The following document proposes a framework for setting up a pilot program to sponsor audits for less established teams looking to launch smart-contract applications on Neutron. This document is a draft, which is published here to solicit feedback and collaboratively improve the proposed solution, RFQ, request process and selection criteria for both auditing firms and eligible projects.
Community feedback is not only welcome but highly encouraged. Feedback may be submitted via this forum thread or by making suggestions to the collaborative draft of this document, which can be accessed via this link: [RFP] Audit Package for Neutron's Ecosystem - Google Docs
This document has been drafted with the following objectives and constraints in mind:
Objective
- Support high security standards within the ecosystem
- Support less financially established teams in deploying on Neutron
- Secure better terms by purchasing in bulk and for the entire network
- Contribute to reinforcing ownership within Neutron’s subdaos long-term
Constraints
- DAO resources are denominated in NTRN, which is still fairly illiquid
- The network’s community, subDAOs, infrastructure and process are nascent and still fairly undefined.
Summary
Help ensure a high degree of security throughout Neutron’s DeFi ecosystem by setting up a pilot audit sponsorship program.
Problem Statement
Ensuring a high degree of security throughout Neutron’s DeFi ecosystem is crucial to the long-term success of the platform. Hacks and exploits can drastically slow down progress, damaging not only the platform’s reputation but also its liquidity. Unfortunately, many teams within the ecosystem lack the resources to have their contracts audited by reputable firms. As it stands, there is an urgent need for a mechanism to support these teams on Neutron.
Proposed Solution
To address this issue, we propose initiating a pilot audit sponsorship program.
We propose to secure a package deal for five to ten audits from a firm offering high-quality services at a competitive price. This entails conducting a Request for Quotation (RFQ) process to gather offers from reliable auditing firms, and submitting all offers to the Neutron DAO for selection via an on-chain multi-choice proposal. Once an agreement is executed with a firm, the auditing resources could be allocated to projects upon request, following a systematic process described below.
At this stage, the most practical solution would be to rely on the Neutron Foundation to execute this pilot program on behalf of the DAO. This would not only simplify the establishment of legally binding agreements with the selected provider, but also provide a practical short-term solution for how to handle payments, since providers are likely to request at least a portion in stablecoins rather than NTRN.
In the long run, however, it seems reasonable to delegate these responsibilities to an on-chain subsidiary of the Agora such as Security subDAO. Security subDAO is not an admin multisig as it is under the ultimate control of the Agora, but it has the unique power to pause other subDAO contracts, the Treasury, and the Reserve contract in case of emergencies. Eventually the Security subDAO could take ownership of the RFQ and contracting program, sponsoring audits to enhance the security of Neutron’s DeFi ecosystem.
Proposed Request for Quotation
The Neutron Foundation is looking for a reputable firm to provide auditing services to teams looking to deploy decentralised financial applications built as smart-contracts on the Neutron network. The RFQ is intended as an opportunity for firms to compete for an audit package deal to be ratified by the Neutron DAO via an on-chain, executable, multi-choice proposal.
Eligible applications will be primarily built on Neutron and composed of CosmWasm smart contracts written in Rust. Applications may or may not feature integrations with IBC and/or Neutron’s custom Cosmos SDK modules (written in Go): CRON, Token Factory, Interchain Transactions, Interchain Queries, etc.
The proposed timeline for the process is as follows (subject to change):
- July 1st to July 10th: the proposed RFQ is reviewed and amended on the forum.
- July 10th to July 24th: submission period, firms are welcome to share proposals to the DAO through the forum.
- July 24th to August 7th: the best offer from each firm is attached to an on-chain proposal and submitted to the DAO via a multi-choice proposal.
Proposed Evaluation Criteria
- Mastery of the stack and relevant experience/references
  - Cosmos SDK
  - CosmWasm
- Auditing method
  - Manual auditing
  - Automated auditing
  - Tools and testing frameworks
- Track record
  - Please share any third-party assessment of your firm’s work
  - How many projects has the firm audited?
  - How many audited projects were exploited?
- Quote structure
  - Package price
  - Payment terms and accepted denominations
  - Discount
  - Number of weeks
    - Initial review
    - Bugfix support duration
  - Timeline
  - Mechanism for reallocating spare audit slots
  - Other value adds
Proposed Request Process
If an audit package is approved by the DAO and subsequently executed between Meson Labs and the Auditor, the following process may be used by teams developing DeFi applications primarily on Neutron to request the attribution of an auditing slot for the contracts they intend to deploy on Neutron.
Step 1: apply for the auditing slot via this thread on the Neutron forum. Applications should include the following, as well as any relevant additional information:
- Project name and description
- Team members and background
- Project roadmap (general and on Neutron)
- List of existing or planned deployments on other networks
- Description of the general architecture of the project
- High-level project complexity and risk assessment
  - What are the least/most complex components of the project?
  - What are the potential risks, attack vectors and systemic risks associated with the project?
  - What risk could result from a vulnerability in the project?
  - What steps have been taken to mitigate the project’s risk?
- Description of the current development stage of the project and deployment timeline
- List of contracts with links to the source code
- If applicable, list of components which are intended to be kept closed source and why
- List of contracts deployed on testnet (we recommend using celat.one)
- Auditing history
- Funding history
- Links to the project’s resources (as applicable): documentation, website, whitepaper, socials, etc.
Step 2: Meson Labs will review the application (taking into account any relevant community feedback) and return within 2 weeks with a motivated confirmation or rejection, which will be published in this forum thread.
Step 3: If selected for an auditing slot, contact information will be shared in private messages in the forum so that the project may be introduced to the firm which will perform the audit. Meson Labs will enter the agreement with the firm based on the governance approved terms and handle payments on the project’s behalf.
Step 4: Once completed, the audit report must be published publicly. Projects and firms may choose the venue for publication freely (e.g. GitHub, website, etc.), but the report must be linked in this thread once published.
Proposed slot attribution criteria
- Application type:
  - Baseline: any DeFi application
  - Priority: high-risk, TVL-intensive DeFi applications such as bridges and lending protocols
- Completion:
  - Feature-frozen codebases with extensive test coverage that have been successfully deployed on testnet and are pending mainnet deployment
- Open source:
  - Baseline: all on-chain components are open source. Closed-source on-chain code is not eligible.
  - Priority: all components are open source.
- Financials:
  - Baseline: any project that has not yet received an audit sponsorship from this initiative
  - Priority: Neutron grant recipients and pre-seed, pre-token projects
Resources
Neutron documentation: https://docs.neutron.org/
Neutron codebase: Neutron · GitHub