OpenZeppelin Security Partnership Renewal 2025

Summary

OpenZeppelin has secured Compound since December 2021, establishing a proven track record of comprehensive protocol protection. In our current annual term (July 2024-June 2025), we’ve completed 40+ security audits, reviewed 180+ governance proposals, and identified 6 critical vulnerabilities while maintaining zero protocol losses due to security exploits.

Throughout this partnership, we’ve maintained Compound’s ecosystem security while flexibly responding to incidents and adapting to the DAO’s evolving development needs. Our collaborative approach with key contributors has optimized processes and enabled early risk mitigation across protocol operations.

This renewal continues our comprehensive security services with more detailed specifications of the coverage we’ve been providing to Compound, making our commitments more explicit.

Services

We remain committed to providing these services with unique expertise built from our 3+ years serving Compound.

Audit Services

  • Code Reviews: Contract audits, migration reviews, and audit-readiness evaluations in Solidity, TypeScript, Rust, and additional languages as needed for Compound protocol changes, including new versions, Grants Program projects, treasury operations, and contracts used by governance proposals
  • Proposal Reviews: Security assessment of all governance proposals, formal reports when issues identified
  • Asset & Network Evaluation: Token assessments for new borrowable and collateral assets; network assessments for new network deployments

Monitoring and Automation

  • Governance Events: Alerts for new proposals, voting activity, and proposal queueing/bridging/execution; automated proposal queueing and execution
  • Market Activity: Transaction monitoring and digests per market across multiple networks
  • Security Alerts: Voting power accumulation tracking, price feed anomaly detection, community multisig transaction monitoring

Advisory Services

  • Development Security: Testing methodologies, secure design principles, and integration guidance
  • Operational Security: Key management training, deployment protocols, and treasury delegation
  • Governance Security: Governance safeguards, decentralization enhancements, and security council formation/operations

Partnership & Performance

Our collaborative approach with Compound’s contributors has strengthened protocol security while supporting efficient operations:

Critical Incidents Prevented

Our security approach focuses on proactive risk mitigation, identifying and resolving vulnerabilities before they can be exploited. While this preventive model makes it challenging to quantify the full scope of potential losses avoided, the following three critical incidents we prevented during our last term demonstrate the tangible value of early detection:

These documented incidents represent a small sample of the losses we prevent, avoiding substantially higher costs of post-incident response, reputational damage, and threats to protocol integrity.

Current Term Performance (July 2024-June 2025):

  • Audits: 40+ unique audit scopes with 119+ weeks of auditor time, identifying 229 total issues including 6 Critical and 14 High severity vulnerabilities
  • Governance Coverage: Reviewed 180+ governance proposals preventing multiple fund-loss scenarios through early issue identification
  • Monitoring Expansion: Enhanced monitoring across 25 markets on 9 networks, with automated queuing of 140 proposals and execution of 136 proposals

Our collaborative performance demonstrates effective partnership across the Compound ecosystem. Comprehensive details are available in our 2024 Year in Review and 2025 Q1 Update.

Flexibility

We recognize that Compound’s needs and priorities continue to evolve. To provide the DAO with flexibility, we’re including a three-month-notice termination clause in this renewal. This provision allows the DAO to adjust arrangements if needed while ensuring continued coverage throughout the transition.

Compensation Structure

Previously, OpenZeppelin used the Vendor Payment Aera Vault adopted in Proposal 249. With the deprecation of the Vendor Payment Aera Vault, Woof! Software proposed a USDC-price-adjusted COMP streaming mechanism. This approach provides several benefits:

  • Reduced governance overhead for voters
  • Payment of USDC obligations using COMP
  • DAO clawback of unvested assets
  • DAO capture of net COMP appreciation

OpenZeppelin will continue its annual renewal model for our Security Partnership, adopting the same streaming approach. Our governance proposal will initiate a deposit of 110% of the 4M USDC equivalent in COMP, using a 30-day TWAP price at the week of proposal submission, to be streamed over the course of a year starting at the beginning of Q3 2025.

