I’m the security guy for OUSD. Currently we are the #8 holder of cUSDT and the #10 holder of cUSDC, and growing rapidly - yesterday 29 million stables were deposited into OUSD. I don’t want something happening to that money. My goal here is that Compound not lose a pile of money suddenly.
The Compound codebase needs a first tier audit. It is madness to continue the current ad-hoc deployment of new code changes. This is one of the biggest protocols in Defi. It is vital that each code change pass a serious code review.
As far as I can tell, everyone here is in agreement on the need for an audit, and the need for code change reviews.
Beyond that, Compound’s single collateral pool design means that a security failure of any listed coin could empty all the liquidity of all Compound lending pools. Both coins that destroyed CREAM, and the coin that could have destroyed AAVE, would have wrecked Compound had they been listed here. Compound governance’s strong bias for not listing coins has probably saved the protocol.
A listed coin is a much a part of the security of Compound as the Compound codebase itself. Listing a new coin requires a high bar of security and economic analysis. It’s an integral part of the security of Compound.
Individuals making code contributions can’t be expected to negotiate, schedule, and pre-fund an audit of their own code that then may or may not even be approved for payment. Even for good teams with existing auditor relationships, it is difficult to quickly get an auditor lined up to review code changes. If we want Compound to have any development velocity, there needs to be a friction free way of getting excellent code reviews on all changes that is not up to the individual contributor. Both of these proposals provide that, and this is good.
This capability is not cheap no matter how it is done, and that is okay.
One long term alternative is for Compound to build out their own internal security team to handle the majority of the security work.
The proposals from OZ, Trail of Bits, and Certora all assume that Compound has an internal development/security team. This isn’t the case as far as I can tell from forum lurking. Compound development currently seems to be individuals making ad-hoc proposals, and no one really checking them, outside sometimes getting a random external audit.
Four million dollars, even in this market, does buy a substantial amount of developer/security time. The ideal mix of internal and and external from both a cost and security perspective probably isn’t being 100% external.
But while the long term solution may be different, it is urgent to put Compound on a better security footing. I’d run a version of one of these proposals for a year and use that time to plan and build out the longer term solution.
It would be good for external security proposals to reflect the current Compound security staffing, rather than that of a typical project.
I am strongly against any form of “performance fee”. That seems like it would reward gaming the system, more than just doing the job and getting paid / earning the reputation. I think performance fees have has strong downsides. It’s a distraction for everyone involved. The auditors don’t want to be the ones that signed off on the code change that got one of the largest defi projects hacked. That’s enough.
Unless someone has an epic, genius idea, let’s just nix anything to do with performance bonuses.
If an auditor is willing to do so, denominating the payment amount in COMP would be an alignment that would be good, and easy to do. If not, I understand.
I don’t have any friendships with anyone at either OZ or Trail of Bits. I’ve had audits by both. Both were professional, competent, and reasonably through.
I preferred the OZ experience, but I know other people who have preferred working with Trail of Bits. I’m assuming your experience and strength of audit is based on which individuals are assigned to your audit team.
In either case, either company is first tier and capable of providing a good team.
The two proposals are currently at the same price. Of the two current proposals, the OZ proposal offers more, and I lean that way.
Both proposals would make a marked security improvement over the current situation. In my opinion, given the funds in Compound, both bring more value than they cost.
Both the OZ proposal and the Trail of Bits are obviously overpriced, and also contain low value filler to pad the dollar value of the proposal.
Because these proposals are currently overpriced there’s a lot of weird dynamics going on in this thread from both parties, as they try to get the cash cow, while not getting into a bidding war and driving the price down.
How to properly negotiate in this open forum is beyond the scope of what I’m willing to think about on my Thanksgiving day off.
Compound needs an audit, needs a system for auditing future changes, and needs it now. We should have a deadline, and go for it.