Business Case Against Renewing OpenZeppelin as Compound’s Security Auditor
Summary
The following outlines a fact-based, commercially sound rationale for Compound DAO to decline the re-election of OpenZeppelin (OZ) as its security auditor. While OZ played an instrumental role in Compound’s early security posture, its continued engagement is no longer aligned with the DAO’s operational needs, financial constraints, or growth objectives. Key issues include lack of executional agility, prohibitively high costs, poor vendor behavior, and a net negative impact on the protocol’s ability to ship product and grow.
Strategic Misalignment
OpenZeppelin has evolved into a bureaucratic vendor, not a strategic partner. Their workflow is rigid, slow, and antagonistic to the needs of a rapidly evolving DeFi protocol:
- Code reviews are serialized on a weekly cadence. If an issue is flagged on Tuesday, review does not resume until the following week, creating a systemic seven-day delay per iteration.
- Minor issues (e.g., function naming conventions) halt entire audits, resetting multi-day workflows and burning roughly $15,000 per working day of delay.
- No prioritization or triage system exists; all tasks are blocked if metadata is missing or slightly misformatted, even when the data is publicly available on-chain.
- OZ offers no agility. They routinely reject collaborative iteration and instead enforce static contract terms that stifle velocity.
Operational Inefficiency and Opportunity Cost
Compound has repeatedly failed to ship critical features on time due to OZ’s latency:
- V2 Rewards Contract: delayed over 15 months by OZ’s workflow. This single delay has stalled all reward-based growth strategies and undermined business development partnerships.
- Asset Listings and Chain Expansions: multiple billion-dollar TVL opportunities (e.g., Ethena, Sonic) were lost to the OZ audit backlog. Fast-moving ecosystems such as WOOF shipped in days, while OZ takes 6–8 weeks to analyze a single asset.
- DeFi Cycles Move Fast: OZ’s inflexibility means Compound misses entire cycles and waves (e.g., LRTs), costing hundreds of millions in missed utilization.
Cultural & Governance Misalignment
- OZ behaves as a rent-seeking vendor rather than a protocol-aligned partner.
- Their conduct is often combative. Team leads have described interactions as “energy draining” and “hostile.”
- Feedback loops are broken. Despite repeated requests for acceleration, OZ demanded additional fees rather than improving efficiency.
- Governance Overreach: OZ has labeled growth-oriented proposals as “governance attacks” while remaining silent on the far less transparent formation of the Compound Foundation. This inconsistency signals political bias and self-preservation over principled decentralization.
Incomplete Security Coverage
Despite their cost and their posture as Compound’s end-to-end security provider, OpenZeppelin has failed to prevent or mitigate:
- Front-end and off-chain channel compromises (e.g., the Discord, Twitter, and website hacks)
- Governance-based exploits (e.g., the Humpy incident)
- Economic attacks and collusion scenarios tied to governance tokens
The DAO was forced to stand up internal governance operations to respond to these events, duties that fall under OZ’s remit.
Market Alternatives Exist
A range of credible firms have expressed interest in serving Compound. Many offer:
- Faster delivery timelines
- Superior collaboration models
- Team-based parallel execution instead of serialized workflows
- Pricing that is 5x–8x more efficient
These firms are, however, discouraged from entering the process by perceived governance capture favoring OZ.
Excessive Cost Structure
OpenZeppelin charges $4M/year despite offering limited coverage:
- Provides only 50 weeks of service annually, which works out to roughly $80,000 per service week ($4M/50); the per-action figures below use $76,923 per audit-week ($4M/52).
- Effective delivery bandwidth is equivalent to one full-time audit thread.
- Compound has spoken to alternative firms offering comparable or superior delivery capacity at one-eighth the cost.
- For $1M/year, the DAO could employ two full-time security teams. Current spend is unjustifiable given outcomes.
The basic actions of running the Compound protocol are adding chains, markets, and assets. The cost structure for auditing services across each basic action is as follows:
1. Chain-Level Audits
- Audit cost: $153,846
- Total chain-level cost: $276,922
- Audit share of total chain-level cost: 55.56%
2. Market-Level Audits
- Audit cost: $115,384.50
- Total market-level cost: $188,456
- Audit share of total market-level cost: 61.23%
3. Asset-Level Audits
- Audit cost: $76,923
- Total asset-level cost: $99,723
- Audit share of total asset-level cost: 77.14%
These figures indicate that auditing services constitute the majority share of expenses across all levels, with the highest proportion at the asset level.
Market Comparables:
- Aave, with over $30 billion in Total Value Locked (TVL), spent only $1.7 million on security in the past year against a total budget of $64 million.
- Compound, with approximately $2 billion in TVL, spent $4 million on security in the same timeframe.
Proportional Spend Analysis:
- Aave: security spend = 2.7% of total budget; 0.0057% of TVL
- Compound: security spend = 50% of current budget; 0.20% of TVL
This disproportionate security expenditure (35x higher per unit of TVL than Aave) highlights a serious misallocation of treasury resources. Compound’s smaller TVL makes cost efficiency all the more critical. The DAO must ensure that its security investment is proportional to risk, operational velocity, and real value delivery.
Delivery Timelines and Efficiency
The delivery timelines for OpenZeppelin’s auditing services have been a point of concern:
- Extended Audit Durations: audits have taken up to 15 months for certain components, such as the Rewards V2 contract, hindering timely protocol upgrades.
- Sequential Processing: audits are conducted in a linear fashion, with only one thread at a time, leading to bottlenecks in development and deployment.
- Delayed Responses: feedback loops often span a week, and minor issues, such as naming conventions, have caused week-long delays and incurred additional costs.
These inefficiencies have resulted in missed opportunities and delayed integrations, impacting the protocol’s competitiveness and growth.
Comparative Analysis
When compared to other auditing firms:
- Cost Efficiency: alternative auditors have quoted services at approximately one-eighth the cost of OpenZeppelin, offering similar or enhanced support.
- Resource Allocation: other firms provide dedicated teams capable of handling multiple threads simultaneously, improving throughput and reducing time-to-market.
- Responsiveness: competitors have demonstrated faster turnaround times and more collaborative engagement models, aligning better with agile development practices.
Strategic Recommendations
Given the financial burden and delivery challenges:
- Initiate a Competitive RFP Process: solicit proposals from multiple auditing firms to assess cost-effectiveness, delivery capabilities, and collaborative potential.
- Diversify Auditing Partners: engage multiple auditors to distribute workloads, reduce bottlenecks, and foster a more dynamic security review process.
- Implement Performance Metrics: establish clear KPIs for auditing services, including delivery timelines, cost benchmarks, and quality standards, to ensure accountability.
- Reallocate Resources: consider redirecting funds toward development and growth initiatives that offer higher returns on investment and accelerate protocol evolution.
By addressing these areas, the Compound DAO can enhance its operational efficiency, reduce costs, and better position itself for sustained growth and innovation.
Final Recommendation
Do not renew OpenZeppelin’s contract.
Instead, initiate a competitive RFP process to source a new security audit provider better aligned with the DAO’s performance, cost-efficiency, and accountability requirements. Compound’s continued growth and credibility depend on agility and fiscal discipline, neither of which OZ currently supports.
Closing Thought
OpenZeppelin was the right partner for a different era. Today, Compound must evolve, prioritizing protocol agility, cost optimization, and growth enablement. Renewing OpenZeppelin at $4 million/year is incompatible with those imperatives.
The DAO can, and must, do better.