Auditing Compound Protocol

We have three great proposals from three reputable firms - thank you all for posting proposals! Thank you @sukernik for organizing this - the $75K COMP grant seems fair.

Right now I’m leaning towards OpenZeppelin as my top choice. The revised proposal seems like a great value not only for Compound but for the whole ecosystem! OpenZeppelin’s Ethernaut was a tool I used to learn about smart contract exploits and how to avoid them. I can’t wait to see how the new Audit Suite will further improve smart contract security.

6 Likes

While the ChainSecurity proposal is interesting, I don’t think it meets the short term needs, so I’ve ruled it out for now.

I’ve evaluated the two proposals from Trail of Bits and from Open Zeppelin. Both are overpriced considering market rates, but both provide more value to Compound than they cost. I would be happy with either.

Focusing on the differences, rather than the similarities.

Trail of Bits

Pros:

  • Echidna customization/rules. Echidna is a good tool to have in the security toolbox. As a fuzzer it is worse at finding tiny errors than formal verification, but is much easier to use and reason about, making it overall better at finding big stupid hidden things you have done that have snuck past your unit tests because you didn’t think of them…
  • External integration guide for safely integrating Compound. While Compound is not downright evil to safely integrate with (unlike Curve), it would be good to have clear guidance for others here. It would be good for both the safety of the protocol, and for a potential increase in future usage.

Cons:

  • ToB’s proposal is focused on building Compound’s ability to self-audit and self-manage security. While this is a good goal for most teams, the Compound protocol currently has neither a core developer group, nor its own in-house security group. Instead outside individuals code and make proposals, and may or may not be around to work with the later proposals of others. I think that in the current state of Compound, this focus is misplaced. (If I thought Compound would be realistically building out a team in the next few months, this con would become a pro.)

Open Zeppelin

Pros:

  • Not just auditing changes, but monitoring changes through the rest of their lifecycle, including deploys, on-chain configuration, and beyond.
  • Upstream monitoring. Compound’s security depends on the oracles behind it and the security of the tokens it lists, some of which can be upgraded. It would be vital to know when changes are happening to upstream tokens.
  • In general, the OZ proposal focuses more on OZ doing the work, rather than bringing a non-existent Compound team up to speed. I think this is more of what is needed at the current time.

I lean towards OZ.

5 Likes
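As an added illustration of the kind of Echidna property the post above has in mind (a fuzzer catching an invariant break that unit tests miss), here is a constructed example. It is not Compound's code, nor Trail of Bits' or OpenZeppelin's; the `ToyLedger` contract and its invariant are hypothetical and exist only to show the harness shape.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed toy ledger (hypothetical, not Compound's protocol code).
// It tracks per-account balances and a running totalSupply. The property
// a defender wants continuously checked is: sum(balances) == totalSupply.
contract ToyLedger {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Bookkeeping so the invariant can be recomputed over every holder.
    address[] internal holders;
    mapping(address => bool) internal seen;

    function _track(address a) internal {
        if (!seen[a]) {
            seen[a] = true;
            holders.push(a);
        }
    }

    function mint(address to, uint256 amount) external {
        _track(to);
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    function burn(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        balanceOf[msg.sender] -= amount;
        // If this line were forgotten, no single unit test on balanceOf
        // would fail, but the echidna_ property below would be falsified
        // by a short mint-then-burn sequence.
        totalSupply -= amount;
    }

    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient");
        _track(to);
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }

    function sumOfBalances() public view returns (uint256 s) {
        for (uint256 i = 0; i < holders.length; i++) {
            s += balanceOf[holders[i]];
        }
    }
}

// Echidna harness. Echidna deploys this contract, calls its public
// functions in random sequences from a small set of sender addresses, and
// after each call evaluates every `echidna_*` view that returns bool.
// A property returning false is reported together with the shrunken call
// sequence that reaches it.
contract ToyLedgerEchidna is ToyLedger {
    function echidna_balances_match_supply() public view returns (bool) {
        return sumOfBalances() == totalSupply;
    }
}
```

Run it with `echidna` pointed at this file and the `ToyLedgerEchidna` contract. The design point is that the property is stated once over all reachable state, rather than per test case, which is exactly what lets a fuzzer surface a missed update that a hand-written test never thought to exercise.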

Quick update.

OpenZeppelin, Trail of Bits, and ChainSecurity have posted their proposals:

I encourage everyone to review the proposals in depth in order to make an educated vote.

Best of luck to all of the vendors!

8 Likes

At Gauntlet, we are excited to see these proposals and believe that auditing is a valuable and necessary service for the Compound protocol. We are abstaining from this vote as it is difficult to weigh in from a quantitative perspective, which is what Gauntlet always strives for in its decision-making process. We look forward to working together with whichever provider the Compound community ends up deciding on, and are excited to collaborate on value-add proposals such as risk parameter recommendations and listing new assets.

1 Like

Congratulations on a successful governance proposal @OZSecure!

As a first order of business, who will be our Security Advisor, and how might we contact them regarding scheduling upcoming audits?

7 Likes

Hi @jared

My name is Michael Lewellen. I’ll be the Security Advisor for you all on behalf of @OZSecure.

Based on the Next Steps outlined in our proposal, our first goal will be to define a security process that proposal authors can follow leading up to an audit and submission to the DAO for a vote. This will start with engagement in the next community call and one-on-ones with key community members. After collecting feedback from everyone, we’ll then propose a process that will go through refinements with the community before being finalized.

While we work on defining this process, I’ll share a draft version that I’ve been working on based on our usual audit process in a separate forum thread as I believe it deserves its own dedicated discussion.

I’d love to start talking to key members of the community including yourself although it might be slow going over the next week due to holiday plans. I expect that we’ll really ramp things up by Jan 3rd to start preparing for a comprehensive audit of the Compound Protocol.

Anyone that has protocol changes planned in the near future or would like to share feedback can contact me at the following:

I’m really looking forward to working with you and the rest of the Compound community!

7 Likes

Quick and final update on the process:

  • OpenZeppelin’s proposal won, receiving 1.4M votes. Going forward, OpenZeppelin will provide audit services to Compound protocol and its community. If you’re a community member who needs audit work done, I strongly encourage you to reach out to @cylon.
  • OpenZeppelin’s proposal is currently in a queue to be executed on-chain. Once that occurs, OpenZeppelin will receive COMP on a block-by-block basis.
  • In return for starting and facilitating the audit vendor selection process, Reverie will receive $75k COMP from the grants multisig.

Finally, I’d like to thank @dguido (Trail of Bits) and @Emilie_ChainSecurity (ChainSecurity) for participating in the process. I thought all the proposals were top-notch; Compound is lucky to have such great firms bid for the work!

12 Likes

@OZSecure what was the number used for blocks per year on your calculations?

I want to ensure that we keep the payment as expected in case we migrate over to Sablier as discussed below.

2 Likes

Hi @arr00, 6350 blocks / day

Source:

https://www.etherchain.org/charts/blocksPerDay

Price: 265 COMP/USD

Please let me know if you need anything else!

2 Likes

Nice information, thanks for sharing such valuable information.