The 10% buffer is designed to accommodate potential price fluctuations while balancing capital efficiency. OpenZeppelin will only receive the prorated portion of the $4M annual value based on actual service duration.

Governance may initiate early termination through a subsequent on-chain governance proposal with at least three months advance notice. Unvested funds can be transferred to the DAO by anyone 10 days or more after the term ends or after the notice period expires.

Timeline

We plan to submit this proposal by June 23rd so that voting completes by the end of the month. We will also post additional technical details about the payment stream mechanism in this forum thread in the days leading up to the proposal submission. We welcome community feedback on this renewal proposal and will consider relevant input before submitting our governance proposal.

Our Request to the Community

As usual, we would like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for the following:

  1. Please vote in support of our upcoming compensation proposal to keep us working with the Compound community for the next year.
  2. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
  3. Stay subscribed to the Compound Discord Monitoring Feeds.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram, or email:

3 Likes

OZ’s long history with the DAO, deep knowledge of the protocol, holistic approach to security, and professionalism make them an easy ‘yes’ for renewal.

It bears mention that this renewal asks for ~10% of remaining COMP under the DAO’s control in the Comptroller at current prices. Given other anticipated upcoming asks to the DAO, including the establishment of a Foundation, the DAO will be on track to deplete its COMP holdings entirely in well under five years at current prices (possibly much less time than that if the Foundation team, as hinted in their current proposal, makes a larger ask at the 18-month mark).

I strongly support the OZ renewal. To sustain the partnership and continue to make this an easy ‘yes’ going forward, the DAO (perhaps at the guidance of a Foundation) must start to more aggressively pursue strategies that strengthen COMP’s market value or otherwise start to reverse the outflow of the DAO’s COMP.

3 Likes

Business Case Against Renewing OpenZeppelin as Compound’s Security Auditor

Summary

The following outlines a fact-based, commercially sound rationale for Compound DAO to decline the re-election of OpenZeppelin (OZ) as its security auditor. While OZ played an instrumental role in Compound’s early security posture, its continued engagement is no longer aligned with the DAO’s operational needs, financial constraints, or growth objectives. Key issues include lack of executional agility, prohibitively high costs, poor vendor behavior, and a net negative impact on the protocol’s ability to ship product and grow.

  1. Strategic Misalignment

OpenZeppelin has evolved into a bureaucratic vendor, not a strategic partner. Their workflow is rigid, slow, and antagonistic to the needs of a rapidly evolving DeFi protocol:

  • Code reviews are serialized on a weekly cadence. If an issue is flagged Tuesday, review does not resume until the following week, creating a systemic 7-day delay per iteration.

  • Minor issues (e.g., function naming conventions) halt entire audits, resetting multi-day workflows and effectively burning $15,000 per day delay cycle.

  • No prioritization or triage system exists; all tasks are blocked if metadata is missing or slightly misformatted, even when data is publicly available on-chain.

  • OZ offers no agility. They routinely reject collaborative iteration and instead enforce static contract terms that stifle velocity.

  2. Operational Inefficiency and Opportunity Cost

Compound has repeatedly failed to ship critical features on time due to OZ’s latency:

  • V2 Rewards Contract: Delayed over 15 months due to OZ’s workflow. This single delay has stalled all reward-based growth strategies and undermined business development partnerships.

  • Asset Listings & Chain Expansions: Multiple billion-dollar TVL opportunities (i.e. Ethena, Sonic) lost because of OZ audit backlog. Fast-moving ecosystems like WOOF shipped in days, while OZ takes 6-8 weeks to analyze a single asset.

  • DeFi Cycles Move Fast: OZ’s inflexibility means Compound misses entire cycles and waves (LRTs), costing hundreds of millions in missed utilization.

