ChainSecurity, Certora and zeroShadow Updates

Hello everyone,

We’ll use this thread to provide updates on all our work.

Updates for Aug 25 - Sep 20

Here’s a report of what the SSPs have been working on in the past month. The update covers the period Aug. 25th to Sept. 20th.

Past work

Onboarding Completion

On September 8th, the onboarding process/knowledge transfer was completed. We’d like to thank OpenZeppelin for their support in this process.

Proposals

We ensured the security of all the following proposals that were executed or are pending:

472
474
475
476
478

For some of the proposals we notified the proposers of misconfiguration issues, which were fixed.

Security Reviews

In collaboration with OpenZeppelin, we reviewed the Compensator contract. The goal of the project is to provide a reward system for the delegators to encourage governance participation. The review aimed to onboard the team to the Compound ecosystem and its underlying assumptions. We were able to identify an important number of issues which deemed the project not ready for deployment.

Architectural Recommendations

We have worked together with Woof! to provide architectural recommendations on upcoming features.

Pause of Compound V1

On August 29th, Compound V1 was paused. No funds are at risk, and no other system (V2 and V3) is affected. We’re closely working with the Foundation to determine the best way forward.

Monitoring

zeroShadow completed the deployment of their monitoring stack and alert system. This will let us quickly detect abnormalities in the operation of the protocol.

Community Multisig

Certora and ChainSecurity were added to the Community Multisig signers.

Future work

In the next month, the plan is to review the Bytecode Repository by Woof!, a cross-chain smart contract bytecode repository system that enables secure, versioned, and audited contract deployment across multiple networks using Chainlink CCIP. We’re very excited about this module as it will improve the process of secure smart contract deployment.

We will also be auditing the new features being developed by Woof! and continuing to review all governance proposals.

We’d like to thank the community members who reached out to us with their recommendations on how to better communicate our work.

Your input is always welcome!

Email: ioannis.sachinoglou@chainsecurity.com
Telegram: @IoannisSachinoglou_ChainSecurity


Proposal Updates Oct 1st

After receiving feedback from the community, we’ll try to update this thread more often with our assessment of pending proposals.

Since our last update, we have reviewed the following proposals:

479
480
481: This proposal fixes a minor issue we uncovered in proposal 475. However, as the problem was minor (see proposal description), we agreed to continue with the execution of the proposal and simply push a fix later.
482

Ongoing Security Reviews

We also have an ongoing audit of the Bytecode Repository.


Proposal Updates Oct 7th

483: canceled due to a wrong parameter encoding that would make the proposal revert. More details can be found here.


Proposal Updates Oct 8th

The following proposals have been reviewed and no issues were found:

484
485


Proposal Updates Oct 10th

486: The proposal has been reviewed and no issues were found.

Proposal Updates Oct 11th

486: was cancelled to be replaced by 487.
487: increases the transferred COMP amount of 486 to 4507 COMP.


Proposal Updates Oct 15th

488: The proposal has been reviewed and no issues were found.

Compound Proposal Decoder

To help the community better understand governance proposals, we open-sourced one of the tools we built to review them. You can read more about it here or check the repo.


Proposal Updates Oct 23rd

489: The proposal was reviewed last week and no issues were found.
490: The proposal has been reviewed and no issues were found.


Proposal Updates Oct 31st

491: The proposal has been reviewed and no issues were found.


Proposal Updates Nov 9th

The following proposals have been reviewed and no issues were found:

492
493
494

USDC, USDT, USDS Comets Pause

Last week, withdrawals and borrows from the USDC, USDT and USDS comets were paused. The SSPs reviewed every action taken to ensure the security of the system.


Proposal Updates Nov 11th

The following proposals have been reviewed, and no issues were found:

495
496
497
498


Proposal Updates Nov 20th

495: was cancelled due to a small typo in the description of the osETH/ETH CAPO price feed.

The following proposals have been reviewed and no issues were found:

499
500
501
502
503

Proposal Updates Nov 24th

504: The proposal has been reviewed and no issues were found.


Proposal Updates Nov 28th

The following proposals have been reviewed, and no issues were found:

505
506
507
508
509: This one corrects the typo found in proposal 495.


Proposal Updates Dec 2nd

The following proposals have been reviewed, and no issues were found:

510
511
512: This repeats proposal 489.

Proposals 506 and 507 have been cancelled as some parameters require revision after discussion.

Proposal Updates Dec 4th

The following proposals have been reviewed, and no issues were found:

513
514
515


Proposal Updates Dec 10th

Proposal 517 has been reviewed, and no issues were found.


Proposal Updates Dec 16th

Proposal 518 has been reviewed, and no issues were found. Note that Tally wrongly indicated that the proposal would fail. The issue has been resolved.


Then why is Proposal 518 not executing?

Hello everyone!

Here’s a small update on our work since our last update.

Proposal Updates

We detected some misconfigurations for proposals 518 and 519 and we had to cancel them. In particular:

518 could not be executed due to the new Fusaka hardfork that was recently introduced and limits the gas consumption per transaction. The tooling we relied on was not updated, so it took us longer to identify the issue. The Tally warning mentioned in my previous message was unrelated. The proposal will be split into smaller chunks (see 520) so it can be executed. This should address @FairAndSquare’s question.

519 was cancelled due to a misconfiguration in the payload and was replaced by 521.

We’re working internally to prevent such proposals in the future.

520 and 521 were reviewed with our updated tooling and were successfully executed.

Discord Security

We improved Discord’s security by introducing a CAPTCHA bot for new users. The changes are already in place. Feel free to reach out with your feedback. You can read more details here.

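Editor's added example, not code from the SSPs, the Compound Proposal Decoder, or the Compound repositories. Two of the cancellations above were caused by mechanical mistakes that a pre-flight script can catch before a proposal is submitted: proposal 483 had a wrong parameter encoding that would make it revert, and proposal 518 no longer fit under the per-transaction gas cap that Fusaka introduced (EIP-7825, 2**24 gas), so it had to be split into smaller proposals. The script below assumes Compound's Timelock convention (calldata is selector(signature) ++ data when a signature is given, and data verbatim when the signature is empty) and Governor Bravo's limit of 10 actions per proposal; the function names, addresses and gas figures in SAMPLE are constructed sample values, not real proposal data.

```python
"""Pre-flight checks for Compound-style governance proposals (added example).

Catches (1) calldata whose length cannot match the declared signature, which
reverts on execution, and (2) a proposal whose estimated execution gas would
exceed the post-Fusaka per-transaction cap (EIP-7825), which must be split.
Assumptions: Timelock builds selector(signature) ++ data when a signature is
set; at most 10 actions per proposal; all sample data below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
import re

EIP7825_TX_GAS_CAP = 2**24        # 16,777,216 gas per transaction after Fusaka
PROPOSAL_MAX_OPERATIONS = 10      # Governor Bravo limit on actions per proposal
STATIC_TYPE_RE = re.compile(r"^(address|bool|u?int\d*|bytes([1-9]|[12]\d|3[0-2]))$")


@dataclass
class Action:
    target: str
    signature: str      # "" when calldata already carries the 4-byte selector
    calldata: bytes     # ABI-encoded parameters, or full calldata if signature == ""
    gas_estimate: int   # constructed dry-run figure for this action


def split_params(signature: str) -> list[str]:
    """Parameter types of a Solidity-style signature (no tuple support)."""
    m = re.fullmatch(r"\w+\((.*)\)", signature)
    if not m:
        raise ValueError(f"malformed signature: {signature!r}")
    inner = m.group(1)
    return [p.strip() for p in inner.split(",")] if inner else []


def check_encoding(action: Action) -> list[str]:
    """Return descriptions of calldata lengths that cannot match the signature."""
    problems = []
    n = len(action.calldata)
    if action.signature == "":
        if n < 4 or (n - 4) % 32:
            problems.append("empty signature but calldata is not selector + 32-byte words")
        return problems
    types = split_params(action.signature)
    if n % 32:
        problems.append(f"calldata length {n} is not a multiple of 32; "
                        "a selector was probably prepended although a signature is set")
    if all(STATIC_TYPE_RE.match(t) for t in types):
        if n != 32 * len(types):
            problems.append(f"{len(types)} static params need {32 * len(types)} bytes, got {n}")
    elif n < 32 * len(types):
        problems.append("calldata shorter than the head of its dynamic ABI encoding")
    return problems


def chunk_actions(actions: list[Action], cap: int = EIP7825_TX_GAS_CAP,
                  base_gas: int = 21_000, margin: float = 0.2) -> list[list[Action]]:
    """Greedily pack actions into proposals that execute within the gas cap.

    The margin absorbs estimation error; chunks also respect the action limit.
    An action that alone exceeds the budget can never execute and is rejected.
    """
    budget = int(cap * (1 - margin)) - base_gas
    chunks, current, used = [], [], 0
    for a in actions:
        if a.gas_estimate > budget:
            raise ValueError(f"{a.signature or a.target}: {a.gas_estimate} gas exceeds {budget}")
        if current and (used + a.gas_estimate > budget
                        or len(current) == PROPOSAL_MAX_OPERATIONS):
            chunks.append(current)
            current, used = [], 0
        current.append(a)
        used += a.gas_estimate
    if current:
        chunks.append(current)
    return chunks


def word(value: int) -> bytes:
    return value.to_bytes(32, "big")


# Constructed sample proposal. Action 0 has a selector prepended to its
# parameters although a signature is given, so the Timelock would prepend the
# selector a second time and the call would revert. The seven upgrade actions
# together overrun the post-Fusaka per-transaction budget and must be split.
SAMPLE = [
    Action("0x" + "11" * 20, "setParameter(uint256)",
           bytes.fromhex("deadbeef") + word(10**18), 60_000),
    Action("0x" + "22" * 20, "transfer(address,uint256)",
           bytes(12) + bytes.fromhex("33" * 20) + word(4507 * 10**18), 55_000),
] + [
    Action("0x" + f"{i:02x}" * 20, "deployAndUpgradeTo(address,address)",
           bytes(64), 2_900_000)
    for i in range(3, 10)
]


def preflight(actions: list[Action] = SAMPLE) -> dict:
    """Run both checks; returns flagged action indices and the chunk sizes."""
    issues = {i: check_encoding(a) for i, a in enumerate(actions)}
    return {"encoding_issues": {i: p for i, p in issues.items() if p},
            "chunks": [len(c) for c in chunk_actions(actions)]}
```

Running `preflight()` on the constructed sample flags action 0 twice (length not a multiple of 32, and 36 bytes where one static parameter needs 32) and packs the nine actions into two proposals of 6 and 3 actions. The 20% margin is deliberate: the cap is on the whole transaction, so the Governor's own `execute` overhead and any estimation drift must fit as well; tune it against a fork dry-run rather than trusting a single estimate.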