[APPROVED] [PROPOSAL #8] Set up a pilot audit sponsorship program for smart-contract projects looking to launch on Neutron

The following document proposes a framework for setting up a pilot program to sponsor audits for less established teams looking to launch smart-contract applications on Neutron. This document is a draft, which is published here to solicit feedback and collaboratively improve the proposed solution, RFQ, request process and selection criteria for both auditing firms and eligible projects.

Community feedback is not only welcome but highly encouraged. Feedback may be submitted via this forum thread or by making suggestions to the collaborative draft of this document, which can be accessed via this link: [RFP] Audit Package for Neutron's Ecosystem - Google Docs

This document has been drafted with the following objectives and constraints in mind:

Objectives

  • Support high security standards within the ecosystem
  • Support less financially established teams in deploying on Neutron
  • Secure better terms by purchasing in bulk and for the entire network
  • Contribute to reinforcing ownership within Neutron’s subdaos long-term

Constraints

  • DAO resources are denominated in NTRN, which is still fairly illiquid
  • The network’s community, subDAOs, infrastructure and process are nascent and still fairly undefined.

Summary

Help ensure a high degree of security throughout Neutron’s DeFi ecosystem by setting up a pilot audit sponsorship program.

Problem Statement

Ensuring a high degree of security throughout Neutron’s DeFi ecosystem is crucial to the long-term success of the platform. Hacks and exploits can drastically slow down progress, damaging not only the platform’s reputation but also its liquidity. Unfortunately, many teams within the ecosystem lack the resources to have their contracts audited by reputable firms. As it stands, there is an urgent need for a mechanism to support these teams on Neutron.

Proposed Solution

To address this issue, we propose initiating a pilot audit sponsorship program.

We propose to secure a package deal for five to ten audits from a firm offering high-quality services at a competitive price. This entails conducting a Request for Quotation (RFQ) process to gather offers from reliable auditing firms, and submitting all offers to the Neutron DAO for selection via an on-chain multi-choice proposal. Once an agreement is executed with a firm, the auditing resources could be allocated to projects upon request, following a systematic process described below.

At this stage, the most practical solution would be to rely on the Neutron Foundation to execute this pilot program on behalf of the DAO. This would not only simplify the establishment of legally binding agreements with the selected provider, but also provide a practical short-term solution for how to handle payments, since providers are likely to request at least a portion in stablecoins rather than NTRN.

In the long run, however, it seems reasonable to delegate these responsibilities to an on-chain subsidiary of the Agora such as Security subDAO. Security subDAO is not an admin multisig as it is under the ultimate control of the Agora, but it has the unique power to pause other subDAO contracts, the Treasury, and the Reserve contract in case of emergencies. Eventually the Security subDAO could take ownership of the RFQ and contracting program, sponsoring audits to enhance the security of Neutron’s DeFi ecosystem.

Proposed Request for Quotation

The Neutron Foundation is looking for a reputable firm to provide auditing services to teams looking to deploy decentralised financial applications built as smart-contracts on the Neutron network. The RFQ is intended as an opportunity for firms to compete for an audit package deal to be ratified by the Neutron DAO via an on-chain, executable, multi-choice proposal.

Eligible applications will be primarily built on Neutron and composed of CosmWasm smart-contracts written in Rust. Applications may or may not feature integrations with IBC and/or Neutron’s custom Cosmos SDK modules (written in Go): CRON, Token Factory, Interchain Transactions, Interchain Queries, etc.

The proposed timeline for the process is as follows (subject to change):

  • July 1st to July 10th: the proposed RFQ is reviewed and amended on the forum.
  • July 10th to July 24th: submission period; firms are welcome to share proposals with the DAO through the forum.
  • July 24th to August 7th: the best offer from each firm is attached to an on-chain, multiple-choice proposal and submitted to the DAO.

Proposed Evaluation Criteria

  • Mastery of the stack and relevant experience/references
    • Cosmos SDK
    • CosmWasm
  • Auditing method
    • Manual auditing
    • Automated auditing
    • Tools and testing frameworks
  • Track record
    • Please share any third party assessment of your firm’s work
    • How many projects did the firm audit?
    • How many audited projects were exploited?
  • Quote structure
    • Package price
    • Payment terms and accepted denominations
    • Discount
    • Number of weeks
      • Initial review
      • Bugfixes support duration
    • Timeline
    • Reallocation of spare audit slot mechanism
  • Other value adds

Proposed Request Process

If an audit package is approved by the DAO and subsequently executed between Meson Labs and the Auditor, the following process may be used by teams developing DeFi applications primarily on Neutron to request the attribution of an auditing slot for the contracts they intend to deploy on Neutron.

Step 1: apply for the auditing slot via this thread on the Neutron forum. Applications should include the following, as well as any relevant additional information:

  • Project name and description
  • Team members and background
  • Project roadmap (general and on Neutron)
  • List of existing or planned deployments on other networks
  • Description of the general architecture of the project
  • High level project complexity and risk assessment
    • What are the least/most complex components of the project?
    • What are the potential risks, attack vectors and systemic risks associated with the project?
    • What risk could result from a vulnerability in the project?
    • What steps have been taken to mitigate the project’s risk?
  • Description of the current development stage of the project and deployment timeline
  • List of contracts with links to the source code
    • If applicable, list of components which are intended to be kept closed source and why
  • List of contracts deployed on testnet (we recommend using celat.one)
  • Auditing history
  • Funding history
  • Links to the project’s resources (as applicable): documentation, website, whitepaper, socials, etc.

Step 2: Meson Labs will review the application (taking into account any relevant community feedback) and return within 2 weeks with a motivated confirmation or rejection, which will be published on this thread of the forum.