  3. Cultural & Governance Misalignment

  • OZ behaves as a rent-seeking vendor rather than a protocol-aligned partner.

  • Their conduct is often combative. Team leads have described interactions as “energy draining” and “hostile.”

  • Feedback loops are broken. Despite repeated requests for acceleration, OZ demanded additional fees rather than improving efficiency.

  • Governance Overreach: OZ has labeled growth-oriented proposals as “governance attacks” while remaining silent on the far less transparent formation of the Compound Foundation. This inconsistency signals political bias and self-preservation over principled decentralization.

  4. Incomplete Security Coverage

Despite their cost and posture as Compound’s end-to-end security provider, OpenZeppelin has failed to prevent or mitigate:

  • Front-end vulnerabilities (e.g., Discord, Twitter, Website hacks)

  • Governance-based exploits (e.g., the Humpy incident)

  • Economic attacks or collusion scenarios tied to governance tokens

The DAO was forced to stand up internal governance operations to respond to these events, duties that fall under OZ’s remit.

  5. Market Alternatives Exist

A range of credible firms have expressed interest in serving Compound. Many offer:

  • Faster delivery timelines

  • Superior collaboration models

  • Team-based parallel execution vs. serialized workflows

  • Pricing that is 5x–8x more efficient

These firms are, however, discouraged from entering the process due to perceived governance capture favoring OZ.

  6. Excessive Cost Structure

OpenZeppelin charges $4M/year, despite offering limited coverage:

  • Provides only 50 weeks of service annually; ~$75,000/week.

  • Effective delivery bandwidth is equivalent to one full-time audit thread.

  • Compound has spoken to alternate firms offering comparable or superior delivery capacity at 1/8th the cost.

  • For $1M/year, the DAO could employ two full-time security teams. Current spend is unjustifiable given outcomes.

The basic actions of running the Compound protocol are adding chains, markets, and assets. The cost structure for auditing services across each basic action is as follows:

1. Chain-Level Audits

  • Audit Cost: $153,846

  • Percentage of Total Chain-Level Costs: 55.56%

  • Total Chain-Level Cost: $276,922

2. Market-Level Audits

  • Audit Cost: $115,384.50

  • Percentage of Total Market-Level Costs: 61.23%

  • Total Market-Level Cost: $188,456

3. Asset-Level Audits

  • Audit Cost: $76,923

  • Percentage of Total Asset-Level Costs: 77.14%

  • Total Asset-Level Cost: $99,723

These figures indicate that auditing services constitute the majority share of expenses across all levels, with the highest proportion at the asset level.

Market Comparables:

  • Aave, with over $30 billion in Total Value Locked (TVL), spent only $1.7 million on security in the past year, out of a total budget of $64 million.
  • Compound, with approximately $2 billion in TVL, spent $4 million on security in the same timeframe.

Proportional Spend Analysis:

  • Aave: Security Spend = 2.7% of Total Budget; 0.0057% of TVL
  • Compound: Security Spend = 50% of Current Budget; 0.20% of TVL

This disproportionate security expenditure (35x higher per unit of TVL than Aave) highlights a serious misallocation of treasury resources. Compound’s smaller TVL makes cost efficiency all the more critical. The DAO must ensure that its security investment is proportional to risk, operational velocity, and real value delivery.

Delivery Timelines and Efficiency

The delivery timelines for OpenZeppelin’s auditing services have been a point of concern:

  • Extended Audit Durations: Audits have taken up to 15 months for certain components, such as the Rewards V2 contract, hindering timely protocol upgrades.

  • Sequential Processing: Audits are conducted in a linear fashion, with only one thread at a time, leading to bottlenecks in development and deployment.

  • Delayed Responses: Feedback loops often span a week, and minor issues, such as naming conventions, have caused week-long delays, incurring additional costs.

These inefficiencies have resulted in missed opportunities and delayed integrations, impacting the protocol’s competitiveness and growth.

