[APPROVED] [PROPOSAL #8] Set up a pilot audit sponsorship program for smart-contract projects looking to launch on Neutron

To the forum please, the goal being to build a publicly auditable trail on how the process was conducted to sponsor transparency and accountability in the Foundation’s activities :pray:


Hey @Spaydh
Blaize Security here. Dropping answers on additional questions from the notion

First of all, we kindly ask you to add “Fuzzy testing” and “Test coverage” tags to the experience page. We perform fuzz testing on demand or when necessary, check the existing coverage, and add our own coverage through unit tests.

As for questions:
0) Relevant experience
Our public reports are here: https://audits.blaize.tech
But as a security provider we have a significant part of our work going on under NDA. That’s why we cannot share public reports from the Cosmos ecosystem. Though, we have a fully staffed Rust team with several years of experience with the Substrate framework, Solana and Near chains, Secret Network, Move chains (Sui/Aptos), and that experience also includes CosmWasm experience and work with Cosmos IBC-compatible chains.

  1. Native token payments

We are trying to keep our services affordable; thus, we do not have enough room to absorb price-change risk while still meeting our obligations to our employees. So we stick to stablecoins.

  2. Audit scoping
    For the astroport vault: 0.5-0.7 AW for cost, approx. 1 week timeline
    Exact estimation to be performed after a formal request

  3. Extension and expiry
    As pricing is based on each individual audit, Blaize Security offers services for as long as required. We can guarantee slots for at least 2 audits per month (with prioritized start and a dedicated team); extra slots can be negotiated during the quotation for each extra audit. Then extra audits will fall under the general lead-time terms (with 1-2 weeks of waiting time at most) but under the discounted offering we shared. Guaranteed slots are fixed in time and expire right on the date (though they can be re-scheduled).

Dear Neutron Community,

Questions raised by Meson Labs were addressed directly to them on 5th August. For transparency, we are also sharing them in the public forum for community visibility and further input.

  1. Audit scoping
    Taking the astroport-vault as an example, SCV would request a minimal consumption of 0.5 AW to conduct a comprehensive audit. While in-line documentation is sufficient given the low complexity implied by the code, SCV notes that no tests or test coverage are provided or available for the astroport-vault implementation. Available unit tests and minimal code coverage are suggested as part of our requirements described in the provided document (SCV - CosmWasm - Audit Preparation and Requirements.pdf).

  2. Extension and expiry
    SCV would extend under the same package terms up to 24 AW. The minimal extension would be 6 AW at a discount. Purchased AW do not explicitly expire, as we believe it is in the Neutron community’s best interest that they be consumed and utilised.

  3. Native tokens
    When using native tokens, SCV normally liquidates assets according to the total AW effort and the suggested fee price tag (per audit engagement request), as they are usually easily absorbed by the market given the total amount.

    Due to token price volatility, additional tokens might be required to match with the proposed AW fee until the end of the term. As audit efforts are calculated in AW against USD currency, SCV would return the remaining tokens at the end of the term back to any designated address specified by the community via governance.

    Token liquidation activity would be public, since we expect to operate on the Neutron chain using a native address wallet controlled by SCV or via a multisig of designated members suggested by the community or Meson Labs.

    Regarding token liquidation over time, we typically consider various factors, such as market conditions, token volatility, and business needs, before making any decisions. It’s important to note that our approach to payments in native tokens and token liquidation may be subject to change as the industry evolves and new regulations are introduced. We always strive to act in the best interest of our stakeholders while maintaining compliance and prudent financial management.

    That being said, we are open to suggestions when compensation is expected to be made in native tokens.

Once again, we appreciate the opportunity and the follow-up questions raised by Meson Labs.

Hi Neutron Community,

Philip here, co-founder of Oak Security.

Thanks for the follow-up questions @Spaydh. We have discussed them internally and extended our proposal to address all these questions.

Please find our replies in our updated proposal on page 13 and 14: Oak Security Neutron Ecosystem Audits - Proposal v0.2.pdf - Google Drive

Let me and my co-founder @stbeyer know if we should dive deeper into any of these points.

