Zellic: Security Audits for the Cosmos Hub

This grant is to engage Zellic as a long-term audit partner for the Cosmos Hub. This project is a result of an RFP run by the ATOM Accelerator DAO to try and address the lack of formal audits of some of Cosmos Hub’s key dependencies, as well as the haphazard way new functionality on the Cosmos Hub has been audited.

Zellic aims to conduct comprehensive security audits of Cosmos Hub features and upgrades over the following 24 months. In consultation with the Cosmos Hub Engineering Team, Zellic will also review Cosmos Hub dependencies, such as CosmWasm, Cosmos SDK, etc. The first engagements are expected to occur in H1 2025 and will cover Gaia (the binary of the Cosmos Hub), along with key dependencies to be prioritized based on risk.

Over the past few months, Zellic has been engaged multiple times by Cosmos Hub governance to perform audits for the Cosmos Hub – including the Inactive Validator Set, Permissionless ICS, and by AADAO to audit the Liquid Staking Module. Zellic has established trusted relationships and has worked on various projects within the Cosmos ecosystem, including Berachain, Initia, Osmosis, Penumbra, Injective, Celestia, and others.

In the past 18 months, the Cosmos Hub has spent $344.2k on one-off feature audits, with no audits to dependencies. This cost an average of $27.5k per audit week. With this grant, AADAO is engaging Zellic on a 20 audit-week contract, costing 20% less per audit-week than the Hub has previously spent. Any unused audit-weeks will keep rolling over for a 24-month period.

While Zellic has been tasked with auditing our key dependencies in 2025 H1, we expect them to support the new Cosmos Hub engineering team with audits of feature launches from the second half of 2025. Version bumps of dependencies after the initial audit will also have “diff-audits” performed on them.

Zellic’s partnership with Cosmos Hub aims to enhance security, reduce the risk of exploits, and safeguard staked ATOM. This improved security is expected to attract more developers and projects to the Cosmos Hub and its ecosystem, thereby increasing ATOM utility and value. Ultimately, their audits will strengthen the long-term stability and confidence in the Cosmos Hub, protecting both its assets and reputation.

More about this grant

About Zellic

Zellic works with some of the largest L1s—Solana Foundation, Aptos Labs, and Mysten Labs—and L2s—StarkNet, Scroll, and Mantle—to identify bugs in networks, application layers, custom precompiles, and more. We review L1s and L2s, cross-chain protocols, wallets and applied cryptography, web applications, and more. We also have a dedicated zero-knowledge cryptography team, and work closely with projects like Scroll, Axiom, and Succinct Labs.

Zellic is led by Stephen Tong and Jasraj Bedi, who previously founded the #1 CTF team worldwide in 2020, 2021, and 2023. Our engineers bring a rich set of skills and backgrounds, including cryptography, web security, mobile security, low-level exploitation, and finance. We’re also a founding member of the Security Alliance (SEAL) led by samczsun.