Comparative Analysis

When compared to other auditing firms:

  • Cost Efficiency: Alternative auditors have quoted services at approximately one-eighth the cost of OpenZeppelin, offering similar or enhanced support.

  • Resource Allocation: Other firms provide dedicated teams capable of handling multiple threads simultaneously, improving throughput and reducing time-to-market.

  • Responsiveness: Competitors have demonstrated faster turnaround times and more collaborative engagement models, aligning better with agile development practices.

Strategic Recommendations

Given the financial burden and delivery challenges:

  1. Initiate a Competitive RFP Process: Solicit proposals from multiple auditing firms to assess cost-effectiveness, delivery capabilities, and collaborative potential.

  2. Diversify Auditing Partners: Engage multiple auditors to distribute workloads, reduce bottlenecks, and foster a more dynamic security review process.

  3. Implement Performance Metrics: Establish clear KPIs for auditing services, including delivery timelines, cost benchmarks, and quality standards, to ensure accountability.

  4. Reallocate Resources: Consider redirecting funds towards development and growth initiatives that offer higher returns on investment and accelerate protocol evolution.

By addressing these areas, the Compound DAO can enhance its operational efficiency, reduce costs, and better position itself for sustained growth and innovation.

Final Recommendation

Do not renew OpenZeppelin’s contract.

Instead, initiate a competitive RFP process to source a new security audit provider better aligned with the DAO’s performance, cost-efficiency, and accountability requirements. Compound’s continued growth and credibility depend on agility and fiscal discipline, neither of which OZ currently supports.

Closing Thought

OpenZeppelin was the right partner for a different era. Today, Compound must evolve, prioritizing protocol agility, cost optimization, and growth enablement. Renewing OpenZeppelin at $4 million/year is incompatible with those imperatives.

The DAO can, and must, do better.

4 Likes

As mentioned by OZ on today’s Discord call, they said they can’t explain what they do differently from other service providers without seeing those providers’ contracts. If that’s the case, then sharing those comparisons should be part of the conversation if alternative services are being considered.

I also think comparing what Aave spends versus what OZ is doing for Compound is a very good point. It would be helpful to understand not just the cost difference, but also the difference in scope and amount of work. Are the services similar? Is one team taking on significantly more?

I also liked the idea brought up in the call and in other proposals about staying open to multiple service providers and seeing which can perform best. A $4M renewal is a major commitment but maybe it can be justified. It’s hard to tell without a full side-by-side comparison which I think should be in this conversation.

1 Like

Compound Community, we encourage you to please continue reviewing our fulsome proposal, where we worked hard to set out in detail the nature of services we provide to Compound and related data highlighting our recent work (e.g. number of audit weeks). We believe the proposal, together with our day-to-day security services and communications with the community over the past 3 years, have consistently met the high degree of quality and transparency demanded by a fully decentralized protocol.

We believe our track record speaks for itself and highlights our long-term commitment to the success of Compound; however, we are responding to Bryan’s post above because it ignores the key term we have built into our renewal proposal for the benefit of the community (namely, Compound retains an option to cancel our renewal with 3-month notice if and when a proper process or vendor selection process is agreed to).

Further, the post contains a number of harmful misrepresentations that should be either retracted or corrected (further details regarding such inaccuracies below).

We welcome any good-faith follow-up questions about our proposal or the related information. Going forward, we expect constructive dialogue based on facts. We will not engage with any further statements that cannot be substantiated by objective sources.

As always, we thank the community for its continued support.

Material corrections:

OpenZeppelin has maintained a long-standing commitment to Compound’s success, consistently taking principled positions to safeguard the protocol, even when that meant highlighting issues on specific proposals or noting practices we believe could put the protocol at risk. Our actions are guided solely by a responsibility to ensure the long-term security and resilience of Compound.

