I encourage the Compound community to adopt a more formal process for adding new collateral assets. Each new asset adds existential risk to the entire protocol, yet in some cases the governance discussion has omitted important security questions.
Before creating a governance proposal (like #56) to add new collateral, at a minimum we should answer the following questions about the asset:
- Who audited the collateral token contract? What security issues were raised in the collateral token’s audit reports? Are any of these relevant to its use as collateral in Compound?
- Can the collateral token contract be upgraded? Who is authorized to make an upgrade? Can an upgrade happen instantly or is there a time-lock delay? Under what scenarios could an unauthorized upgrade occur? How many people or organizations would need to be compromised?
- Does the collateral token contract have a fixed supply? If new tokens can be minted, are there any scenarios where tokens can be minted without proper authorization? (For example, centralized wrapped assets like WBTC and USDC may be vulnerable to insider collusion or external hackers.)
- Are there any large token holders? Who are they and what security procedures protect their accounts? If a single holder owns enough of the token to use it as collateral to borrow a significant fraction of Compound assets, then a hacker who steals these tokens may be able to “sell” them on Compound by supplying them as collateral and “borrowing” clean assets. The existence of this exit ramp may in itself increase the incentive to hack such large wallets.
- How much CEX and DEX liquidity exists for the collateral asset? This liquidity supports the liquidation process when the collateral asset is seized (and probably sold). Deep liquidity also defends against market price manipulation with the intent of triggering a cascading liquidation event.
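The exposure arguments in the last two questions (stolen tokens used as an "exit ramp", and DEX depth against a liquidation) can be made quantitative. This is an added screening script, not part of the original post or of Compound's code; the asset figures, the 10% exit-ramp limit and the 1.0x coverage floor are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class CandidateAsset:
    symbol: str
    price_usd: float
    collateral_factor: float        # fraction of collateral value that can be borrowed against it
    top_holder_balance: float       # tokens held by the single largest wallet
    dex_depth_usd: float            # USD that can be sold within a tolerable slippage band
    upgradeable: bool
    upgrade_timelock_hours: float   # 0 means an upgrade takes effect instantly
    fixed_supply: bool


def exit_ramp_capacity(asset: CandidateAsset, protocol_borrowable_usd: float) -> float:
    """Clean assets a thief of the top holder's wallet could borrow by supplying the
    stolen tokens as collateral, as a fraction of the protocol's borrowable liquidity."""
    borrowable = asset.top_holder_balance * asset.price_usd * asset.collateral_factor
    return borrowable / protocol_borrowable_usd


def liquidity_coverage(asset: CandidateAsset) -> float:
    """DEX depth divided by the USD value of the largest position. Below 1.0 the
    collateral seized from that position could not be sold inside the slippage band."""
    return asset.dex_depth_usd / (asset.top_holder_balance * asset.price_usd)


def screen(asset: CandidateAsset, protocol_borrowable_usd: float,
           exit_ramp_limit: float = 0.10, min_coverage: float = 1.0) -> list[str]:
    """Return the checklist questions this asset fails, with the numbers behind them."""
    findings = []
    if asset.upgradeable and asset.upgrade_timelock_hours == 0:
        findings.append("upgradeable with no timelock: a compromised admin can change "
                        "token logic before governance can react")
    if not asset.fixed_supply:
        findings.append("supply not fixed: confirm who can mint and how minting is authorized")
    ramp = exit_ramp_capacity(asset, protocol_borrowable_usd)
    if ramp > exit_ramp_limit:
        findings.append(f"top holder could borrow {ramp:.0%} of protocol liquidity "
                        f"against stolen tokens (limit {exit_ramp_limit:.0%})")
    cov = liquidity_coverage(asset)
    if cov < min_coverage:
        findings.append(f"DEX depth covers only {cov:.0%} of the largest position; "
                        f"a liquidation of that size may not clear")
    return findings


# Constructed sample asset and protocol size; no real token is described here.
SAMPLE = CandidateAsset("XYZ", 1.0, 0.75, 50_000_000, 20_000_000, True, 0, False)
PROTOCOL_BORROWABLE_USD = 200_000_000.0

if __name__ == "__main__":
    for finding in screen(SAMPLE, PROTOCOL_BORROWABLE_USD):
        print("-", finding)
```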
For reference, recent examples of collateral discussion: