FRAX Listing Proposal

Hi everyone, the OpenZeppelin team has been working on a security recommendation for how to handle asset listings that the community needs to consider before moving to list FRAX.

We’ve learned in our ongoing audit of the Compound protocol that the security risks for listing new assets are greater than most of the community might be aware of. We’ve also found that a prior Critical issue related to an asset listing already existed, and we’ve already worked with the Compound Multisig and the team behind the affected asset to ensure it is patched without incident. We’ll be releasing the complete Compound Audit Report and more details on the bug that was patched in the coming weeks.

Given what we’ve now learned, we believe that asset listing proposals such as this should receive more security attention going forward. We recommend that the community hold off on listing new assets for now as we work to put together a more detailed policy to ensure asset listings do not cause integration issues that could endanger the protocol. One option is to have OpenZeppelin audit each listing proposal, although we need to consider the impact this might have on our existing backlog of protocol changes and the priority to assign to each one.

I will follow up early next week with more detailed guidance on a path forward for the FRAX proposal. I understand that it may be frustrating to hold off on listing new assets right now, so I ask for your patience as we work to create security processes that will protect Compound while also minimizing proposal wait times as much as possible.

If any of you want to learn more or share thoughts on securing asset listings, please don’t hesitate to reach out to me.