Many thanks!


Hi Neutron Community,

Replying here to address the follow-up questions.

  1. Lead times
    Typical lead times for new projects are between 3-5 weeks. For retainer clients, we can commit to a 2-week lead time SLA.

  2. Audit Scoping
    The average project is between 1-4 weeks. This contract is relatively straightforward. We would estimate 4-5 days + 1 day for a report if needed, or a total of around one AW.

  3. Extension and expiry
    Assuming proper notice, we’re able to extend the discounted rate for as many AW as needed.

  4. Payment terms
    Payment will be delivered as consumed.

  5. Participation scope
    We work closely with teams to provide cutting-edge security research and content. Examples of work we’ve done for other partners include novel formal verification frameworks, security-oriented tutorials for developers, incident response for ecosystem teams, and more. You can find examples of this content on https://blog.osec.io and the popular repositories on our GitHub: OtterSec · GitHub.

Please let me know in the thread if any points need further explanation.

Thanks!


Thanks all, the follow-up period is now closed. Meson Labs will review and get back with a recommendation asap.

  • Reposting answers from Informal Systems, which were shared in time via Telegram:

FOLLOW-UP QUESTIONS

  1. Lead times

What are the typical lead times for your firm?

A couple of months for regular audits, a couple of weeks for partnership clients.

Can your firm commit to any SLA regarding lead times?

Yes

  2. Audit scoping

How many engineers would typically work on a CosmWasm-based project?

Two security engineers, a technical lead and a quality lead engineer. That team will also leverage the expertise of engineers from our product teams (IBC, Hermes, Comet etc.).

What would you say is the distribution of and median audit duration for your firm?

About 4 person-weeks

How many estimated AW for an audit of this example contract from ApolloDAO? https://github.com/apollodao/apollo-vaults/tree/master/contracts/astroport-vault

We noticed the contract is a simple wrapper and that the contract’s functionality is in the packages apollo_vault and base_vault. We could not find complete documentation or any scripts for e2e testing. A rough estimation for this project would be 3-4 person-weeks, i.e. 1.5 or 2 weeks’ time involving 2 security engineers.

  3. Extension and expiry

Up to how many AW would your firm be ready to extend the package terms?

Package could go up to 16 weeks per quarter

Are there any explicit or implied expiration dates for the AW secured via the package?

We allow for a couple of AW to carry over to the next quarter

  4. Native tokens

How does your firm typically handle payments in native tokens?

Yes, (see initial proposal document for details)

Does (and how does) your firm typically liquidate tokens?

We usually don’t liquidate partnership tokens, and stake them instead

Would you be open to distributing the liquidation, and if so, how long?

Yes, we would distribute the liquidation over the course of several years and wait for adequate market conditions

  5. Miscellaneous

Could you please make the public audit report list?

We use Confluence to keep track of our audits. For the purposes of the RFP, we updated this GitHub repository although it is still a work in progress and still incomplete

TESTIMONIALS

“Informal Security extended the audit scope twice on short notice and with a very high standard of work! I was impressed with the team”, Spaydh (General Manager, Neutron)

@informalinc and it’s not even close”, Aidan Salzmann (Stride co-founder) on Twitter, in response to a question from Jim Chang (Catalyst co-founder) on who might be the best auditor in Cosmos. “The team at Informal did an outstanding job auditing Stride, employing various levels of testing, ranging from basic code coverage to in-depth formal verification”

“Utilizing Informal’s auditing service proved invaluable to our team in several ways. […] Beyond a one-time audit, they consistently act as a dependable partner, supporting us throughout the different readiness stages of the software”, Ismail Khoffi (Celestia CTO & co-founder)

“We have worked with Informal Systems on an ongoing basis for over a year, and continue to do so. […] We appreciate their timely updates, responsibility and flexibility when scope or requirements change”, Chris Goes (Anoma co-founder)

