[PROPOSAL #943][PASSED] Funding ICS with Inactive Validators 3rd Party Audit

EDIT 24/7: Added Multisig address.

Authors: Simply Staking

TL;DR - Simply Staking will commission Zellic to conduct a third-party audit of the ICS with Inactive Validators feature. This will follow a similar format and process as our third-party audit conducted last year on Replicated Security (Prop 687) and this year on Hydro (Prop 927).

Background

This proposal aims to use community pool funds to commission a third-party audit for the ICS with Inactive Validators codebase.

Starting with the introduction of ICS 2.0 (aka Partial Set Security) in the v17 upgrade, only validators from the Cosmos Hub’s active validator set can opt-in to validate on consumer chains. This signalling proposal enables validators outside of the Cosmos Hub’s active validator set to validate on consumer chains.

For more information, we advise you to review the forum post.

As we saw in one of our proposals regarding an audit of key Cosmos infrastructure (ICS) in Proposal #687, it is always key to get a second set (or more) of auditors who had no involvement in the designing and building of the code to audit the codebase. This allows any vulnerabilities to be disclosed by an unbiased party.

Details of Funding Request

This audit is to be conducted by Zellic, one of the most reputable auditors in the space. With the scope of the audit already known to the auditor, Zellic has presented a quote and timeline for the audit. Zellic is seeking $45,000 for the audit of the ICS with Inactive Validators codebase, with an estimated timeline of 2 weeks to complete.

We believe that the terms and quotes presented by Zellic are fair and ideal. It is a relatively small request for an audit of this importance.

Management

Since this is a community pool spending proposal, we want to ensure the community that the funds will arrive at the designated recipient by creating a multi-sig.

The multisig should be comprised of various reputable parties:

  • Damien, Simply Staking
  • Jehan, Informal, Inc
  • Brian, Informal, Inc

The multisig address is: cosmos1eq62mta47ltpmncknzf70v3z70vn834fxxq5ra

Breakdown of Fees

We (Simply Staking) will be the main point of contact with Zellic, meaning we will handle all things related to answering their questions and queries. We will also act as the main coordinator for building and maintaining the multisig to ensure a smooth transfer of funds from the multisig address to the designated recipient (Zellic). For the work with Zellic and the multi-sig coordination, we seek a compensation fee of around 10% of the total ask.

Funding

Zellic Quote: $45,000 + 20% price buffer to account for the volatility of the ATOM token during the voting period: $54,000

Simply Staking Fees: $4,500

  • Community consensus via forum and on-chain proposals
  • Sourcing vendor quotes
  • Coordinating vendor payments and milestones
  • Multi-sig coordination

Total ask: $59,500 ~ 9760 ATOM at $6.10/ATOM (prices as at 23/7)

All leftover funds will be sent back to the community pool.

Due to the importance of this proposal, we are expediting it and it will be up on the Forums for 1 week rather than the standard 2 weeks. We are asking for the community's support to approve this.

Governance votes

The following items summarise the voting options and what each means for this proposal:

YES - You agree that this external audit should be funded.

NO - You disagree that this external audit should be funded.

NO WITH VETO - A ‘NoWithVeto’ vote indicates a proposal either (1) is deemed to be spam, i.e., irrelevant to Cosmos Hub, (2) disproportionately infringes on minority interests, or (3) violates or encourages violation of the rules of engagement as currently set out by Cosmos Hub governance. If the number of ‘NoWithVeto’ votes is greater than a third of total votes, the proposal is rejected and the deposits are burned.

ABSTAIN - You wish to contribute to the quorum but you formally decline to vote either for or against the proposal.


Would it be more efficient for the Hub to bulk buy XX amount of audits from a single vendor?

It should drive down the cost per audit, reduce admin overheads related to doing these one-by-one and will probably also give the vendor the opportunity to become more familiar with our overall codebase?

I say this because it feels like this is the 3rd or 4th such proposal, and while we should fund these, I’m just wondering if we could streamline them for better value.

Hey Syed!

I agree that a bulk buy of audits is more efficient than the current iteration. Discussions are being held for this exact purpose; however, these negotiations take some time and, given the urgency of these audits, we have to continue with this format until those negotiations are completed.

Hope this helps!
