OpenZeppelin Security Partnership - Q1 2023 Compensation Proposal

Simple Summary

As we approach the 1 year mark of OpenZeppelin’s security partnership with Compound and reflect on the past year’s success, we would ask the community to continue renewing our partnership on a quarterly basis going forward, starting with Q1 of 2023. We also ask the community to continue the same lump-sum payment structure as was done for Q3 and Q4 of 2022. Please see our motivations and additional details below.

Background

In our original proposal, OpenZeppelin proposed a one-year partnership for $4M paid through a COMP stream that would be price-adjusted every quarter. However, since each quarterly price adjustment requires a new governance proposal, this has meant that we still need to solicit community support every quarter to maintain the payment terms of our partnership.

Moving forward, we would like to renew our partnership on a quarterly basis. This better reflects the reality of what can be enforced on-chain and lines up well with our existing payment structure of $1M per quarter.

This new arrangement effectively changes nothing else about our partnership terms except to clarify expectations. We would only ask that if any community members wish to propose any changes to our partnership terms, they notify us in the forum 60 days in advance of a quarterly renewal. This will ensure there is time to have a public discussion and we can plan for potential changes without interruption to critical parts of our security offerings.

2023 Initiatives Focus

While our current plan is to keep our service offerings the same as before, we would like to highlight some of the specific areas we plan to focus on going into 2023 for security auditing, advisory and monitoring.

Auditing

We will continue to provide a dedicated auditing team at the same capacity as before. Our current focus has been on auditing new deployment configurations of Comet in cooperation with Compound Labs which we expect will continue well into 2023. We also hope to audit other protocol improvements that come out of protocol maintenance discussions and support the further growth of Compound V3. To improve coordination, we have also begun tracking our audit progress on a GitHub kanban board that we’ll be releasing in the coming weeks.

Advisory

Our primary advisory focus will be to help shepherd the new CIP framework that was recently adopted by the community with the approval of CIP-1. Our first focus will be to draft a new CIP that defines a clear contribution process for upgrades that ensures a rigorous quality assurance process is followed for any and all protocol changes. This will be built on the existing work of posts by Compound Labs and expanded to account for the challenges faced by third-party contributions. We will also be active in the new grants program as an Allocator for the Security Domain and we’ll continue to advise the Community Multi-sig on best practices for incident response.

Monitoring

We’ll continue to work on refining and expanding the monitoring capabilities we’ve built for the Compound protocol. Most especially, we’ll be working to ensure that new deployments of Comet on other chains will also be covered by our monitoring suite that feeds into Discord and Datadog. We’ll also work to provide more actionable guidance on how monitoring can be used for performing post-deployment health checks and responding to existential threats such as oracle interruptions, rapid market changes and any critical components that may be involved in the cross-chain governance of Compound markets on other chains.

Proposal Structure

Our next proposal will be structured exactly the same as the past two quarters in Q3 and Q4 of 2022. We only ask that the community accept the lump-sum payment structure as the default approach for quarterly renewals going forward. More background on our motivation for moving to the lump-sum payment structure can be read here.

The governance proposal will consist of a single payment of COMP from the Timelock that is valued at $1M using the weekly VWAP price calculated at the time of submission. We intend to submit this proposal on-chain on Dec. 9th so that voting is complete before Dec. 16th and the start of the holiday season. Please note that this timeline does mean that our payment would be received ~2 weeks before the start of Q1, but we feel this is better than interrupting community members’ holidays to vote on a governance proposal during the week of Dec 26th. That being said, we are open to alternative suggestions.

Request for Feedback

Even though we are moving to a quarterly renewal model, we still want to take this time to hear feedback from the community on our past year of work and see if anyone would like to make suggestions on how we can work together better. We are also open to expanding or refining our offerings with Compound at the start of next quarter or future quarters.

Finally, the team at OpenZeppelin would like to thank everyone in the Compound community for their support and assistance over this past year. This is the first DAO security partnership of its kind and we’re incredibly proud of what we’ve achieved and grateful for the community’s continued support. We’ve also learned a lot about how we can improve the protocol’s security even further to avoid future incidents as well as tailor our own ways of working to better align with the community’s needs. With all that’s been learned, we expect that the next year will be even better.

As usual, we welcome community feedback and suggestions below. You can also reach out to me directly on Discord, Telegram or email:

7 Likes

The proposal has been submitted and voting will become active early next week.

Have a good weekend everyone!

1 Like

Why should COMP be used as opposed to another asset like USDC? Using COMP risks either underpaying or overpaying in the long-term, and if users have faith in the value of COMP, then shouldn’t USDC be used?

1 Like

Can OpenZeppelin comment on the expensive nature of these security audits? $1M per quarter seems high, but maybe it’s worth it given the amount of risk. Who are the main competitors to OpenZeppelin? Is it Trail of Bits, etc., and what would they quote for similar services?

1 Like

Hi @VonNeumann2022 - Sorry for not seeing these messages until now. Here’s some information to address your questions below.

Regarding the payment structure, there is further background on this in a prior thread. We had previously requested USDC as a payment option but it wasn’t considered sustainable since the only source of USDC is from lending reserves.

Regarding pricing, our rates incorporate not just audits but also security advisory, custom monitoring work, and access to OpenZeppelin products such as Defender which is part of our monitoring suite. There was a long forum discussion including bids from other competitors (Trail of Bits, Chainsecurity) last year when the partnership started that would give you more background on how the community decided on us as the best option.

1 Like

I see. That makes a lot of sense. I support this proposal.

2 Likes