Cyfrin CodeHawks - Security Partnership

Partnership Proposal: Cyfrin CodeHawks Security Audit Contests for Compound

Summary

Cyfrin is a world-class security audit provider that has helped secure over $20B of DeFi TVL and worked with some of the biggest protocols and chains, including ZKSync, Chainlink, Linea, Swell, Ondo Finance, and Wormhole. In this proposal, we submit our candidacy to help maintain Compound Labs’ excellent security status through competitive audits on the Cyfrin CodeHawks platform.

Cyfrin CodeHawks offers competitive audits. These are a cost-effective, thorough, and industry-endorsed way to enhance protocol security. Unlike a traditional private audit, competitive audits offer a community-driven approach. Hundreds of security researchers review a codebase and compete to identify vulnerabilities, inefficiencies, and potential issues. Auditors who find vulnerabilities are rewarded through a prize pool established before the competition starts. By partnering with Compound Finance, we will build an active community of top auditors experienced in securing Compound Finance’s codebase.

Cyfrin CodeHawks

Competitive audits pull together the best security researchers worldwide to secure protocols and their users. Contestants are rewarded for finding the most unique vulnerabilities, encouraging more creative and in-depth analysis, and uncovering more vulnerabilities in less time.

With an average of 54% more submissions than its competitors and 15% more High/Medium severity vulnerabilities found, CodeHawks positions itself as the optimal destination for maximum engagement and best results.

In recent weeks, CodeHawks has hosted contests for Chainlink CCIP, Biconomy, and Sablier.

Our ecosystem of products allows us to direct hundreds of experts to our contests to provide thorough analysis and improve and secure protocols.

Cyfrin Ecosystem

Home to some of the best smart contract security researchers in the market and one of the strongest Developer Experience teams in the industry, Cyfrin professionals have backgrounds with Chainlink, Alchemy, Google, Apple, Meta and other industry-leading organisations.

In addition to providing world-class audits, Cyfrin contributes to Web3 security by providing security tooling and services to assist at every stage of development.

Alongside CodeHawks, our ecosystem includes:

  • Cyfrin: Our Security Researchers dedicate their time to meticulously analyze protocols, ensuring a comprehensive and detailed review.
  • Cyfrin Updraft: Our Developer Relations team educate 10,000+ users on smart contract development through step-by-step tutorials on our education platform.
  • Solodit: Our comprehensive security research platform aggregates security vulnerabilities, bounties, contests and resources from many blockchain security firms.
  • Aderyn: Our open-source static analyser for Solidity codebases helps protocols, engineers, and security researchers find weaknesses in their codebases by continuously scanning projects during development. It offers real-time feedback and vulnerability detection.

Private Audit Contests

Whilst building a suite of products for projects and security researchers to improve the security landscape, we have built relationships with many of the top auditors in the space. Private Audit Contests allow projects to leverage auditors in our community in a private setting.

For private contests, top auditors are invited to participate in an audit contest without publicising the codebase. These contests allow projects to work with auditors they trust, capturing a public contest’s competitiveness and crowdsourcing nature.

Motivation

According to the REKT Database, as of July 2024, total losses in the DeFi sector exceeded $80 billion. In 2022 alone, DeFi experienced hacks resulting in over $3.8 billion in losses. In 2023, although funds stolen decreased to $1.7 billion, the number of individual hacking incidents actually grew from 219 in 2022 to 231 in 2023.

This is a security problem, a best practices problem, and a branding problem—rightfully keeping institutions and users away from a world-changing technology. Failing to address this issue undermines the very efforts to bring Web3 mainstream.

