OpenZeppelin Security Partnership - 2022 Year in Review

Overview

In December 2021, the Compound DAO selected OpenZeppelin to be its security partner focused on providing security audits, advisory, and monitoring services. As we approach the end of 2022, we’d like to look back at the past year and highlight how our work has improved the protocol’s overall security stance.

Auditing

Our continuous auditing services have extended audit coverage to all Compound changes and have reduced the time it takes for governance proposal upgrades to be audited before submission. Highlights include:

  • Completed 12 audits in total, including comprehensive protocol audits of both Compound V2 and V3.
  • Audited protocol changes that were passed in 7 governance proposals.
  • Coordinated the resolution of an integration bug with TUSD that threatened an $88 million market and published a post-mortem.
  • Conducted a security review of the asset listing process and published a process for assessing the technical risk of adding new token markets.
  • Supported the community-led resolution of the cETH price incident and published a post-mortem that includes security recommendations to avoid future incidents.

Advisory

Our security advisory work has taken a leading role in coordinating protocol security initiatives, including identifying areas for security improvement and providing guidance on how security should be considered in community decision-making. Highlights include:

  • Coordinated the scheduling of audits and security support for the Compound community, with regular participation in biweekly community calls and forum updates.
  • Participated in discussions with the Pause Guardian Multisig members on incident response preparedness and strategy.
  • Signed up to be a Domain Allocator for Security Grants in the new Grant Proposal by Questbook (currently pending adoption).
  • Drafted and proposed a Compound Improvement Proposal (CIP) process to improve coordination of off-chain processes, including new security recommendations. Currently pending Snapshot approval.
  • Used OpenZeppelin Defender to automate the queuing and execution of governance proposals, improving UX and reducing the wait time for passing proposals.

Monitoring

Our security monitoring solution provides greater visibility into, and alerting on, protocol activity, governance and potential security issues, which greatly enhances the protocol’s ability to identify and respond to threats. Highlights include:

  • Reviewed potential security threats to both Compound V2 and V3 to draft security monitoring recommendations for community review and discussion.
  • Implemented a decentralized monitoring solution for Compound using 13 Forta bots that monitor Compound markets, governance, access control, listed assets, oracle feeds and specific attack vectors.
  • Integrated monitoring feeds into Discord channels and a public Datadog dashboard, using OpenZeppelin Defender, for easy consumption by community members. We added specific alerts for proposal votes and quorum thresholds to improve governance participation.
  • Supported the response to the cETH price incident with custom monitoring for watching protocol risks while markets remained frozen.
  • Currently building out monitoring support for multiple Compound V3 instances for assets across different EVM networks.

Going Forward

While 2022 has been a successful year for the Compound OpenZeppelin security partnership, there is still more to be done following the community’s upcoming decision to renew our partnership. The cETH price incident shows that more security improvements are needed to fully safeguard the protocol, starting with the adoption of a CIP process that will pave the way for better security processes.

Our plans for 2023 involve delivering more robust security recommendations and solutions that enable all Compound contributions to follow a multi-layered, defense-in-depth quality assurance process: one that starts in the early stages of development and continues through auditing, deployment, and post-deployment monitoring and threat response. With the community’s support, we intend to continue leading these efforts to make Compound as secure as possible while remaining a robustly decentralized community.

More details on these plans for 2023 will follow shortly, ahead of our renewal proposal, and we welcome the community’s feedback and suggestions on what we could improve upon or add to our current partnership offerings.