Partnership Proposal: Cyfrin CodeHawks Security Audit Contests for Compound
Summary
Cyfrin is a world-class security audit provider that has helped secure over $20B of DeFi TVL and worked with some of the biggest protocols and chains, including ZKSync, Chainlink, Linea, Swell, Ondo Finance, and Wormhole. In this proposal, we submit our candidacy to help maintain Compound Labs' excellent security status through competitive audits on the Cyfrin CodeHawks platform.
Cyfrin CodeHawks offers competitive audits. These are a cost-effective, thorough, and industry-endorsed way to enhance protocol security. Unlike a traditional private audit, competitive audits offer a community-driven approach. Hundreds of security researchers review a codebase and compete to identify vulnerabilities, inefficiencies, and potential issues. Auditors who find vulnerabilities are rewarded through a prize pool established before the competition starts. By partnering with Compound Finance, we will build an active community of top auditors experienced in securing Compound Finance’s codebase.
Cyfrin CodeHawks
Competitive audits pull together the best security researchers worldwide to secure protocols and their users. Contestants are rewarded for finding the most unique vulnerabilities, encouraging more creative and in-depth analysis, and uncovering more vulnerabilities in less time.
With an average of 54% more submissions than its competitors and 15% more High/Medium severity vulnerabilities found, CodeHawks positions itself as the optimal destination for maximum engagement and best results.
In recent weeks, CodeHawks has hosted contests for Chainlink CCIP, Biconomy, and Sablier.
Our ecosystem of products allows us to direct hundreds of experts to our contests to provide thorough analysis and improve and secure protocols.
Cyfrin Ecosystem
Home to some of the best smart contract security researchers in the market and one of the strongest Developer Experience teams in the industry, Cyfrin professionals have backgrounds with Chainlink, Alchemy, Google, Apple, Meta and other industry-leading organisations.
In addition to providing world-class audits, Cyfrin contributes to Web3 security by providing security tooling and services to assist at every stage of development.
Alongside CodeHawks, our ecosystem includes:
- Cyfrin: Our Security Researchers dedicate their time to meticulously analyze protocols, ensuring a comprehensive and detailed review.
- Cyfrin Updraft: Our Developer Relations team educates 10,000+ users on smart contract development through step-by-step tutorials on our education platform.
- Solodit: Our comprehensive security research platform aggregates security vulnerabilities, bounties, contests and resources from many blockchain security firms.
- Aderyn: Our open-source static analyser for Solidity codebases helps protocols, engineers, and security researchers find weaknesses in their codebases by continuously scanning projects during development. It offers real-time feedback and vulnerability detection.
Private Audit Contests
Whilst building a suite of products for projects and security researchers to improve the security landscape, we have built relationships with many of the top auditors in the space. Private Audit Contests allow projects to leverage auditors in our community in a private setting.
For private contests, top auditors are invited to participate in an audit contest without publicising the codebase. These contests allow projects to work with auditors they trust while retaining the competitiveness and crowdsourcing nature of a public contest.
Motivation
According to the REKT Database, as of July 2024, total losses in the DeFi sector exceeded $80 billion. In 2022 alone, DeFi experienced hacks resulting in over $3.8 billion in losses. In 2023, although funds stolen decreased to $1.7 billion, the number of individual hacking incidents actually grew from 219 in 2022 to 231 in 2023.
This is a security problem, a best practices problem, and a branding problem—rightfully keeping institutions and users away from a world-changing technology. Failing to address this issue undermines the very efforts to bring Web3 mainstream.
Proposal
This section outlines the terms of an exclusive agreement between Cyfrin CodeHawks and Compound Labs for security services:
- Start Date: 1st October 2024
- Term: Q4 2024
- Technical Account Manager: Yes
- Fee Structure:
  - Prize Pool: We recommend at least US$35 per line of code for each contest, but this is at Compound Labs' discretion. To be paid in USDC.
  - Hosting Fee: CodeHawks will receive an additional 10% of the prize pool to cover hosting fees.
- Payment terms:
  - 100% of the Prize Pool and Hosting Fee at the signing of the agreement for each contest
- Scope of Services:
  - Cyfrin CodeHawks Competitive Audits
- Engagement Process:
  - Compound Labs will provide a codebase to Cyfrin CodeHawks and confirm the scope of the audit.
  - Cyfrin CodeHawks will market the contest on social media, and our CEO, Patrick Collins, or another member of the Developer Experience team, will host a code-along to help drive auditors to the contest.
  - Solo auditors will examine the codebase for a pre-determined amount of time and submit any vulnerabilities found to Cyfrin CodeHawks.
  - Once the auditing period concludes, the community judging period will start, followed by the lead judging period. During this period, the Cyfrin CodeHawks team or appointed judges will review the submissions, validate the findings, rank them by severity, and prepare for the appeals phase. The length of this period is primarily determined by the number of submissions received.
  - For 48 hours after the initial judging, auditors can raise concerns and appeals about the decisions made during the judging phase. This window allows the community to ensure transparency and fairness.
  - After addressing escalations, the final results are announced, and rewards are distributed to auditors based on the quality and significance of their findings. Payouts are distributed within 72 hours of the escalation period's closure.
  - The Cyfrin CodeHawks team will compile and meticulously organize a list of all High-, Medium- and Low-severity findings for Compound Labs. This compilation will enable Compound Labs to effectively prioritize and address these vulnerabilities.
- Timeline:
  - CodeHawks will advise Compound Labs on the length of each contest, but this is at Compound Labs' discretion.
  - The judgement process is typically 2 weeks but depends on the number of submissions.
Next Steps
We’re excited about working with Compound Labs and look forward to hearing from the community!