“Informal challenged us to think about edge cases, and leveraged their immense understanding of Tendermint […]. I’d absolutely recommend Informal to anyone looking for a comprehensive audit that not only includes code checking, but also general mechanism design advice and high-level stress testing”, Maghnus Mareneck (Skip co-founder)

“Informal Systems has been great to work with and their auditing services have been exceptional. I have been most impressed with their team’s ability to ramp up on our large, complex codebase in such a short time”, James Jia (dYdX Project Lead)

“Quint :handshake:CosmWasm ; building contracts high level and correct by construction on top of the well established CosmWasm foundations […] is one of the most inspiring ideas I learned about at AwesomWasm”, Simon Warta (Confio co-founder) on Twitter

“I read through the tutorials yesterday and my mind was blown. This was the first time I’ve seen these patterns and not been overwhelmed by the cognitive overhead of the syntax”, Ekez (DAO DAO developer) on Twitter about his experience using Quint to model an IBC handshake

“Thanks to our great friends and TLA+ wizards at @informalinc for running a fine-toothed protocol comb through @namada’s Cubic Proof-of-Stake”, Anoma team via the Namada Twitter account, following the modeling in TLA+ of their PoS protocol

VALUE-ADDS

Informal Security brings several additional value-adds:

First, we are a major core contributor to Cosmos. On behalf of the Interchain Foundation, we lead product development on most pieces of the Cosmos stack, including Comet, IBC, Hermes and the Cosmos Hub. That means, among other things, that we become aware of security concerns across the ecosystem immediately.

Second, our security team is doing protocol design work and performing ongoing audits on many of these pieces. That means we are in a privileged position to suggest fixes and patches for common vulnerabilities.

Third, we are also performing continuous audits on the Neutron core chain, so we also have an in-depth understanding of the entire Neutron stack, top to bottom.

Lastly, Informal has a track record in developing tools for formal modeling and simulation, notably through our generic formal specification language, Quint. We would work with Neutron dApp developers to formally specify the intended behavior of smart contracts in order to express, structure, and communicate the desired functionalities in an effective way.

Dear all,

Thank you for your patience as we reviewed proposals and follow-up answers. We thank all firms for participating in the RFQ with such a high degree of quality in proposals.

As discussed above, we will now be proceeding with a formal recommendation to the DAO, which will remain on the forum for a few days before moving on-chain for approval/rejection by the DAO.

Recommendation

The Osmosis Grant Program’s 12 AW package resulted in roughly 6 projects being audited over the course of 6 months. This seems like an appropriate baseline to support the initial adoption of the network, assuming that eligible projects are carefully vetted.

Further packages can be secured at a later date once additional data on the program’s demand is available. Firms that participated in this RFP shall be prioritised for future packages.

While all participating firms have demonstrated a high degree of competency, we recommend proceeding with Oak Security’s proposal.

Beyond an overall well constructed proposal, Oak Security demonstrated the most relevant experience, with an extensive track record of 110 successful CosmWasm audits, including Astroport, Mars, Levana, CronCat, CosmWasm, DAODAO and others.

Oak Security scored well across all metrics:

  • Lead times for reserved slots are in line with best practice (we nevertheless note longer than average lead times for non-reserved slots).
  • Audit durations: Oak Security shared the most detailed distribution of typical audit times, which, along with the example contract scoping exercise, place them among the best performing.
  • Engineering resources per audit
  • Oak Security’s rate is the third best proposed rate, and includes options for partial NTRN payment with clear mechanisms to manage market outcomes.

We therefore recommend the 12 AW package from Oak Security: 12 Audit Weeks - 326,400 USD

Out of Scope Recommendation

Additionally, we recommend that the DAO considers granting the Security SubDAO a limited NTRN budget to sponsor urgent audits related to applications launches or DAO contract upgrades.

We believe that SCV Security would be the most appropriate firm to engage for this purpose given their extensive CosmWasm experience and willingness to settle invoices in native tokens.

This recommendation is out of scope of this RFQ/RFP process, and, assuming firms are willing to engage with the subDAO, should entail an additional proposal.