The portrayal of our engagement as rigid or misaligned does not reflect the reality of our collaboration. We currently manage multiple concurrent workstreams with dedicated researchers and management capacity. Delays typically stem from incomplete scopes or code submissions, rather than our independent review processes. We continue to prioritize responsiveness, flexibility, and deep protocol understanding, and we are always working to expand our support as the DAO matures its operational framework.

In the case of Rewards v2, despite recommendations from OpenZeppelin and Compound Labs for a simpler approach to Rewards v2, a more complex solution was chosen that required significant off-chain infrastructure and extended development timelines. The initial code submission contained security vulnerabilities that posed risks to fund safety and required multiple revision cycles. Development of the off-chain infrastructure remains ongoing.
Additionally, in the case of the Ethena integration, we did not receive a project scope for review nor a Sonic scope before Sonic announced the discontinuation of their integration efforts.

The statements above appear to deflect issues with third-party development and proposal processes, rather than identify substantive community concerns regarding OpenZeppelin’s review of such proposals. OpenZeppelin’s independent security role has become increasingly critical as growth initiatives have been used to provide justification for unaccountable actors to disregard established community standards and game risk mitigation processes, which potentially expose protocol assets and reputation (as we have noted in related reviews). Regarding the claims about additional fees and delays, OpenZeppelin has never demanded additional fees and project delays resulted from late delivery of project scopes rather than extended security review durations, as evidenced by the timelines documented in security reports.

OpenZeppelin has taken a leadership role in each event where Compound could have been at risk. Most of the delegates and the community multisig members can attest to our commitment and value we provided on each of these incidents, which is evidenced by the continued support of our role to date.

OpenZeppelin was the first to flag the risk of a potential governance attack to the community in May 2024, weeks before the real threat materialized. To avoid a full review of that incident here, you can learn more about the incident in this external article. As part of our security reviews, we always highlight token concentration risks and related potential governance risks or economic attacks. The community has found these risks important to their decisions on proposals and our analysis in this regard has resulted in multiple proposals being rejected.

As noted, we fully support the importance of a robust vendor selection process. This is precisely why our current proposal includes a three-month notice period for termination—providing the DAO with flexibility should a formalized selection process be established, while ensuring independent security review of DAO activity at all times.

It’s worth highlighting that OpenZeppelin became Compound’s Trusted Security Partner through a competitive RFP process in November 2021 (Auditing Compound Protocol), in which we were selected over two other top-tier security firms by a majority vote. Since then, we’ve worked diligently to earn and maintain the community’s trust, consistently delivering on our long-term commitment to securing the protocol.

We also acknowledge that, given there is no current formalized process or Foundation to do this, it would be imprudent to stop things midstream during our proposal renewal, as it could leave the DAO exposed during any such period.

As indicated above, Compound’s original proposal for number of audits, auditor weeks and other relevant metrics was originally requested and driven by the CEO of Compound and the community based on the understanding that a full-time dedicated security partner would enhance the Compound brand as the most secure protocol in the space and ensure the protocol’s healthy operation under decentralized governance. Since this time, OpenZeppelin has protected the protocol and the brand of Compound and has made sure that all security incidents are escalated to the community for mitigation.

OpenZeppelin provides a dedicated team that supports Compound across audits, governance reviews, incident response, and ongoing strategic security guidance. In our current proposal, we’ve also outlined additional areas of coverage, such as infrastructure and operational security, to ensure we adapt to the changing needs of the market. We believe a committed and structured counterpart in the community would enable us to deliver the full breadth of our security capabilities in keeping with Compound’s original needs. This level of embedded expertise has helped Compound maintain a strong security posture through multiple protocol evolutions, community changes and market needs.

Compound has been a pioneer in fully decentralized governance and operations. Making comparisons to other DAOs or projects without a proper understanding of what type of services, dedicated personnel, and overall security requirements are required based on their unique structures is misleading.

