Security is paramount in the Cosmos Hub’s journey to becoming the leading blockchain ecosystem. Over the years, the Hub has faced challenges in maintaining a cohesive and proactive security strategy.
To address this, the ATOM Accelerator DAO (AADAO) launched a Request for Proposal (RFP) in late October 2024, seeking a dedicated security partner for the Hub. The outcome? A landmark $440,000 AADAO grant to Zellic, establishing a long-term partnership that will enhance the Hub’s security posture and ensure its resilience.
Why the RFP? Identifying Critical Security Needs
In the past 18 months, the Cosmos Hub has spent a total of $344,170 on one-off feature audits. However, these efforts lacked a unified strategy to address long-term security challenges. Moreover, previous security efforts revealed other concerns:
- Inconsistent Coverage: Key components like the Liquid Staking Module (LSM) were deployed without adequate security reviews, while others, such as Interchain Security (ICS), underwent disjointed, piecemeal audits.
- Outdated Audits: Core dependencies, such as CosmWasm, Cosmos SDK, CometBFT and others, may not have been audited recently, leaving potential vulnerabilities unchecked.
- Inefficiency of One-off Funding: Audits were often funded via standalone governance proposals, each requiring sourcing new quotes, creating delays and driving up costs.
These factors underscored the need for a long-term, proactive approach to security. AADAO sought proposals from four top-tier teams in the industry, chosen for their reputation and expertise with the Cosmos Stack. It was imperative to engage a partner ready to hit the ground running, without requiring months to acquire the necessary domain knowledge.
The Zellic Partnership: A Strategic Investment
Following this rigorous vetting and negotiation process, AADAO has selected Zellic as the Hub’s long-term security partner. Here’s why Zellic stood out:
- Proven Expertise: Zellic has a demonstrated track record of working within the Cosmos ecosystem, successfully auditing projects like Osmosis, Injective, and Celestia. For the Cosmos Hub, they have already delivered audits on the permissionless ICS feature (Prop 954) and the ICS with inactive validators feature (Prop 943).
- Comprehensive Audit Plan: Over 24 months, Zellic will audit:
  - New features and periodic updates to Gaia (the Cosmos Hub’s binary).
  - Critical dependencies like CosmWasm and the Cosmos SDK, prioritized by risk.
- Cost Efficiency: The $440,000 grant funds 20 audit weeks, priced 16% lower per week than previous one-off audits. Unused audit weeks will roll over for up to 2 years, ensuring flexibility and efficiency.
Proactive Security and Long-term Resilience
There is no doubt that this is a significant grant amount; however, it comes after weeks of careful planning and deliberation that began in October 2024, with an approach designed to address critical vulnerabilities and strengthen the Hub’s resilience through:
- Regular Audits: Scheduled audit weeks every two months to provide continuous and consistent security coverage.
- Critical Dependency Focus: Auditing foundational components like CosmWasm and others to mitigate risks across the ecosystem.
- Seamless Collaboration: While AADAO oversees the grant, Zellic will work directly with the Cosmos Hub’s engineering teams to ensure swift integration of findings.
By securing Zellic’s expertise, the Cosmos Hub is making a forward-thinking investment in:
- Mitigating Exploit Risks: Proactively addressing vulnerabilities before they can be exploited.
- Strengthening Developer Confidence: A robust and secure ecosystem attracts top-tier developers and projects.
- Protecting ATOM and Its Ecosystem: Enhanced security safeguards the Hub’s assets, reputation, and broader ecosystem.
This partnership establishes a foundation for continuous improvement, equipping the Cosmos Hub to navigate future challenges while solidifying its position as a leader in blockchain innovation.
Final Thoughts
The Zellic partnership sets a new standard for blockchain security within the Cosmos Hub, shifting the focus to a structured and continuous approach. While AADAO cannot dictate how engineering teams implement audit findings, the hope is that this collaboration fosters a security-first mindset that benefits the Hub and its broader ecosystem.
With Zellic as a trusted partner, the Cosmos Hub is well-equipped to navigate future challenges and solidify its leadership position in the blockchain space.
About the Atom Accelerator DAO
Atom Accelerator DAO (AADAO) is a governance-mandated DAO of the Cosmos Hub. We were formed and mandated to drive value for the Cosmos Hub and ATOM, supporting initiatives that either directly create economic impact or produce value that can drive its growth. From this, our current primary mandates are public grants and venture grants.
Atom Accelerator’s venture arm strategically invests in promising early-stage web3 founders and startups both within and outside of the Cosmos Hub’s ecosystem, offering expertise, guidance, and support as experts within the Cosmos ecosystem while driving value towards ATOM.
In 2023, we deployed $3.8 million in grants to 39 recipients, resulting in, among other things, a $22m USD airdrop to the Community Pool, an AEZ Accelerator program to expand the AEZ, a successful hackathon with 42 project submissions bringing innovations to the AEZ, and many other key initiatives. Read about them in our 2023 Impact Report.