Auditing Compound Protocol

@jared as we said on the community call this week, OpenZeppelin would be open and happy to work with other auditors where appropriate or desired by the DAO. We agree that the community will best benefit from a codified robust process that does not involve vendor lock-in, and we have tried to make that clear in our proposal. We are also open to working closely with firms like Certora if and when Formal Verification is required by the DAO. Overall we view partnerships and codified processes as critical to a layered security approach to ensure the security of the DAO and complementary to our continuous audit proposal.

Please find our revised proposal summary below:

OpenZeppelin’s Updated Proposal Summary

The Compound DAO’s long-term security requires a comprehensive and continuous set of audit and security solutions to prevent loss of funds and protect its reputation from risks to the Compound protocol, specifically those introduced by community-proposed upgrades.

OpenZeppelin will provide dedicated continuous audit services for all Compound governance proposals and will work with the Compound community to develop comprehensive security requirements and to implement best practice security monitoring.

OpenZeppelin's services will be coordinated by a dedicated Security Advisor who, along with the OpenZeppelin team, the Compound DAO and the community, will work to:

  1. Improve the overall process to ensure the security of community-proposed upgrades to the Compound Protocol
  2. Provide continuous audits and dedicated resources to respond rapidly to all community-proposed upgrades and changes
  3. Coordinate the creation of documented security checklists and requirements that can be shared with all proposal authors
  4. Implement an open security monitoring and security dashboard solution that will allow the community to validate security
  5. Integrate, support, and analyze other possible future important security program components such as formal verification, bug bounties, and white hat monitoring approved by the DAO.

The combined effort of the OpenZeppelin team, the Security Advisor, and the Compound community will thereby reduce potential security risks and further assure the DAO's trusted reputation.

OpenZeppelin has revised its original proposal to focus on community feedback and excludes performance fees. OpenZeppelin’s fee will be the equivalent of $1 million USD in COMP every quarter for one year, to provide these services. This fee covers all services defined in the proposal. Please see our full revised proposal here:

OZ Final Proposal

We believe that no other firm in the market can bring the same breadth and depth of offerings to the DAO. We provide best-in-class continuous auditing and security advisory services; established leadership in secure development and secure operations; and external relationships and partnerships at a cost to value no other firm can match.

Next Steps

Assuming a vote begins on Dec 6th and OpenZeppelin’s Governance Proposal is selected by Dec 13th, the Compound community can expect the following timeline:

  1. Proposal Security Process (starting on Dec 13th): the Security Advisor (SA) will immediately engage with the Compound community to create a well-defined process for auditing protocol changes prior to their being proposed. This will include a regular and agreed-upon set of KPIs and a communication plan to update the community on a regular basis, including but not limited to community calls.
  2. Comprehensive Compound Audit (starting in January): A team of dedicated OpenZeppelin security auditors, many of whom have worked with Compound smart contracts in prior audits, will perform a comprehensive review of the currently deployed smart contracts.
  3. Continuous Audits (starting in February): With the Proposal Security Process defined and a Comprehensive Audit complete, OpenZeppelin will be fully prepared to provide audits on all protocol change proposals. Note: We can begin auditing proposal changes earlier but given the lack of protocol changes currently pending, we expect February to be the ideal time to start.
  4. Security Requirements (starting in January): the SA and assigned members of the OpenZeppelin team will engage with Compound Labs and the Compound community to gather current security requirements and begin building comprehensive security requirements documentation and checklists.
  5. Security Monitoring (starting in January): the SA and assigned members of the OpenZeppelin team will begin bi-weekly community workshops to gather requirements and share progressive design and implementation plans on comprehensive security monitoring and building a security dashboard.

We would be honored to partner with the Compound DAO to not only deliver continuous auditing but to also work together to be leaders and innovators in how to securely and efficiently run an effective DAO security program!