Auditing Compound Protocol

It’s great to see this proposal from OpenZeppelin, who has generally been a great partner to Compound Labs over the last few years. The scope of the proposal is quite large however, and includes services which Compound Labs has never used before, and therefore cannot attest to the value of. Audits have never been a silver bullet, and never will be, so personally I think it’s important to think about and balance all of the quality assurance resources we have available. This should probably include things like formal verification and investment into the tools developers actually use to build and test the protocol themselves.

While the price tag seems extremely high, I would like to clarify what exactly would be covered by the continuous security audits. Would this include all new contracts developed by the community and adopted by governance?

Logistically speaking, when can a proposal be submitted for audit? If we are truly just monitoring proposals that have been made on-chain, that seems not nearly enough time for an audit and a response to the audit. In that case, what would the actual process of scheduling an audit look like? What sort of lead times should the community expect?

I think it’s important we understand the answers to these questions in order to understand the offering. Thanks to everyone on this thread!

5 Likes