Audits are a key part of the security lifecycle of crypto protocols. Unfortunately, they’re not enough. Range and Oak Security are partnering to extend audits into long-term security monitoring and threat protection, providing a step towards an end-to-end security solution for Cosmos projects.‍

Performing smart contract and protocol audits are an established best practice before launching a system into production, especially if millions of dollars will be handled and are therefore at risk. However, as we’ve seen in examples like the Euler hack, security incidents are possible even after multiple audits.

There are several reasons why:

• Audits provide no guarantees. Manual security audits and automated static analysis tools are key requirements and can vastly improve the security standpoint of a protocol. However, they do not guarantee that a codebase is error-free. Audits by top-tier firms like Oak Security can actually go beyond simply finding bugs. They can give recommendations improve the maturity of a codebase. Still, even after such audits, the code is not guaranteed to be perfect and bug-free.

• Codebases are dynamic. When a protocol goes through an audit, the codebase is frozen, meaning it stops being updated by the engineering team. The audit report reflects the state of that protocol at that specific time. However, the reality is that protocols, especially in the Cosmos ecosystem, are constantly updated. These moments of upgrades are a critical point where new vulnerabilities can be introduced.

• Changed parameters can get a protocol rekt. Audit firms like Oak Security highlight recommendations on parameters that can cause hazards to a protocol. Despite the audit, a community can pass a governance proposal to change a parameter that leaves the protocol insecure.

• Third party dependencies and integrations introduce uncertainty. Changes in third-party dependencies, such as an oracle, another protocol, a bridge or another L1, can change the security profile of a project. These can also bring unexpected behavior due to new attack vectors that are unknown at the time of the audit, such as L1 protocol changes and emerging paradigms such as flash loans. Future attack vectors are, naturally, out of the scope of audits.

The way to mitigate these shortcomings of security audits is customized, in-depth, real-time security monitoring across the full development lifecyle. This approach will:

• Uncover and prevent potential vulnerabilities and attacks that a code review might miss.

• Adapt to changes and upgrades in the codebase, making sure that the invariants highlighted at the audit time still hold.

• Detect risky changes in any parameter potentially introduced by a software upgrade or governance proposal.

• Monitor the correct functioning of third-party dependencies such as price oracles.

The answer is to set up an effective customized security real-time monitoring system using a tool like Range. The key word here is the “customized” part. And that’s where this partnership comes in.

Security auditors can get a very deep understanding of a protocol when they perform an audit. They can define invariants that should not be broken and expose dependencies and parameters that could leave the protocol vulnerable. Security auditors are perfectly positioned to define the best way to customize monitoring.

With this partnership, audits evolve from being a static security snapshot on a codebase to a natural extension of long-term security monitoring. The key to building resilient protocols is a secure in-depth approach across the full development lifecycle; design, development, audit, testing, deployment, monitoring and incident response. 

Together, Oak Security and Range are working to provide the first end-to-end security coverage in the Cosmos ecosystem. With Oak Security and Range joining forces, Cosmos SDK chains and CosmWasm projects can boost their security with an end-to-end security solution completely adapted to their needs.