This is Rex from DeFiSafety. As I indicated in an article I wrote about the Compound Proposal 62, I believe this latest proposal is trying to solve the wrong problem. What Compound (and other protocols) need is not more 3rd party review but rather more staff. The Proposal 62 needed a PM and an internal software and process quality staff more than a third party auditor.
Protocols need more on the internal team watching and reviewing tasks before they present the results to an external auditor or a DAO. Based on my analysis of 62, the dev was mostly on his own. He wrote the code, wrote the tests, ran the tests, put the code on the testnet and asked the community to review and test. I never saw any evidence of actual community review. Finally, an external auditor looked it over and the result went to the DAO. I did write to the dev to get his comments on the article, but I did not get a response.
There did not seem to be an internal quality person or a PM. There did not seem to be internal dev process that might have said dev can’t write his own tests.
I believe a large protocol like Compound should have at least one internal QA person, a PM and a written process.
Is there a reason I have missed why protocols do not build internal staff? Could the staff be a target of regulatory attacks? But if that was true, it would be true of the auditors too, especially if they take over tasks that would be internal in the corporate world.
Another weakness I see is a lack of internal process documents. An example of this is that latest bZx EOA failure. The dev should not have used his main computer to execute trades on a major protocol account (remember Hughs’s exploit?) and the account should have had a multi-sig. There should be a public process document where bZx says how things should be done. In the case of COMP 62, the process should not have allowed one dev to do the entire requirements/code/test process on his own.
Actually, that inspires me. DeFiSafety can write a process doc, get community content and allow individual DAO’s to vote the document into their process. Perhaps Compound community could contribute?
I am not against more auditor participation and have nothing but praise for all the auditors in the chain of messages. DeFiSafety is not bidding for any work. We do not do consulting to protocols. Our goal is revenue from DeFi users so when we rate protocols like yours we are not in any conflict of interest.
However, our team watches DeFi protocols every day and thinks about problems from a process quality perspective. Please take this as our comments from that perspective. We are always available for discussions.