I really like the idea of a top-tier audit firm entering into an ongoing agreement to audit the protocol. As @sukernik stated, historically, the burden of getting an audit has typically been on the contributor rather than the protocol. Establishing a structured process for making protocol changes and an additional review step by OZ will be valuable.
In my mind, one of the critical roles of governance is to ensure the protocol grows and, in doing so, balances security with innovation.
OZ’s proposal at a high level seems to be robust yet flexible to the protocol’s needs. Everyone is on the same page as to the goal of attaining an auditor. So let’s skip to the elephant in the room: 1-year engagement, $4m base + another $4m assuming the protocol doesn’t experience a “Major security event.”
For $8m, Compound gets OZ, a team who is considered the best in the industry, who has audited the protocol extensively, a dedicated OZ advisor (they call them a Protocol Security Officer), tailored training resources, four workshops to educate the community on Compound’s security, a six-session training course (a course that could be used for onboarding full-time community members), all parameter changes and protocol changes thoroughly audited, and a threat detection system.
The services and resources provided here seem quite valuable, but when asked to put a number on it, $8m looks relatively high.
To date, there have been 67 governance proposals, of which 39 occurred in the last year. If I am generous in counting, 15 of the 39 had protocol changes. That would put each of these at just over $500k each. Even if we were to say the protocol will make 25 code changes over the next year, that would average $320k. Let’s also keep in mind many of these changes are pretty small in scope. I only expect 2-5 significant changes in a year.
30: Contributor Grants
32: Dai liquidations pt1
33: Remove automatic COMP claims and COMP speed refresh
34: DAI DSR
37: Sweep function
42: Migration to Gov Bravo
47: Oracle Improvement
49: Upgrade ctokens
50: Comptroller upgrade
59: Dai liquidations pt2
60: Address Whitelist for Governance
62-65: Split COMP rewards
I know it is a relatively new concept that DAOs hire service providers and that OZ is the best, but $8m seems very high. Not to mention a performance fee based on their ability to secure the protocol is laughable. If Compound experiences a “Major Security Event” and OZ (or any auditor) checked the code, they should not expect to get paid further.
@OZSecure Let’s get some clarity on the pricing. A couple of weeks back, I did some back-of-the-envelope math and came up with a $3-$5m range (which I thought was already really generous).