Hexens x Compound Collaboration Proposal
Summary
This proposal outlines a strategic partnership between Hexens Cyber Security and Compound Finance aimed at bolstering security through continuous audits, real-time security monitoring, a fully-managed bug bounty program via Hexens’s Remedy platform, and comprehensive and continuous code analysis using Glider, Hexens’s proprietary security query engine. The primary objective is to mitigate risks, safeguard funds, and ensure the integrity of the Compound protocol and all interconnected projects.
Background
Hexens has established itself as a leader in blockchain security, providing extensive audit services and innovative solutions for L1s, L2s, and DeFi protocols. As Compound Finance grows in scale and complexity, a more integrated and continuous approach to security is crucial. Hexens’s deep expertise in smart contract security, blockchain security, and DeFi ecosystems makes it an ideal partner for Compound Finance.
- Nearly 200 audits performed for market leaders in DeFi and Web3, such as Polygon, Eigen Layer, Lido, Layer Zero, Fuel, Socket, RISC Zero, TON, 1inch, Pancakeswap, and financial institutions like Nubank, among others.
- $80B+ in assets under protection.
- The Hexens team finds high or critical vulnerabilities in 90% of the security reviews it performs, including scopes that had already been assessed multiple times by other security teams.
- Hexens’s hiring approach for security auditing positions is unmatched: only one in 200 candidates for engineering positions is hired.
- Created the "Whitehat appreciation reward", a fund that pays 10K to any hunter who, in a bug bounty flow, finds a critical or high vulnerability in code previously assessed by Hexens.
Glider: Advanced Query Engine
Glider is Hexens’s advanced security tool that scans smart contracts for all known and recorded vulnerabilities, exposing hidden threats that could devastate Compound and its ecosystem. With its powerful Python-based queries, Glider uncovers potential exploits that could lead to catastrophic financial losses and irreparable damage to your reputation.
Glider is one of a kind: it treats any source code as data, precompiling billions of instructions across multiple EVM chains into CFG/DFG graphs, and returns the addresses of smart contracts whose logic matches a query.
Key features include:
- Deep Code Inspection: Glider is a framework that lets a researcher describe taint, variant, and data-flow analysis scenarios and code patterns, then matches them against a codebase of any size and complexity. Use cases are limitless; we are currently focused on security applications of the technology.
- Automated Analysis: Driven by the best community of security researchers, Glider efficiently scans large codebases to identify known issues and suggest improvements, streamlining the development and compliance processes. Unlike other tools, it can scale its queries from a single smart contract up to the whole Ethereum ecosystem, and beyond.
- Integration with Audits: Enhances Hexens’s continuous audit process for thorough and precise security assessments.
- Continuous Growth: Glider’s knowledge base evolves continuously, and every stored query is run continuously to ensure that the protocol is not exposed to any previously known attack surface, vector, or risk.
For more details, visit Glider Documentation.
Remedy: 360 Security Platform
Remedy, Hexens’s 360-degree security platform, supports a managed bug bounty program to identify and address vulnerabilities. Key aspects include:
- Bug Bounty Program: Encourages ethical hackers to report vulnerabilities in the Compound protocol.
- Improved transparency using ZK: Remedy gives programs a trustless mechanism to prove that a report is a duplicate, using ZK circuits and a commit/reveal scheme. Moreover, every change in a program is logged and acts as a versioning mechanism, improving the transparency of the bug-reporting process.
- Managed Triage Services: Verifies reported issues, assesses severity, and coordinates remediation, ensuring timely and effective responses.
- Security, Compounded: All the described services are free for Compound and its interconnected projects for the length of the partnership.
- One Day Protection: In the coming months, Remedy will evolve into a next-gen platform, notifying programs when they are exposed to any of the novel hacks taking place in the Ethereum ecosystem. For free.
For more details, visit Remedy Platform.
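To make the commit/reveal mechanism described above concrete, here is an added example that is not Remedy's code and does not use its API: a hunter commits to a report before the program sees it, the commitment lands in an append-only hash-chained log (standing in for an on-chain record), and when a later submission claims the same finding, the program reveals the earlier preimage so anyone can check that it matches the logged commitment, was logged first, and describes the same finding. Plain hash commitments stand in for the ZK circuits the page mentions; the report schema, the `fingerprint` rule, and all sample reports are constructed assumptions.

```python
"""Commit/reveal for bug-bounty report deduplication (illustrative, constructed).

Plain SHA-256 commitments are used here in place of ZK circuits; every name,
schema and sample value below is an assumption for the example, not Remedy's API.
"""
import hashlib
import json
import secrets

DOMAIN = b"report-commit-v1"  # domain separation: commitments can't be confused with other hashes


def canonical(report: dict) -> bytes:
    """Deterministic encoding so the same report always hashes the same way."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def fingerprint(report: dict) -> str:
    """Identifies the finding (target, location, issue class) while ignoring the write-up text."""
    core = {k: report[k] for k in ("target", "location", "issue")}
    return hashlib.sha256(b"finding-v1" + canonical(core)).hexdigest()


def commit(report: dict, nonce: bytes) -> str:
    """Hiding and binding commitment to the full report: H(domain || nonce || report)."""
    return hashlib.sha256(DOMAIN + nonce + canonical(report)).hexdigest()


class AppendOnlyLog:
    """Hash-chained log: each entry binds the previous entry's hash, so edits are detectable.
    The same log records program changes, which gives the versioning the page describes."""

    def __init__(self):
        self.entries = []  # list of (kind, payload, entry_hash)

    def append(self, kind: str, payload: str) -> int:
        prev = self.entries[-1][2] if self.entries else "0" * 64
        h = hashlib.sha256((prev + kind + payload).encode()).hexdigest()
        self.entries.append((kind, payload, h))
        return len(self.entries) - 1

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for kind, payload, h in self.entries:
            if hashlib.sha256((prev + kind + payload).encode()).hexdigest() != h:
                return False
            prev = h
        return True


def submit(log: AppendOnlyLog, report: dict):
    """Hunter side: pick a fresh nonce, log only the commitment, keep report and nonce private."""
    nonce = secrets.token_bytes(16)
    return log.append("commit", commit(report, nonce)), nonce


def verify_duplicate_proof(log, earlier_idx, earlier_report, earlier_nonce,
                           later_idx, later_report) -> bool:
    """Verifier side (typically the later hunter, who knows their own report and log index).
    Accepts only if the chain is intact, the revealed preimage matches the earlier logged
    commitment, the earlier commitment precedes the later one, and both share a finding."""
    if not log.verify_chain():
        return False
    if not (0 <= earlier_idx < later_idx < len(log.entries)):
        return False
    kind, payload, _ = log.entries[earlier_idx]
    if kind != "commit" or payload != commit(earlier_report, earlier_nonce):
        return False
    return fingerprint(earlier_report) == fingerprint(later_report)


def demo() -> dict:
    """Runs the flow on constructed reports; target/location values are placeholders."""
    log = AppendOnlyLog()
    log.append("program-change", json.dumps({"version": 1, "scope": ["PLACEHOLDER.sol"]}, sort_keys=True))
    first = {"target": "0xPLACEHOLDER", "location": "PLACEHOLDER.sol:withdraw",
             "issue": "reentrancy", "description": "first hunter's write-up (constructed)"}
    second = {"target": "0xPLACEHOLDER", "location": "PLACEHOLDER.sol:withdraw",
              "issue": "reentrancy", "description": "second hunter's different write-up (constructed)"}
    other = {"target": "0xPLACEHOLDER", "location": "PLACEHOLDER.sol:deposit",
             "issue": "rounding", "description": "unrelated finding (constructed)"}
    i1, n1 = submit(log, first)
    i2, n2 = submit(log, second)
    i3, n3 = submit(log, other)
    return {
        "dup_proof_valid": verify_duplicate_proof(log, i1, first, n1, i2, second),
        "wrong_nonce_rejected": not verify_duplicate_proof(log, i1, first, b"\x00" * 16, i2, second),
        "different_finding_rejected": not verify_duplicate_proof(log, i1, first, n1, i3, other),
        "order_enforced": not verify_duplicate_proof(log, i2, second, n2, i1, first),
        "chain_intact": log.verify_chain(),
    }


if __name__ == "__main__":
    print(demo())
```

The two properties that matter are hiding (the logged commitment reveals nothing about the report until the program chooses to reveal it) and binding (the program cannot later substitute a different report for the one committed, because the nonce and content must reproduce the logged hash). The ZK variant the page refers to would let the program prove the fingerprint match without revealing the earlier report's content at all; this example reveals it, which is the simpler, non-ZK form of the same idea.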
Together with its products Glider and Remedy, Hexens offers a comprehensive and integrated approach to securing the Compound protocol, combining continuous audits, real-time monitoring, advanced code analysis, and a robust bug bounty program to significantly reduce security risks and enhance protocol integrity.
Proposal Scope
The following outlines the services and activities Hexens will provide to secure the Compound protocol:
Resource Allocation and Team Breakdown
- Committed resources: Hexens will commit 8+ security professionals, forming two teams that will work concurrently to safeguard the protocol.
- Multiple teams: two dedicated security teams (a minimum of 6+ researchers total).
- Team breakdown: At least one senior researcher, one junior security researcher, and one mid-level security researcher per team, plus a technical writer for published reports.
- Dedicated account management: provided by Hexens’ Engagement Management Lead and Hexens’ senior security staff.
Continuous Audits and Security Reports
- Continuous Audit Process: Hexens will implement an ongoing code assessment for all newly developed scopes. A dedicated team of security researchers will continuously review proposed changes, using both manual code review and a wide range of security tooling to identify vulnerabilities, thereby protecting user funds and maintaining protocol integrity.
- Audit Methodology: All Hexens audits consist of two teams of at least two senior researchers running in tandem. Parallelization doubles this amount. In addition to identifying vulnerabilities, we also comment on the quality of the code, logic, etc., and provide a detailed executive summary.
- Security Reports: Detailed reports will be provided for each proposal, outlining identified issues, potential vulnerabilities, and recommendations for improvement. These reports will be publicly disclosed with Compound's prior consent. Follow-up reports will confirm the implementation of recommended fixes.
- Transparency and Commitment: All security issues identified by Hexens’ engineers and by the wider community of security researchers through Remedy will be stored on-chain under ZK proof and partially disclosed to the community, demonstrating the traction, commitment, and robust security of the Compound protocol.
Embedded Security Team
- Role and Integration: Hexens will embed a security team within the Compound ecosystem (see Team Breakdown above) to manage continuous audit activities, deliver security reports, and conduct governance workshops. This team will collaborate closely with the Compound community to address security concerns proactively.
- Agile Delivery Timelines: The embedded team will follow agile methodologies to ensure timely delivery of audits, reports, and recommendations, adapting quickly to changes and new threats.
White Glove Service
- Personalized Support: Hexens will offer personalized support to the Compound community through one-on-one consultations, tailored security solutions, and hands-on assistance during critical periods. A dedicated account manager will ensure prompt and efficient service.
- Quick and Constant Communication: The Hexens team will maintain constant communication through multiple channels (Slack, Telegram, email, video calls), providing immediate assistance when needed. Regular updates will maintain transparency and build trust.
Real-time Monitoring and Glider Dashboard
- Glider Dashboard: A comprehensive Compound Security Dashboard will be created using Glider, integrating vulnerability monitoring data and providing real-time security insights. Customizable features will track the specific security metrics desired by the Compound contribution team, ensuring proactive security management.
- Transaction Monitoring: Hexens will use the best transaction and event monitoring solutions to provide real-time alerts and enhance post-deployment security.
- Automated Alerts: Automated alerts will be triggered when vulnerabilities are detected, ensuring quick response and mitigation.
Code Analysis with Glider
- Deep Code Inspection: Glider's engine will allow a detailed examination of smart contract code to identify vulnerable scenarios and patterns.
- Automated and Performance Analysis: Glider queries will run continuously, with the best performance imaginable, and scale to a codebase the size of a whole blockchain.
- Integration with Audits: Glider’s tools will be integrated into the audit process for more thorough and precise security audits.
- Comprehensive Reporting: Audit reports will include insights from Glider's analysis, providing a comprehensive overview of the smart contracts' security posture.
Developer Support and Training
- Training Modules: Training sessions and resources will be provided on using Glider’s tools, helping developers follow best practices for secure coding.
- Ongoing Support: Continuous support will be available to help the Compound development team integrate and use Glider’s solutions effectively.
Community Engagement and Education
- Workshops and Training: Regular workshops and training sessions will educate the Compound community on security best practices and on findings from the continuous audits.
- Documentation: Development best practices will be documented, along with security checklists and detailed guidelines for new proposals.
Incident and Emergency Response Advisory
- Recommendations and Plans: Recommendations will be provided for improving the Compound team’s ability to respond to security incidents. Incident response plans will be developed, including detection, containment, and recovery procedures.
- Emergency Drills: Periodic drills will test the incident response plans, identifying weaknesses and providing opportunities for improvement.
Collaboration with Other Security Providers
- Coordinated Efforts: Hexens will coordinate with other security providers and auditors elected by the Compound DAO, ensuring comprehensive coverage and avoiding duplication of effort.
- Knowledge Sharing: Joint workshops, webinars, and collaborative research projects will be organized to enhance the overall security posture.
Bug Bounty and Managed Triage Services
- R.xyz Bug Bounty Program: A bug bounty program will be launched to incentivize the discovery and reporting of vulnerabilities, encouraging security researchers and ethical hackers to identify potential issues.
- Managed Triage Services: Managed triage services will verify reported issues, assess their severity, and coordinate timely remediation.
Fee Structure
- Q3 2024: $800,000 payable in COMP, valued at the COMP price on the date the trial period is completed.
- Payment Terms: 50% at invoicing, 50% at completion.
- Trial Phase: One quarter.
Expectations and Timeline
- Duration: A one-quarter trial engagement to establish a foundation for continuous security and demonstrate the value of the partnership. At the conclusion of the trial phase, Hexens will propose extending the partnership to an annual basis.
- Communications: Timely responses (within 24 hours on work days), quarterly forum posts partially disclosing findings, and regular status updates.
- Deliverables: Regular audit reports, security monitoring enhancements, and the launch of the Security Dashboard by the end of the first quarter.
Conclusion
This proposal aims to strengthen Compound Finance’s security infrastructure through a strategic partnership with Hexens. By adopting continuous audits, unmatched security tools, real-time monitoring, and proactive advisory services, Compound can significantly reduce its security risks and enhance protocol integrity. Hexens’s expertise and resources will provide a comprehensive security solution to support the Compound protocol from the architecture design and development stage up to the production stage.
We look forward to the Compound community’s feedback and the opportunity to collaborate in securing the future of decentralized finance.
The community can refer to this proposal here.