Step 3: If selected for an auditing slot, contact information will be shared in private messages in the forum so that the project may be introduced to the firm which will perform the audit. Meson Labs will enter the agreement with the firm based on the governance approved terms and handle payments on the project’s behalf.

Step 4: Once completed, the audit report must be published publicly. Projects and firms may choose the venue for publication (e.g. GitHub, website, etc.) freely, but the report must be linked in this thread once published.

Proposed slot attribution criteria

  • Application type:
    • Baseline: any DeFi application
    • Priority: high-risk, TVL-intensive DeFi applications such as bridges and lending protocols.
  • Completion:
    • Feature-frozen codebases with extensive test coverage that have been successfully deployed on testnet and are pending mainnet deployment
  • Open Source:
    • Baseline: all on-chain components are open source. Closed-source on-chain code is not eligible.
    • Priority: all components are open source.
  • Financials:
    • Baseline: any project that has not yet received an audit sponsorship from this initiative.
    • Priority: Neutron grant recipients and pre-seed, pre-token projects

Resources

Neutron documentation: https://docs.neutron.org/

Neutron codebase: Neutron · GitHub

6 Likes

Dear Neutron community,

On behalf of SCV-Security, we are submitting our RFQ.

The proposal is accessible via this link.

Please, do not hesitate in reaching out to us in case of questions.

We want to thank the community for the opportunity and for the trust in the SCV-Security.

Bests

2 Likes

Hi Vini, thank you for the proposal!

2 Likes

Last call for proposals

1 Like

Hi, Neutron community!

Please find the proposal on behalf of Oak Security here.

Looking forward to your thoughts and questions!

1 Like

Hi, Neutron community,

On behalf of OtterSec, our submission for the RFQ is here

Thank you for your consideration and let me know if there are any questions!

Best,

Jun | OtterSec

3 Likes

Informal Systems has had a great experience working with the Neutron core team on ICS onboarding and the chain security. We’d love to work with the ecosystem projects launching on Neutron as well, and you can find our proposal for that in the following document

1 Like

Hello. First of all, thanks for the work on this problematic. With the submission period and the low number of applications, I propose to extend this period and to communicate more in a specific way to reach the audit firms. I don't have an idea, but it can be something like audit forums, Twitter auditor spaces…

The RFQ was created almost a month ago; firms had from July 10th to 24th to submit theirs. Only one firm did meet the deadline. Apart from SCV and OAK, none of the submitted proposals is really addressing the RFQ requirements.

1 Like

Hello, yes, I can understand, but if you don’t have information about an invitation to tender, you can’t apply. @Spaydh will be able to tell us, but I don’t know if the information has been circulated outside the forum.

We only found out about this RFQ on the 24th, hence the delayed submission.

There were Twitter announcements from the Neutron Twitter account operated by Meson Labs and my account, but you’re right, discoverability of this forum is a major issue right now. I personally tried to help with the distribution by DM’ing all of the firms I had channels with, as well as any security-related team I know, and asking them to distribute the RFQ. I believe about 10 auditing firms were reached this way.

The application window is now closed, but last-minute proposals may still be considered if submitted to the forum before the multi-choice proposal goes on chain (no guarantee provided, though). Meson Labs will review the proposals, make a recommendation on this forum and prepare the on-chain proposal soon.

Thank you to all of the firms who participated so far: SCV-Security, Oak Security, Otter Sec and Informal security. The tentative date for the on-chain prop is August 1st.

3 Likes

Thanks for your feedback. I thank you too for the means already put in place. I imagine that postponing the deadline won’t necessarily bring more applications. I just hope that if it becomes necessary in the future to issue another call for tenders, that we’ll find more channels to get the word out. In my opinion, the more quality audit firms there are, the more secure the blockchain will be.

Hi @Won_Jun_Choi, it seems that the document is restricted and requires permission. Please make the document public.

Hi, Neutron community,

On behalf of Blaize.Security, a web3 security provider, here is our submission for the RFQ.

Thank you, and looking forward to further cooperation!

Pavlo
Head of Security, Blaize

1 Like

Hey folks, a quick update on the next steps for this RFQ.

Initially, my intention was to submit all proposals to a multiple-choice proposal to the main DAO; unfortunately, the UI for this has not yet been released, and therefore it would make it extremely hard for DAO participants to actually vote on the proposal (forcing everyone to use a command line interface). Given the high deposit (which is not burnt for failed proposals), I propose to keep things simple: Meson Labs will review the proposals and make a recommendation, which will be shared here for feedback.

Then, assuming feedback is positive, it will be submitted to the DAO in a single choice proposal for approval/rejection.

Apologies for the delay, was out of office for the past few days. The link should work now. Thanks

Awesome, thank you ser!

Meson Labs has conducted its initial review. The results can be found in this public database. New proposals from other firms will not be considered for this sponsorship package (but may be considered for future ones).

Initial Review

Overall, we found the proposals to be very strong, and we are honored by them. We noted that at least two of the firms which submitted proposals were not Cosmos-centric firms, which we take as a positive sign that Neutron and Cosmos are generating interest outside of the usual firms.

While the information contained in each proposal gives a strong understanding of each firm’s value proposition, it does not allow for direct comparison at this stage. Therefore, Meson Labs has included follow-up questions for each of the proposers in its initial output.

These follow-up questions can be found in the third tab of the database, here.
@vini @Thyborg @Won_Jun_Choi @Blaize.Security @stbeyer

Next Steps

Meson Labs intends to proceed with a formal recommendation and an on-chain proposal once the requested information has been provided. We propose the following, tentative timeline:

  • Deadline for additional information: Friday 11th August
  • Meson Labs formal recommendation: Monday 14th August
  • On-chain proposal: Wednesday 16th August

1 Like

Thank you!

What would be the best way to address Meson Labs' questions? Should they be addressed in the public forum?

1 Like