current work done.

1 Like

We are trying to put it forward in a way that won’t inhibit any progress or timelines for ICS. There already was an audit conducted on ICS by a separate team at Informal so this 3rd party audit would just be supplementary. Always better to have a second look-through and opinion on the code especially of this scale.

1 Like

I think we may have missed something so far: if there is to be a 3rd party audit of ICS, it will require some degree of participation from Informal to submit the material, provide additional context to the auditor and possibly implement bug fixes.

@jtremback would your team be ready to collaborate with a 3rd party auditor if an agreement can be reached for the Cosmos community pool to sponsor the audit?


Yea, we can collaborate on the audit of course. The report from the Informal audit team should be done very soon and the 3rd party auditor can use that as a basis to determine what to look into further.


Thanks Jehan, that’s great to read! @Damien should we pick this up and move forward with the last preparations and proposal?

1 Like

Yeah - preparations are underway. Expect an update very soon for the proposal

1 Like

Great news! Thanks for leading this initiative.

I support this proposal because third-party auditors offer a broad perspective and knowledge of best practices for conducting audits. They maintain ongoing, up-to-date awareness of current and pending regulatory requirements that the project should consider.
But the crucial point here is that we have to be very serious about the choice of auditors and here I agree with Jacob’s thoughts.
So the variants are:

Long due update here. We’ve been working really hard to make sure everything is good to go from our end.

In the time since we last posted and after taking in some of the discussions from those who contributed, we have opted to go for Oak Security to conduct the audits for the Interchain Security (ICS) code.

We believe given their experience that they are currently the best suited. You might ask why haven’t we gone with an open-tender proposal instead of us choosing a validator?

Well, the answer is simple really. That process is too time consuming and currently the pool of possible auditors in the space is rather limited so this was the best approach. Given some more time when auditors will join the space, we would have surely gone with that approach.

This proposal aims to use community pool funds to commission a third-party audit for the Interchain Security code. This audit is to be conducted by Oak Security, one of the most-reputable auditors in the space.

The quote provided ranges between $85K - $120K and has a timeline of around 2.5 - 3.5 Weeks for the audit. They will require 50% upfront to start the audit. Therefore, it is in the community’s best interest to get the on-chain proposal process going.

Since this is a community pool spend proposal, we want to ensure the community that the funds will arrive at the designated recipient by creating a multi-sig.

The multi-sig should comprise of:

  • Damien (Simply Staking)
  • Jehan (Informal Systems)
  • Zaki (Core Cosmos Contributor)
  • Jacob (Notional)

Breakdown of Fees:

With this proposal, We (Simply Staking) will be the main point of contact with Oak which means that we will handle all things related to answering their questions and queries. For this work, we seek a compensation fee of around 15% of the final quote. The fee will be calculated after the full invoice from Oak and any unused funds will be returned to the pool.

From that 15% a fee would be distributed to the multi-sig members as a form of compensation for undertaking this task with the utmost due diligence and care.

All payments are to be sent out to the recipients once the whole process is complete.


Due to the time between tranches of payments to Oak and price fluctuations of the ATOM tokens, we are including a buffer of 25% on top of the higher-end quote price. This would reduce the risk of not having $ value equivalent in ATOM tokens to cover the cost of the audit.

$160,000 - Oaks higher quote + 25% price fluctuation buffer

$18,000 - 15% cut to be taken by Simply Staking and other multi-sig members.

Total ask: $178,000 (assuming higher-end quote and fee).

All leftover funds will be sent back to the community pool.

NOTE: ATOM figures will be calculated when the proposal goes live due to price fluctuations and may include buffer to account for these changes over the duration of the proposal and audit.

Looking forward to hearing your thoughts! We aim to post this sometime early next week.

The forum post above has been updated and edited to reflect these updates.


just to confirm - this audit will not delay proposing v9 upgrade this or next week/delay ICS launching?


Thanks for raising this point!

No this does not affect any timeline for ICS release and the v9 upgrade.


What is the expected amount of time required to earn that $18k with the 4 people listed?

I am always surprised by the amounts paid to people (and we always see the same people in the groups… which is kinda curious if you ask me). I do agree that we need to pay people properly. But now we have a proposal on chain to fund Notional for 3 years with a huge sum of money and I see Jacob in here being compensated as well. While the prop on chain secures the availability of notional for their hours spend on the Hub? So why pay twice?

1 Like

@LeonoorsCryptoman Thanks for the contribution.

So the majority of the fee is going to be directed to us (Simply Staking) as we have spent many hours doing the necessary research, contacting the relevant parties for quotes and multi-sigs etc and we will also be the main point of contact for Oak during this process. We will also be in charge of releasing the report in an efficient and transparent manner.

With respect to your other point, we chose people who we trust and have a good rapport with in order to streamline the process we would need to collaborate with.

I hope this answers your concerns.


Thank you for taking the time to moving this situation further.

Can we get the official invoice as written by OAK security that shows the higher and upper bound?
Is there a reason there is a range and not a set fee?
Can we get information regarding the distribution of funds amongst the multisig members. I applaud you for being honest and taking something for yourself but am not clear in why the multisig members deserve a fee at this stage.
What is the guarantee that OAK wont just ask for the high amount because they know the community pool spend went through anyway? if this is the case the community pool wont get the return of the funds.
I assume payment is due in USDC, including a buffer will help realise that the payment can be executed.

Would be great if you could answer the above questions, with those answers provided you have our full support!


@Ertemann thanks for the contribution! Allow me to answer some of your questions and concerns:

I have asked for an official invoice recently, in the meantime I can supply you with what they told me in my exchanges with them:

"Happy to provide a quote for an audit of ICS.

As a rough first estimate, based on the current main branch of the GitHub - cosmos/interchain-security: Replicated security (aka interchain security V1) is an open sourced IBC application which allows cosmos blockchains to lease their proof-of-stake security to one another. repository and possible integrations into other repositories, we would require 2.5-3.5 weeks for this audit, with a fee between $85k and $120k."

This is a fair question to be making. The multisig members are being paid due to requiring them to confirm that the audit was completed as described, prior to distributing of funds. And due to them having incredible expertise and a busy schedule, a fee for their time was quite justified to us.

Another fair question however those were the quotes provided. Unfortunately they can charge what they wish for in that range. The other option would be to not have the audit proceed which isn’t ideal so anything in that price range should be reasonable and accepted by the community.

This is correct at the time of writing. 50% is to be given to them at the start as a reservation and the other 50% after the audit is checked and completed so we needed to account for a price buffer due to the time in between those two payments.

Hope this helps answers some of your concerns!