Compound Community, we encourage you to please continue reviewing our fulsome proposal, where we worked hard to set out in detail the nature of the services we provide to Compound and related data highlighting our recent work (e.g. number of audit weeks). We believe the proposal, together with our day-to-day security services and communications with the community over the past 3 years, has consistently met the high degree of quality and transparency demanded by a fully decentralized protocol.
We believe our track record speaks for itself and highlights our long-term commitment to the success of Compound; however, we are responding to Bryan’s post above because it ignores the key term we have built into our renewal proposal for the benefit of the community (namely, Compound retains an option to cancel our renewal with 3 months’ notice if and when a proper process or vendor selection process is agreed to).
Further, the post contains a number of harmful misrepresentations that should be either retracted or corrected (further details regarding such inaccuracies below).
We welcome any good-faith follow-up questions about our proposal or the related information. Going forward, we expect constructive dialogue based on facts. We will not engage with any further statements that cannot be substantiated by objective sources.
As always, we thank the community for its continued support.
Material corrections:
OpenZeppelin has maintained a long-standing commitment to Compound’s success, consistently taking principled positions to safeguard the protocol, even when that meant highlighting issues on specific proposals or noting practices we believe could put the protocol at risk. Our actions are guided solely by a responsibility to ensure the long-term security and resilience of Compound.
The portrayal of our engagement as rigid or misaligned does not reflect the reality of our collaboration. We currently manage multiple concurrent workstreams with dedicated researchers and management capacity. Delays typically stem from incomplete scopes or code submissions, rather than our independent review processes. We continue to prioritize responsiveness, flexibility, and deep protocol understanding, and we are always working to expand our support as the DAO matures its operational framework.
In the case of Rewards v2, despite recommendations from OpenZeppelin and Compound Labs for a simpler approach to Rewards v2, a more complex solution was chosen that required significant off-chain infrastructure and extended development timelines. The initial code submission contained security vulnerabilities that posed risks to fund safety and required multiple revision cycles. Development of the off-chain infrastructure remains ongoing.
Additionally, in the case of the Ethena integration, we did not receive a project scope for review nor a Sonic scope before Sonic announced the discontinuation of their integration efforts.
The statements above appear to deflect issues with third-party development and proposal processes, rather than identify substantive community concerns regarding OpenZeppelin’s review of such proposals. OpenZeppelin’s independent security role has become increasingly critical as growth initiatives have been used to provide justification for unaccountable actors to disregard established community standards and game risk mitigation processes, which potentially exposes protocol assets and reputation (as we have noted in related reviews). Regarding the claims about additional fees and delays, OpenZeppelin has never demanded additional fees, and project delays resulted from late delivery of project scopes rather than extended security review durations, as evidenced by the timelines documented in security reports.
OpenZeppelin has taken a leadership role in each event where Compound could have been at risk. Most of the delegates and the community multisig members can attest to our commitment and the value we provided on each of these incidents, which is evidenced by the continued support of our role to date.
OpenZeppelin was the first to flag the risk of a potential governance attack to the community in May 2024, weeks before the real threat materialized. To avoid a full review of that incident here, you can learn more about the incident in this external article. As part of our security reviews, we always highlight token concentration risks and related potential governance risks or economic attacks. The community has found these risks important to their decisions on proposals and our analysis in this regard has resulted in multiple proposals being rejected.
As noted, we fully support the importance of a robust vendor selection process. This is precisely why our current proposal includes a three-month notice period for termination—providing the DAO with flexibility should a formalized selection process be established, while ensuring independent security review of DAO activity at all times.
It’s worth highlighting that OpenZeppelin became Compound’s Trusted Security Partner through a competitive RFP process in November 2021 (Auditing Compound Protocol), in which we were selected over two other top-tier security firms by a majority vote. Since then, we’ve worked diligently to earn and maintain the community’s trust, consistently delivering on our long-term commitment to securing the protocol.
We also acknowledge that, given there is no current formalized process or Foundation to do this, it would be imprudent to stop things midstream during our proposal renewal, as it could leave the DAO exposed during any such period.
As indicated above, Compound’s original proposal for the number of audits, auditor weeks and other relevant metrics was requested and driven by the CEO of Compound and the community based on the understanding that a full-time dedicated security partner would enhance the Compound brand as the most secure protocol in the space and ensure the protocol’s healthy operation under decentralized governance. Since that time, OpenZeppelin has protected the protocol and the brand of Compound and has made sure that all security incidents are escalated to the community for mitigation.
OpenZeppelin provides a dedicated team that supports Compound across audits, governance reviews, incident response, and ongoing strategic security guidance. In our current proposal, we’ve also outlined additional areas of coverage, such as infrastructure and operational security, to ensure we adapt to the changing needs of the market. We believe a committed and structured counterpart in the community would enable us to deliver the full breadth of our security capabilities in keeping with Compound’s original needs. This level of embedded expertise has helped Compound maintain a strong security posture through multiple protocol evolutions, community changes and market needs.
Compound has been a pioneer in fully decentralized governance and operations. Making comparisons to other DAOs or projects without a proper understanding of what type of services, dedicated personnel, and overall security requirements are required based on their unique structures is misleading.
As mentioned previously, OpenZeppelin is open to evolving our engagement model to better align with the DAO’s needs and financial constraints through an RFP process, once a formal DAO RFP process is in place, whether implemented by the Compound Foundation or otherwise.