Proposal

This section outlines the terms of an exclusive agreement between Cyfrin CodeHawks and Compound Labs for security services:

  • Start Date: 1st October 2024
  • Term: Q4 2024
  • Technical Account Manager: Yes
  • Fee Structure:
    • Prize Pool: We recommend at least US$35 per line of code for each contest, but this is at Compound Labs’ discretion. To be paid in USDC.
    • Hosting Fee: CodeHawks will receive an additional 10% of the prize pool to cover hosting fees.
  • Payment terms:
    • 100% of the Prize Pool and Hosting Fee at the signing of the agreement for each contest
  • Scope of Services:
    • Cyfrin CodeHawks Competitive Audits
  • Engagement Process:
    • Compound Labs will provide a codebase to Cyfrin CodeHawks and confirm the scope of the audit.
    • Cyfrin CodeHawks will market the contest on social media, and our CEO, Patrick Collins, or another member of the Developer Experience team, will host a code along to help drive auditors to the contest.
    • Solo auditors will examine the codebase for a pre-determined amount of time and submit any vulnerabilities found to Cyfrin CodeHawks.
    • Once the auditing period concludes, the community judging period will start, followed by the lead judging period. During this period, the Cyfrin CodeHawks team or appointed judges will review the submissions. This will validate the findings, rank them based on severity, and prepare for the appeals phase. The length of this period is primarily determined by the number of submissions received.
    • For 48 hours after the initial judging, auditors can raise concerns and appeals about the decisions made during the judging phase. This window allows the community to ensure transparency and fairness.
    • After addressing escalations, the final results are announced, and rewards are distributed to auditors based on the quality and significance of their findings. Payouts are distributed within 72 hours of the escalation period’s closure.
    • The Cyfrin CodeHawks team will compile and meticulously organize a list of all High, Medium and Low-severity findings for Compound Labs. This compilation will enable Compound Labs to effectively prioritize and address these critical vulnerabilities.
  • Timeline:
    • CodeHawks will advise Compound Labs on the length of each contest, but this is at Compound Labs’ discretion.
    • The judgement process is typically 2 weeks but depends on the number of submissions.

Next Steps

We’re excited about working with Compound Labs and look forward to hearing from the community!

The Compound protocol is community owned. I think that the target of the sale here needs a bit of course correction. I will assume that the proposal was intended to be for the protocol and community directly. For community proposals such as this, you’ll need to work directly with the Compound protocol’s community members and delegates, not solely with Compound Labs. That would also proceed with an onchain vote to initialize the program, like we’ve seen previously with OZ, Gauntlet, Questbook, AlphaGrowth, et al.

This post and proposal are a great start to improving the robustness of the Compound protocol. It is a step in the right direction to properly incentivize white hat security researchers to report potential bugs and exploits in a professional manner to minimize the risk of hacks and exploits.

Best of luck to you in your proposal and I think the community will appreciate seeing more involvement from professional security firms like Cyfrin to reduce the protocol’s and community’s security risks.

My questions are:

  1. What advantages are there to working with Cyfrin that add to the existing security services that OpenZeppelin already provides for the protocol?
  2. Why would a community member choose to vote for this proposal over the existing Immunefi proposal?

Sweet! I’ve been looking up codehawks a bit myself, seem really good and Patrick seems like a nice dude.


Thanks for the feedback, Adam!

At Cyfrin, we encourage protocols to adopt a multi-phased audit approach. Leading protocols and chains are adopting this strategy to enhance their security levels. This proposal is not to replace private audits but to support them with a second audit round welcoming white hat hackers to apply their varying expertise.

The difference between Immunefi’s Bug Bounty offering and our competitive audits is that we attract white-hat hackers to review the codebase before mainnet deployment, whilst bug bounties support protocols after deployment. Therefore, this proposal does not disrupt the proposals mentioned and instead enhances the process, aiming to build a more robust protocol.


Would you like to present in next week’s community call? It is at 9:30am PT in Discord on Wednesday September 4th.

Hi Adam,
Thank you for the response here, we are very excited to come on the community call.
Apologies for the delay, we were checking availability internally.
Would it be possible to join the call on Wednesday, September 11th? One of our key stakeholders who will be giving the presentation is out this week.
We look forward to hearing from you!

The call is biweekly so the next one after September 4th will be on September 18th.


Sounds great! September 18th.

Looking forward to it!

We’re going to cancel this call due to conflicts with Token2049. Next call will be October 2nd.

No problem. We look forward to chatting with you on October 2nd!