As mentioned previously, OpenZeppelin is open to evolving our engagement model to better align with the DAO’s needs and financial constraints through an RFP process, once a formal DAO RFP process is in place, whether implemented by the Compound Foundation or otherwise.

3 Likes

Thank you, Jared, for the response. However, there are a bunch of hand waves here that signal you are not interested in taking real feedback, and we are going to have to agree to disagree.

Here is my best recommendation for the DAO, which I said in private to the OpenZeppelin team multiple times. There is most likely historic knowledge that can be lost if OpenZeppelin leaves abruptly; how valuable that knowledge is remains unknown.

The most sensible thing for the DAO is to have OpenZeppelin remain an advisor to Compound Protocol in a smaller capacity; this way they can provide support for knowledge transfer and solely support core protocol updates.

Then OZ can operate at their own pace and focus on their strengths. I would support a maximum of $1M a year budget allocation to OpenZeppelin to retain them in this advisory position. With the savings, Compound ought to employ another auditor to handle the DAO’s regular business practices with greater efficiency and agility.

  • New Collateral Listings
  • New Markets
  • New Chains

With another security team, the cost structure around standard practices would drastically reduce. We have already chatted with multiple vendors who said their range for similar coverage would be $500k-$1MM a year. The DAO would then get to trial 1-2 more auditors to support Compound, and when we need OpenZeppelin for critical updates, they can be there to help the protocol retain its integrity.

This dual provider model would offer the following benefits:

  • Continuity: Institutional memory retained without overpaying for routine services
  • Cost Optimization: Blended spend reduced by 50 to 70%
  • Efficiency: Faster execution on listings and deployments
  • Resilience: Future-ready vendor diversification and reduced key-person or single-firm dependency

I speak as a DAO member, and as someone who has worked with OpenZeppelin personally over the last year. I believe Compound is best served through implementing a dual provider model approach toward Audit Service Providers.

1 Like

The proposed renewal of OpenZeppelin’s security partnership with Compound reflects a well-considered balance of operational continuity, proactive risk management, and DAO accountability. I’d like to highlight a few key observations:

  1. Clear Scope and Accountability
    The enhanced specification of audit and monitoring services (including coverage of governance proposals, market activity, and multisig operations) helps define OpenZeppelin’s obligations with greater clarity. This aligns with principles of legal certainty and improves transparency for tokenholders and other DAO participants.
  2. Streamed Payment Structure
    The proposed COMP-streaming mechanism, replacing the now-deprecated Vendor Payment Aera Vault, reflects a creative approach to DAO treasury management. It not only aligns with capital efficiency goals but embeds legal safeguards through vesting and clawback features—critical in reducing financial risk and potential misuse of DAO funds.
  3. Risk Mitigation & Legal Liability
    The proactive identification of critical vulnerabilities (e.g., the Linea USDC Market incident) illustrates OpenZeppelin’s preventative value. From a liability and compliance standpoint, this minimizes the potential for post-incident legal exposure, regulatory scrutiny, and reputational harm—especially as DeFi protocols face increasing attention from global regulators.

Recommendation:
As Compound DAO continues to operate as a decentralized and compliant financial infrastructure, this renewal appears to support the DAO’s fiduciary duty to its tokenholders by ensuring robust and proactive protocol security. I would recommend the DAO support this proposal, pending a final review of the payment stream mechanism’s implementation details to ensure enforceability and auditability.

Hi everyone – Shelly here, co-founder and CTO of Certora.

After reviewing the thread, we’d like to signal two security firms, Chainsecurity and Certora, that are interested in responding to an RFP when available to provide agile development while maintaining the security budget. Both companies are familiar with the Compound ecosystem and have continuously worked closely with the former Compound Labs since 2018.

In addition to reviewing code and monitoring activities, we will integrate open-source formal verification rules and Foundry tests into every commit and share the reports publicly.

We’re coordinating with Chainsecurity to share a proposal once the RFP process is live.

1 Like