Idea: NexusMutual Audit Council

In my opinion there is a missing feature in NexusMutual which has not really been on the radar yet.

Motivation
From my point of view most projects are interested in getting cover in order to become more trusted. Effectively they buy trust, which as a result is used for (indirect) marketing with respect to their potential users or investors.

These projects get audits from multiple other parties (e.g. trail of bits, open zeppelin, peck shield,…) in addition to purchase cover or introduce shield mining. And that’s the point where NexusMutual could bundle this “trust” package - especially for completely new or early stage projects.

Idea
What if we introduce the concept of an “audit council”, which would collaborate on performing or digesting audits, publishing results and so on? In the long term, participating in this audit council could be incentivized by e.g. nxm community rewards or small part of shield mining rewards whatever.

Benefits

1. The benefit for interested parties (i.e. shield mining) is they would also get a cutting edge audit analysis (good selling point to attract other projects)
2. The risk assessors can get a statement / recommendation from the “audit council”
3. The mutual would attract more projects and as a result more capital and increase participation.

Great idea. If I recall correctly I read somewhere that the Nexus team is trying to motivate audit teams that conduct the security audit for the protocol to also put their money where their mouth is and stake against the protocols that they audited and found secure.

While this helps with making staking a real risk indicator, still this does not help the community to find out whether this is actually the case or stakes have been bought by extra rewards or the project is just more well-known in the community and assumed to be more secure.

Thus, I agree that it would be extremely helpful to install an audit council, probably in a kind of standardised fashion, i.e. a assessment template and research checklist on how to conduct the audit.

This would make it easier for more people getting engaged and actually assess the projects they are staking against. All submissions from community auditors could be weighted to come up with a score for the project.

As you proposed the community auditors could be rewarded, but should be probably not too high, since for Stakers it should be reward enough to contribute to the common assessment. An open question to me would be how to ensure that the audit has a sufficient quality and members do not just submit any assessment in order to earn the reward.

I completely agree that the council should establish some sort of quality standards regarding methodology, tools and coverage.

Just to validate if there is demand for such an audit council and if the whole idea would attract multiple projects for shield mining, I would suggest to not having any rewards (besides the regular staking and shield mining rewards) in a first MVP stage.

In my opinion the very first step would be to coordinate all auditors in this mutual:

1. Approval of the NexusMutual team that this is something they are not against or would even support the idea (e.g. by bringing people together, put it on the roadmap etc.)
2. An “Audit Council” channel/category in NexusMutual discord
3. An “Audit Council” category in this forum

I had a related thought that the Community Fund could also issue grants to adhoc working groups (like your Audit Council) who write up a risk analysis on specific risks. Would contain smart contract audit type information where appropriate but also other risks, like required for Custody Cover. So it’s likely a combination of different skill sets.

Nexus members would benefit from more comprehensive analysis to inform staking decisions. We could provide links to the analysis on the appropriate staking pages.

Nexus members could decide on which projects to analyse themselves as they see market opportunity. But also, should allow newer projects to fund directly as you suggest.

Lots of overlap with your idea, so I’m generally very supportive.

Happy to set up channels/categories.

Sounds great and thanks for making it possible. I’m going to prepare a Github repo and some documents to get a “crowd” audit started regarding BadgerDAO.

By the way - I would not insist on the name “Audit Council”