OpenZeppelin Security Partnership - 2023 Year in Review

Two years ago, the Compound DAO selected OpenZeppelin to be its security partner focused on providing security audits, advisory and monitoring services. Just as we did at the end of 2022, we’d like to look back at the past year and highlight how our work has improved the protocol’s overall security stance.

Auditing

Our audits have continued to remain a busy part of our partnership without any gaps of work in our backlog as we’ve worked to support new market deployments, grant projects and other code changes to the protocol.

Our audit accomplishments include the following:

  • Completing a total of 13 audits/security reviews that consisted of 70 weeks of auditor time plus 17 weeks of preparatory and follow-up work
  • Reporting 99 total issues raised in our reports that include 3 Critical and 2 High issues
  • Auditing protocol changes that were passed in seven governance proposals, including new markets launched on three chains: Polygon, Arbitrum and Base. We’ve also performed work to prepare for future market launches on ZK rollups (Linea and Scroll) in 2024
  • Performing audits for two CGP grant projects: CometWrapper and Wido along with providing security feedback for several other projects that did not qualify for an audit such as Paytr
  • Updating the asset listing process to accommodate Compound V3 changes and the potential for listing collateral dependent on L2 bridges
  • Supporting incident response by triaging whitehat and bug bounty reports that required validation of a reported issue’s impact or feasibility

We’re very proud of the audit work we’ve done to safeguard Compound. That being said, we are always accepting feedback from community members to continue strengthening the security posture of the protocol. Over the last year, we have been incorporating more advanced invariant testing and simulation techniques to validate the safety of the codebases we’ve received for Compound to augment existing testing suites wherever possible.

Advisory

Our security advisory work has continued to develop new protocol security processes, test and improve incident response readiness, and provide overall security guidance in a flexible manner depending on the protocol’s needs.

Our advisory work this past year includes:

  • Supporting Incident Response Preparedness
    • Participating in the SEAL Chaos incident response drill with the Pause Guardian Multisig to test the protocol’s incident response preparedness
    • Joining the Pause Guardian Multi-sig as a new signer to better coordinate rapid response to live security incidents and developing incident response policies
    • Setting up a pager system for the Pause Guardian to quickly alert multi-sig members and improve overall response time for emergency security incidents
    • We’ve also been involved in successfully resolving a live bug impacting the Base WETH market that was reported by a white hat in mid-November. More details on this issue will be disclosed in the coming week.
  • Participating in the Grants Program for Security Tooling
    • Serving as a Domain Allocator for Security grants with 4 security grants successfully completed and $80K paid out during the last program.
    • We will continue to manage the Security grants domain in the renewed CGP 2.0 program slated to begin on November 30th.
    • We’ve also pushed for changes that will involve OpenZeppelin more directly in evaluating grant proposals across all other domains that have a security impact on the protocol.
  • Publishing Security Policies and Advisories for the Community

Overall, our security advisory work has made great strides in improving both quality assurance measures and incident response preparedness for the protocol validated through incident response drills based on realistic conditions. We plan to continue these improvements with further drills to find new areas of improvement that can be made.

Monitoring

Our security monitoring suite, the majority of which was already built in 2022, has provided greater visibility and alerting for protocol activity, governance and potential security issues, which has greatly enhanced the protocol’s ability to identify and respond to threats.

Our accomplishments with our monitoring suite this year include:

  • Deploying six market monitoring feeds for the following Comet markets:
  • Performing updates to the following monitoring bots:
    • Governance Monitoring was refactored to use Tally API after the Compound V2 API was deprecated
    • Multi-sig Monitoring was refactored with various minor improvements
    • Oracle Price Feed Monitoring was refactored with various minor improvements
  • Our Oracle Price Monitor bot successfully detected multiple instances of the UAV Price Anchor being activated and rejecting prices over the past year. This includes one instance with cSUSHI on June 10th that required the Pause Guardian to prepare to pause if prices didn’t return to normal. This helped prompt the discussion that led to CIP-4 being proposed, which will deactivate the UAV price anchor and eliminate this recurring issue that our monitoring has detected.
  • Finally, we have several more key improvements to our monitoring stack rolling out this month to improve our support for new markets and cross-chain governance activity:
    • New monitoring alerts
      • Comet Market Liquidation Risk
      • Bridged Proposal Integrity
    • L2 support for existing monitoring alerts and automation
      • Market Activity
      • Pause Guardian and Privileged Actions
      • Governance Events and Automation
      • Collateral Asset Monitoring
    • Faster deployment for new markets and networks
    • Other various enhancements for improved reliability

You can expect to see several of these monitoring improvements rolling out by the end of this week. All other improvements will be completed and available to the community on the Discord feeds by the beginning of 2024.

In Summary

Overall, we feel that 2023 has shown a significant improvement in Compound’s security stature as a result of our work. There were no live incidents that caused disruptions to protocol operations, much less a loss of funds, despite the fact that the DAO now operates eight segregated lending markets across four different blockchain networks. That’s up from just two markets operating solely on Ethereum mainnet from the same time last year.

We’ve successfully taken the lessons learned from 2022 with the cETH Price Incident and other prior issues to implement improvements that ensure that Compound remains one of the most secure lending protocols as it continues to expand to new blockchain networks. We must also give credit to the support and great working relationships we have with Compound Labs, Gauntlet, the Pause Guardian, the CGP committee and many other community members for the success our partnership has enjoyed. That being said, we believe that both OpenZeppelin and the community must remain vigilant and we’ll continue to seek ways to improve Compound’s security and our own work in 2024.

With the community’s support, we look to continue leading these efforts to make Compound as secure as possible while remaining a successful lending platform and robustly decentralized community.
