OpenZeppelin Security Partnership - Q1 2024 Compensation Proposal

Simple Summary

As we approach the two-year mark of OpenZeppelin’s security partnership with Compound and reflect on the past year’s success, we ask the community to continue renewing our partnership on a quarterly basis for Q1 of 2024. We’ve included details on the security initiatives we plan to focus on in 2024 in addition to some improvements we have planned for streamlining the way that the DAO handles vendor payments and operating expenses.

Compensation Background

In our original proposal, OpenZeppelin proposed a one-year partnership for $4M paid through a COMP stream that would be price-adjusted every quarter. Starting with Q3 2022, we engaged with the community to change this model to renew our partnership on a quarterly basis with a lump-sum payment of $1M per quarter, primarily to minimize our price impact to COMP and better cover our operating costs. This has continued to be our model since and we intend to make our next proposal for Q1 of 2024 no different.

However, we’ve received feedback from community members that they would prefer a more streamlined vendor payment structure that allows renewals to return to a yearly model without the need for quarterly proposals. We agree that this is desirable to reduce DAO overhead and we are currently researching ways to accomplish this while also accommodating the need for price stability in payments made with COMP. We also intend for this structure to still incorporate a vesting period for some percentage of COMP to ensure vendor alignment with DAO stakeholders.

We plan to publish a CIP for this new vendor process in early Q1 and roll over into this new model by the start of Q2 2024. We feel this timing is desirable to both allow community discussion on a new vendor process and to ensure that future yearly renewals of OpenZeppelin’s partnership do not occur during the winter holidays when DAO participation is lower.

2024 Initiatives Focus

While our service offerings and pricing will remain the same as before, we would like to highlight some of the specific areas we plan to focus on going into 2024 for security auditing, advisory and monitoring.

Auditing

We will continue to provide a dedicated auditing team at the same capacity as before. We’ve seen no let up in our audit demand for Compound and have continued to maintain a busy backlog of work that includes supporting market deployments on new blockchain networks as well as audits of grant projects that have a security impact on the protocol such as CometWrapper. We’ve also identified areas of improvement in our audit process where we can incorporate more advanced invariant testing and simulation techniques to ensure we cover more potential edge cases.

Advisory

Our primary advisory focus this past year has been incident response readiness and we are nearing the end of implementing all the improvements that we’ve identified since the SEAL Chaos Drill that was performed in July of this year. As such, we think it will be important for us to schedule another drill in 2024 to validate our incident response enhancements are effective and identify other areas of improvement. For quality assurance, we intend to publish additional security guidance for new chain deployments.

Additionally, we are planning to draft and propose two new CIPs that cover the following:

  1. Streamlining Vendor Payments - As referenced earlier, we want to develop a standardized process that OpenZeppelin, Gauntlet and any other third-party vendor can utilize to be paid on regular renewal schedules without over-exposure to COMP price fluctuations. See Compensation Background for more details on this.

  2. Gas Paymaster & Operating Expenses - We intend to outline a structure where the DAO can set aside ETH and other gas tokens to cover on-chain gas costs for various operations performed by privileged participants. While these costs are negligible in the short-term, they can quickly add up and be a burden, especially when operating on different blockchain networks concurrently. These operations include:

    1. Proposal submissions for risk parameter updates by Gauntlet
    2. Governance operations such as queuing/executing proposals as performed by OpenZeppelin’s governance automation
    3. Gasless voting provided by Arr00’s comp.vote Dapp
    4. Multi-sig actions such as those performed by the Pause Guardian and CGP committees

    This CIP, if passed, would fund a Paymaster Relay account on each blockchain network where Compound is active and use a combination of meta-transactions and multi-sig managed treasuries to ensure that costs are covered without exposing the funds to unauthorized usage. We also want to set up a way to fund off-chain expenses, such as the hosting costs for the forum website, to avoid any disruptions of services and create transparency around these costs and the participants that maintain them.

If you have any questions or feedback on the initial ideas for these CIPs, please don’t hesitate to reach out and share your thoughts.

Monitoring

We are in the final stages of launching several new improvements to our monitoring suite that will make it easier for us to deploy monitoring on new blockchain networks and better capture cross-chain governance activity as detailed last quarter here. We expect these improvements to be complete by the start of 2024. As such, the majority of our monitoring efforts will then be focused on maintaining our existing suite and supporting new Comet markets as they come online and expand to new networks. We’ll continue to provide more actionable guidance on how our monitoring can be used for detecting live issues and integrate it into the new pager system setup for the Pause Guardian.

Proposal Structure

Our next proposal will be structured exactly the same as the past year of quarterly renewals. More background on the current lump-sum payment structure can be read here. As stated before, we plan to propose a more streamlined vendor structure that will allow us to only make one proposal per year, which we hope to have available for the next renewal at the end of Q1 2024 and the start of Q2.

The governance proposal will consist of a single payment of COMP granted from the Comptroller that is valued at $1M using the weekly VWAP price calculated at the time of submission. We intend to submit this proposal on-chain on Dec. 1st so that the voting and payment is complete before Dec. 8th and the start of the holiday season. Please note that this timeline does mean that our payment would be received ~3 weeks before the start of Q1 but we feel this is better than interrupting community members’ holidays to vote on a governance proposal during the week of Dec 26th. That being said, we are open to alternative suggestions.

Request for Feedback

Even though we are still operating on a quarterly renewal model, we still want to take this time to hear feedback from the community on our past year of work and see if anyone would like to make suggestions on how we can work together better. We are also open to expanding or refining our offerings with Compound at the start of next quarter or future quarters.

Finally, the team at OpenZeppelin would like to thank everyone in the Compound community for their support and assistance over this past year. Our security partnership with the Compound DAO continues to be some of our most impactful work as an organization and our learnings from the first year of 2022 have allowed us to refine our security work into something we feel has become a well-integrated part of the Compound community.

We remain incredibly grateful for the initial opportunity we were offered by the Compound DAO back in December of 2021 when choosing us to be Compound’s security partner. The continued support of the Compound community has been essential to our success through both their active participation in our security initiatives and the seven successive renewal proposals that have overwhelmingly passed since our partnership has started. We look forward to the challenges of 2024 with more markets to be deployed, blockchain networks to be supported and novel security threats to identify and protect against.

As usual, we welcome community feedback and suggestions below. You can also reach out to me directly on Discord, Telegram or email:


Our proposal has now been submitted and should be ready for a vote by next Monday.
