Applicant: kaelrune0 (pseudonymous Web3 security researcher)
Date: 2026-04-22
Contact: kaelrune012be8f@proton.me (and Code4rena warden kaelrune0)
Wallet for payout: 0x256FCA6E038F7E3856c9B8e659029D012884F539 (EVM for cross-chain bridge into OSMO)
Program: Osmosis Grants Program
Ask: $12,000 (USD-equivalent, paid in OSMO) over 8 weeks.
Executive summary
Osmosis is the backbone DEX of the Cosmos IBC ecosystem. IBC transfers are the single largest source of cross-chain-asset correctness bugs in the broader Cosmos stack (per 2023-2025 audit disclosures from Informal Systems, Halborn, and Oak Security). Today there is no publicly-maintained, open-source IBC-transfer-safety data pipeline that surfaces anomalies in IBC traffic into and out of Osmosis. Osmosis’s own monitoring is closed-source and proprietary to the foundation.
This proposal funds an 8-week solo research effort to build:
- An IBC-safety data pipeline (`ibc-safety-scanner`): an open-source Rust + Python toolkit that ingests IBC transfer events from Osmosis (and any Cosmos chain), runs a pluggable rule engine (initial rule set of ~15 published Cosmos IBC bug classes), and emits JSON alerts + a rolling on-chain health metrics feed.
- A real-time dashboard (`ibc-safety.osmosis.zone` or similar): Grafana-or-equivalent, showing the last-24h anomaly count, per-channel event rates, and open alerts. Hosted at the Osmosis Foundation’s discretion (I’ll hand off the hosting config, or run it at no ongoing cost through the grant term + 12-month maintenance commitment).
- An audit-writeup repo (`osmosis-ibc-anomaly-case-studies`) documenting at least 10 historical IBC anomalies that the pipeline would have caught, with postmortem context and replay harnesses for regression tests.
All three artifacts will be open-source under MIT, attributed to the Osmosis Grants Program.
Why this matters to Osmosis
- Defense-in-depth: the Osmosis validator set + smart-contract auditors already cover the on-chain code; a continuously-running IBC-traffic anomaly detector catches the much larger class of integration / cross-chain / composable-economic bugs that neither the core codebase audits nor validator consensus catch.
- Open-source is a recruitment and trust signal: publishing the pipeline (vs. keeping it internal) makes it auditable by the community and also makes Osmosis attractive to developers who want to build higher-level IBC-safety products (MEV-inspired safety explorers, ML-based anomaly detectors, etc.).
- Compounding economics: the rule set grows as new bug classes are disclosed in the ecosystem. A community-maintained repo with clear contribution norms can ingest rules from Osmosis’s validator ops, from external auditors’ disclosed-and-fixed bugs, and from researchers filing new rules.
Scope and methodology
Phase 1 — Rule taxonomy + data-source audit (weeks 1-2)
- Literature sweep of IBC vulnerability disclosures: Informal Systems’ IBC security bulletins, Halborn’s Cosmos audit reports, Oak Security’s public findings, and ibc-go (formerly Cosmos SDK `x/ibc`) release notes from 2023-2025.
- Synthesize ~15 initial rule classes, each with: (a) one-sentence description, (b) precise data-schema match in the IBC event stream, (c) historical example (when disclosed), (d) severity (Critical/High/Medium/Low).
- Deliverable: `taxonomy.md` + rule specifications. Published to the repo at end of week 2.
Phase 2 — Pipeline implementation (weeks 3-5)
- Core ingestion layer in Rust using the `cosmrs` + `tendermint-rs` crates, subscribing to Osmosis RPC events over the Tendermint WebSocket `subscribe` endpoint. Handles `ibc.core.channel.v1.*`, `ibc.applications.transfer.v1.*`, and `ibc.core.client.v1.*` message types.
- Rule engine in Rust with pluggable Python-authored rules (via a `pyo3` shim). Each rule takes a normalized event and returns an alert or None.
- Metrics emitter: Prometheus + OpenTelemetry for observability.
- 10+ rules from the taxonomy, each with unit tests using historical event replays.
- Deliverable: `ibc-safety-scanner` repo with CI (GitHub Actions, `cargo test` + `pytest`).
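To make the rule-engine contract above concrete, here is an added example written for this proposal page (it is not code from `ibc-safety-scanner`, which does not exist yet): a normalized packet event, a `Rule` trait with four stateful rules, and an engine that runs them in chain order over a constructed event stream. The rule names, the channel allowlist, the per-denom limit and the sample events are all assumptions for illustration; the real rule set comes out of the Phase 1 taxonomy. Field names follow the `packet_src_channel` / `packet_sequence` attributes that ibc-go emits on `send_packet`, `recv_packet`, `acknowledge_packet` and `timeout_packet`.

```rust
use std::collections::{HashMap, HashSet};

/// Which ibc-go packet event the row was normalized from.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Kind { Send, Recv, Ack, Timeout }

/// Hypothetical normalized packet event (simplified; not the scanner's schema).
/// `src_channel` is ibc-go's packet_src_channel; a real recv_packet rule would
/// key on packet_dst_channel instead.
#[derive(Debug, Clone)]
pub struct IbcEvent {
    pub height: u64, pub kind: Kind, pub src_channel: String,
    pub sequence: u64, pub denom: String, pub amount: u128,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Alert { pub rule: &'static str, pub severity: &'static str, pub height: u64, pub detail: String }

/// Every rule sees events in chain order and may keep its own state.
pub trait Rule { fn check(&mut self, ev: &IbcEvent) -> Option<Alert>; }

/// Rule A: the same (channel, sequence) emitted twice by send_packet.
/// Sequences are monotonic per channel, so a repeat is never legitimate.
#[derive(Default)]
pub struct DuplicateSend { seen: HashSet<(String, u64)> }
impl Rule for DuplicateSend {
    fn check(&mut self, ev: &IbcEvent) -> Option<Alert> {
        if ev.kind != Kind::Send { return None; }
        (!self.seen.insert((ev.src_channel.clone(), ev.sequence))).then(|| Alert {
            rule: "duplicate_send", severity: "Critical", height: ev.height,
            detail: format!("{} seq {} sent twice", ev.src_channel, ev.sequence) })
    }
}

/// Rule B: an ack or timeout for a sequence this node never saw sent.
/// Catches both bogus completions and gaps in our own ingestion.
#[derive(Default)]
pub struct OrphanCompletion { sent: HashSet<(String, u64)> }
impl Rule for OrphanCompletion {
    fn check(&mut self, ev: &IbcEvent) -> Option<Alert> {
        let key = (ev.src_channel.clone(), ev.sequence);
        match ev.kind {
            Kind::Send => { self.sent.insert(key); None }
            Kind::Ack | Kind::Timeout if !self.sent.contains(&key) => Some(Alert {
                rule: "orphan_completion", severity: "High", height: ev.height,
                detail: format!("{:?} for unseen {} seq {}", ev.kind, ev.src_channel, ev.sequence) }),
            _ => None,
        }
    }
}

/// Rule C: traffic on a channel outside the operator-supplied allowlist.
pub struct UnknownChannel { pub allowed: HashSet<String> }
impl Rule for UnknownChannel {
    fn check(&mut self, ev: &IbcEvent) -> Option<Alert> {
        (!self.allowed.contains(&ev.src_channel)).then(|| Alert {
            rule: "unknown_channel", severity: "Medium", height: ev.height,
            detail: format!("traffic on unlisted {}", ev.src_channel) })
    }
}

/// Rule D: a single transfer above a per-denom threshold in base units
/// (acks and timeouts carry the amount too, so only send/recv are scored).
pub struct LargeTransfer { pub limits: HashMap<String, u128> }
impl Rule for LargeTransfer {
    fn check(&mut self, ev: &IbcEvent) -> Option<Alert> {
        if !matches!(ev.kind, Kind::Send | Kind::Recv) { return None; }
        let limit = *self.limits.get(&ev.denom)?;
        (ev.amount > limit).then(|| Alert {
            rule: "large_transfer", severity: "High", height: ev.height,
            detail: format!("{} {} exceeds limit {}", ev.amount, ev.denom, limit) })
    }
}

pub struct Engine { pub rules: Vec<Box<dyn Rule>> }
impl Engine {
    /// Feed every event to every rule; collect alerts in chain order.
    pub fn run(&mut self, events: &[IbcEvent]) -> Vec<Alert> {
        let mut out = Vec::new();
        for ev in events { for r in self.rules.iter_mut() { if let Some(a) = r.check(ev) { out.push(a); } } }
        out
    }
}

fn ev(height: u64, kind: Kind, ch: &str, seq: u64, denom: &str, amount: u128) -> IbcEvent {
    IbcEvent { height, kind, src_channel: ch.into(), sequence: seq, denom: denom.into(), amount }
}

/// Constructed sample stream (not real Osmosis data). 1 OSMO = 1_000_000 uosmo.
pub fn sample_events() -> Vec<IbcEvent> {
    vec![
        ev(100, Kind::Send, "channel-0", 1, "uosmo", 1_000_000),
        ev(101, Kind::Send, "channel-0", 1, "uosmo", 1_000_000),          // replayed sequence
        ev(102, Kind::Timeout, "channel-0", 9, "uosmo", 0),                // never sent
        ev(103, Kind::Send, "channel-999", 1, "uosmo", 1_000_000),        // unlisted channel
        ev(104, Kind::Send, "channel-0", 2, "uosmo", 5_000_000_000_000),  // 5M OSMO, over limit
        ev(105, Kind::Ack, "channel-0", 2, "uosmo", 5_000_000_000_000),   // clean ack
    ]
}

/// Engine with assumed operator config: allow channel-0 only, cap uosmo at 1M OSMO.
pub fn demo_engine() -> Engine {
    Engine { rules: vec![
        Box::new(DuplicateSend::default()),
        Box::new(OrphanCompletion::default()),
        Box::new(UnknownChannel { allowed: HashSet::from(["channel-0".to_string()]) }),
        Box::new(LargeTransfer { limits: HashMap::from([("uosmo".to_string(), 1_000_000_000_000u128)]) }),
    ] }
}

pub fn demo_alerts() -> Vec<Alert> { demo_engine().run(&sample_events()) }

fn main() {
    for a in demo_alerts() { println!("h={} [{}] {}: {}", a.height, a.severity, a.rule, a.detail); }
}
```

The `check(&mut self, &IbcEvent) -> Option<Alert>` shape is the whole contract a Python-authored rule would have to satisfy through the `pyo3` shim, and it is what the historical-replay unit tests exercise: a replay harness is just a recorded `Vec<IbcEvent>` plus the alerts expected from it.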
Phase 3 — Dashboard + case studies (weeks 6-7)
- Grafana dashboard JSON definition + sample Prometheus scrape config.
- `osmosis-ibc-anomaly-case-studies` repo with ≥10 historical anomalies. Per anomaly: context + detection rule + replay harness.
- Deliverable: dashboard URL + case-studies repo + public Loom recording walking through the dashboard.
Phase 4 — Launch + 12-month maintenance (week 8 + perpetual)
- Launch post on Osmosis Forum + Cosmos discord + Twitter/X with full attribution.
- Quarterly 1-week maintenance cycles for 12 months at no additional cost (new rule ingestion, Osmosis chain-ID updates, dependency bumps).
- Public 2-hour workshop in an Osmosis community call.
Acceptance criteria
- Tranche 1 (40%, $4,800 OSMO-equivalent) at end of Phase 2.
- Tranche 2 (40%, $4,800) at end of Phase 3.
- Tranche 3 (20%, $2,400) at end of Phase 4.
Each tranche gated on (a) public GitHub repo, (b) tests passing in CI, (c) review by any Osmosis core / grants committee member.
Budget
| Line | Amount | Notes |
|---|---|---|
| Research + implementation time (320h @ $30/h) | $9,600 | 40h/week × 8 weeks |
| Cloud infrastructure (dashboard + RPC) | $600 | modest; ~$75/mo for 8 months |
| External peer review | $1,200 | 2 reviewers × $600 (nominated by Osmosis grants committee) |
| Open-source bug-bounty pool | $600 | 6 × $100 for community-reported rule/pipeline bugs |
| Total | $12,000 | paid in three tranches (40% / 40% / 20%) |
Unspent bug-bounty funds return to the Osmosis grants treasury at month 12.
Why kaelrune0
- Pseudonymous Web3 security researcher, Code4rena warden `kaelrune0` (active as of 2026-04-22).
- Legion sealed-bid audit finding drafted and validated by a 3-LLM independent review panel (technical correctness confirmed). Finding to be submitted via Code4rena warden path in the near future.
- Background in cryptographic primitives (ECIES, Merkle, ECDSA) and smart-contract audit methodology (EVM + Cosmos SDK).
- Committed to open-source licensing and full Osmosis attribution. No exclusivity ask.
Risks + mitigations
- Pseudonymous identity: mitigated by deliverable-gated payment, public reviewability, and open-source verifiability at every tranche.
- Rule-catalog staleness: mitigated by the 12-month maintenance commitment + community contribution norms.
- Infrastructure cost overruns: capped at $600 by grant line; if real cost exceeds, I’ll absorb or use a cheaper hosting tier.
Timeline
- 2026-04-22 submitted
- 2026-05-01 kickoff (if approved)
- 2026-06-05 Phase 2 complete
- 2026-06-26 Phase 3 complete
- 2026-07-03 Launch
Communication
- Primary: Code4rena warden profile + email.
- Secondary: Dework thread messages + monthly summary on Osmosis Forum.
- Weekly commits as status updates.
Submitted to Osmosis Grants Program. Open-source: MIT for code, CC-BY-SA-4.0 for docs.