Log4j and Compound Finance

Does Compound use Java / Java packages? Has dev reviewed the Log4j risk for Compound and/or patched it? Very serious security vulnerability.

A non-security-expert’s take; others feel free to amend or elaborate:

The protocol itself is only a set of smart contracts deployed on Ethereum mainnet; there are no Java dependencies there.

The broader ecosystem built around Compound includes many front-ends, APIs, node services, etc. that could in principle be vulnerable, but those would be outside of the purview of Compound governance and would need to be addressed by providers of services interfacing with Compound’s contracts. Crucially, an exploit at those layers cannot touch user funds unless said service has access to a user’s private key or seed phrase, which would be a separate security issue in its own right.

4 Likes