Next Steps

This recommendation will remain on the forum for a few days before an on-chain proposal is made to ratify the decision. We welcome the community’s and participants’ feedback on the process, the recommendation, and how they can be improved going forward.

If approved by the DAO, Meson Labs will work with the selected auditing firm to draft and execute the definitive agreement.

Thanks Spaydh,

If I could make a suggestion:

My suggestion is to permit projects to freely select firms endorsed by the DAO, rather than channeling the entire demand to a single firm. This change would facilitate projects in choosing firms based on their preference, past relationship and project needs.

As an example, we have clients launching on Neutron that cannot engage with us under the audit sponsorship because the framework does not allow it. This creates an unnecessary dominance and unfair competition.

While I understand that changes at this point might not be possible, I still wanted to express SCV’s position on this matter aiming to improve the framework by simply allowing projects to select firms themselves.

Once again, we truly appreciate the opportunity and look forward to the possibility of collaboration.


I just want to say that I really like this suggestion. I’m not exactly sure how we make it work with the package model but I like it, straight up.

The ideal case would be for projects to be able to choose their auditor.


Hi @vini, thank you for the feedback. You’re right, I would say that’s one of the main drawbacks of the current approach. We initially opted for this model as it seemed to be the best way to have a transparent process that would maximize the expected value for the ecosystem, which I believe it has achieved, but distribution of auditing orderflow and resources is also a desirable property imo.

I think your “auditing fund” idea could be implemented. An initial version of it might rely on granting the Security subDAO a budget to support the ecosystem’s projects, and a mandate to conduct an RFP process to lock in quotes from auditors. The best offers would be selected as providers, and audits would either rotate between firms or projects would select the adequate firm based on their auditing history and preferences.

I’d be happy to support a well-thought-out proposal roadmapping the implementation of such a program.


Thank you, @Spaydh!

Yes indeed! I believe the audit sponsorship program framework could be better suited and more flexible under the DAO. This would involve subsidizing each security audit engagement as it occurs.

The DAO could endorse partner firms, enabling projects to request proposals based on their needs (perhaps two quotes mandatory). Subsequently, these proposals would be submitted back to the DAO for review and approval based on their context including, final price, allocation time, preference, etc.

I also think that, for auditing partners, maintaining a reasonable allocation of slots dedicated to Neutron’s projects would be essential, along with the possibility of offering discounts.

Thank you once again for the consideration and for enhancing the framework.


The proposal has been submitted on-chain:
https://governance.neutron.org/proposals/8


the best offers from each firm is attached to an on-chain proposal and submitted to the DAO via a multiple choice

Does that mean you will let people choose from different firms instead of giving them only one? What is the point of DAO so far?

That was the intention, unfortunately the UIs weren’t ready for this so we went ahead with a recommendation + signaling proposal. We expect to change the approach next time around.

Hi Neutron community!
Belsy from NYMLAB building Vectis here.

We would like to apply for the audit sponsorship program; please find the PDF answering the above questions from our team here.

Edit: 12th Sep 6:40am CET fixed typo.
https://cloudflare-ipfs.com/ipfs/QmSbAqVQfMfRqKce4Ki7JpRUsyW8b2aXvvpqne35wUb7jX

The proposal has been approved by the DAO:
https://governance.neutron.org/proposals/8

Meson Labs will be in touch to draft and execute the contemplated agreement.

Hi Belsy, thank you for your application!
It will be reviewed shortly once an agreement with Oak Security has been executed.


Amulet Finance is excited to be launching on Neutron in 2023!

We are submitting this request for support with the auditing of the first Strategy contracts to be deployed on Neutron which will enable users to obtain self-repaying loans on staked assets. We would be grateful for early consideration of this application and look forward to answering any questions.

Neutron Audit Sponsorship Program Application - Amulet Finance

@Spaydh Please see the request by Amulet for sponsorship

Applications by Vectis and Amulet Finance have been approved for the audit sponsorship program.