Code4rena comes to Cosmos: first audit contest is a $100k+ challenge to hack Gravity Bridge

sock
sock
Aug 18 · 4 min read

On the heels of crossing $1.6 million in awards for Solidity audit contest competitors, Code4rena is partnering with Althea to bring decentralized smart contract security audits to the Cosmos ecosystem.

Althea is gearing up for the launch of the Gravity Bridge, a highly anticipated Ethereum-Cosmos bridge that will be the most secure, efficient, and decentralized bridge between the two ecosystems.

One of the last items to complete before rolling out the Gravity Bridge is an audit and code review of its smart contracts.

Who you gonna call?

In the blockchain world, we’ve seen massive hacks of smart contracts resulting in hundreds of millions of dollars lost and shaken confidence. More projects launching on Cosmos this year means greater attention on the ecosystem and more money in the sights of malicious hackers.

With a shortage of blockchain security auditors and wait times for reputed firms upwards of 6 months, Cosmos’ uniqueness makes that dearth of auditors even more strained.

Even though there are few Cosmos auditors, there are unquestionably a large number of people who are passionate about Cosmos, knowledgeable about security, and familiar with common smart contract exploits.

The field is ripe for a decentralized model — and, in fact, such a model might even compare with the results from top audit firms.

Blockchain security researcher Sebastian Banescu recently gave a talk titled Lessons learned from over 300 security audits. One of those lessons?

“More auditors, more issues found.”

It’s not surprising that the complex and emerging nature of smart contract development means that getting more eyes on a project significantly increases the number of security findings.

Code4rena’s model

Code4rena (“C4”) is built on the 👆 simple concept well stated by Sebastian Banescu: more auditors, more issues found.

C4 uses a novel competitive mechanism that allows for anyone to help secure protocols and platforms without having to be a full-time professional auditor. This approach is designed to increase the depth and breadth of an audit while incentivizing security researchers to find the highest-risk and rarest bugs.

Here’s how a C4 contest works:

  • Wardens protect the ecosystem from threats by auditing code.
  • Sponsors create prize pools to attract wardens to audit their project.
  • Judges allocate awards to wardens based on performance.

Most contests run 1–2 weeks.

After sponsors review findings, an independent judge determines final severity. The entire prize pool is distributed with larger payouts for higher risk vulnerabilities.

Rather than taking the approach of ‘first person to turn in the bug gets the bounty’, the C4 model rewards everyone’s contributions even if there are multiple submissions of the same bug.

Each bug found has an assigned pool which is split among everyone who finds it. For each additional person finding the bug, the bug’s total share is decreased by 10%. This prevents sybil attacks and ‘homework sharing’ while encouraging people to team up.

The results

Code4rena’s community-driven model has proven to be an approach on par with top auditors in the industry while highly lucrative for competitors.

In its first 6 months, C4’s model has been used by the Ethereum community to help make 22 projects more secure with over $1,683,470 awarded (or soon to be awarded) to security researchers for their findings.

ElasticDAO’s LSDan put it this way:

“This result far exceeded previous experiences I’ve had with 2–4 week-long audits by individual companies. I highly recommend the Code4rena competitive audit approach for anyone starting a new project.”

In fact, several projects have found the results so useful that they have come back for additional audit contests.

Code4rena’s goal

We’re aiming to help level up the security of the entire Cosmos ecosystem using a rigorous process that increases the quality of audits by attracting and incentivizing a swarm of reviewers to find as many rare and high risk vulnerabilities as possible in short, focused windows.

We’re also working to create an environment that helps everyone grow in their ability to secure the ecosystem. The C4 community’s top auditors have said Code4rena has proven to be the best way to level up their security skills and knowledge as all of our contests’ contracts and findings are made open and reviewable after sponsors have mitigated.

Gravity Bridge will be the first Code4rena Cosmos contest, kicking off a two week audit on August 26 at midnight UTC.

You can compete for your share of the $100k+ prize pool by joining the ranks of our Cosmos wardens. Just hop into the #i-want-to-be-a-warden channel in C4’s Discord server to register.

Looking to sponsor a C4 Cosmos audit contest for your project?

Just join the #i-want-to-be-a-sponsor channel in our Discord.

Follow @c4_cosmos on Twitter for the latest on upcoming Cosmos audit contests.

Find out more about the Gravity Bridge visit gravitybridge.net.

Code4rena

Hack DeFi. Compete. Get paid.