Auditing Compound Protocol

Hey all,

Trail of Bits has a proposed solution in the works for the issue that Larry Sukernik described. We are aware that there’s an active vote on Open Zeppelin’s proposal. Please vote “no” on this governance proposal if you’d like to consider how Trail of Bits would provide these services before deciding on a vendor.

In advance of a finished proposal from us, I’d like to lay out why I think Trail of Bits could be the right choice for this job, a few key ways that our proposal will differ from Open Zeppelin, and why I think the performance fee may not provide the intended incentives.

Introducing Trail of Bits

Trail of Bits has worked extensively with Compound over nearly 1,000 hours of security review through four focused engagements covering their governance, core protocol, and internal security procedures. Many firms in DeFi, including MakerDAO, Balancer, Uniswap, and Rocketpool trust our expertise to help secure their code, and you can find many more in our Publications repository. We’ve succeeded in finding vulnerabilities in highly verified systems and providing the best solutions regardless of whether we invented them. We’re relentless about raising the baseline in the communities we work in, and have developed and made freely available some of the most-used security tools, reference guides, and security research in the industry.

Trail of Bits is differentiated from other firms by our diversity of experience and expertise. We work on securing software wherever the risks are high in the technology, defense, and finance industries and employ a wide-ranging team of experts in programming language theory, cryptography, cloud-native software, and low-level exploitation to do so. Roughly one-third of our firm works on fundamental research in their field through long-term contracts with DARPA on automated program analysis, zero-knowledge proofs, and software verification. Access to these competency areas improves our ability to consult with all of our clients, and particularly on blockchain systems.

Trail of Bits proposal preview

At our core, we’ll be proposing many of the same services as Open Zeppelin. Therefore, I’ll keep these sections brief by focusing on the key differences in our approach.

Security review of governance proposals

Trail of Bits believes this is the most important service provided by the proposal. We plan to review all governance proposals, including parameter changes, new token integrations, and more extensive code changes. For each proposal, we will fully describe any identified security issues, including scenarios for abusing the issue and specific recommendations to address it.

  • Reviewing the security of a proposal after voting has already begun is too late. We will begin reviewing new proposals after it becomes clear they are being seriously considered by users on the Compound Discourse.
  • Proposal authors will receive a one-on-one counseling session. We will host a video call with the author to understand their goals and provide immediate feedback. These video conversations will ensure information is effectively shared.
  • We will review and report any identified security issues. These issues will take the standard form of a description of the issue, a scenario for abusing it, and a recommendation for addressing it. We will work with proposal authors to validate any fixes that result from these reports.
  • We will contribute a “Security Considerations” section to every proposal. The absence of specific security issues does not ensure the safety of a proposal. We will contribute a standardized section to reviewed proposals that informs developers and users of limitations, risks, monitoring guidance, or other considerations.
  • We will help define security properties for the proposal. Human review is necessary but insufficient to provide for the security of DeFi systems. We will work with the authors to provide reasonable security invariants alongside the proposal.
  • We will provide our analysis directly to the community. Prior to a vote on any governance issue, we will host a public community call and walk attendees through any specific issues we discovered and the documented Security Considerations.

Community training and continuous improvement

Trail of Bits will develop scaffolding for proposal authors to write safer proposals and provide continuous training and guidance to improve the quality of proposals over time. In particular, our approach takes after the Security TAG process for improving the CNCF security baseline by engaging directly with developers.

  • We will iterate on public guidance for developing secure proposals. This will consist of a template repository with testing and verifications tools pre-configured for different proposal types, prompts to elicit a self-assessment of the proposal’s security by its authors, and a public walkthrough for navigating the security review process with Trail of Bits.
  • We will host bi-weekly workshop sessions or “office hours” with developers. These sessions will cover testing and verification tools, review previous DeFi incidents, and deeply investigate common areas of risk. As appropriate, these will be recorded and made available for community use.
  • We will publish a minimum-security checklist for new proposals. Specific to Compound, we will describe the minimum viable due diligence steps we believe are required to make a reasonable governance proposal. Like our Token Integration Checklist, this checklist will include specific, actionable steps that authors can complete on their own, before circulating a proposal.

Security intelligence

Trail of Bits takes an expansive, intelligence-driven view of security monitoring. On-chain monitoring is important; however, if you are finding issues at the time that transactions are being processed, then you are typically too late. Furthermore, on-chain monitoring tools have substantial limitations regarding the types of issues they can detect. Like human-only code review, on-chain monitoring is necessary but not sufficient to ensure safety in DeFi.

We will evaluate and recommend an on-chain monitoring vendor. We will evaluate on-chain monitoring vendors (including Forta), recommend the selection of one, and assist in configuring it appropriately. Furthermore, the code invariants developed through security review will be regularly provided to the owner of this system. The quality of your on-chain monitoring is directly dependent on the quality of your system’s specifications.

We will provide security intelligence and facilitate community engagement. We will facilitate community development of new attacks against Compound. Rather than wait to report a fully-developed attack to Compound, Trail of Bits will be available to co-investigate unproven potential vulnerabilities with reporters and prepare tailored remediations and fixes to Compound alongside their reports. With our earlier involvement, we will shorten the window of exposure for new attacks reported against Compound.

Pricing structure

Fees to Trail of Bits will be split into three discrete categories:

  1. Quarterly retainer. Trail of Bits will be paid the equivalent of $1 million USD in COMP every quarter for one year to provide the baseline services.
  2. Bounty awards. Trail of Bits will be eligible for bounty awards in cases where it co-investigates and co-reports issues to Compound, outside of the retainer fees.
  3. Performance fee. The motivations behind this fee are positive; however, the design, a binary all-or-nothing award with factors outside the auditor’s control, is not.

To be clear, we don’t have a perfectly designed performance fee incentive to propose at this time and desire additional time to work on this aspect of the proposal specifically. We’re eager to work with the community on a model that benefits everyone.

Finally, we are happy to cut the bounty co-investigation piece from this proposal and incorporate it into the Bug Bounty for Compound Proposals discussion. I included a discussion of it solely due to the mention of security monitoring by Open Zeppelin and because I see security intelligence as an inseparable part of security monitoring.

We’re very excited to hear your thoughts!
