OpenZeppelin Security Partnership Renewal 2025

Speaking with only my Compound delegate hat, $4M a year for security services is currently unsustainable. That is why I support this proposal with the 60 day exit clause to pursue a new arrangement. The Foundation and CGWG are now established to ensure that time window is used to effectively address all the questions you’ve raised and come out the other side with a more sustainable program.

However, any suggestion that a long-standing vendor should work without pay should be dismissed out of hand if the DAO wishes to solicit bids from other reputable security firms that only have time to work with fair counterparties. No one wants to work for a DAO that seriously suggests vendors should work for free while running a last minute evaluation that could also replace them.

1 Like

I get the point about not asking vendors to work for free. But $16 million over four years is a lot, and it’s fair to say that’s been more than generous.

If there’s talk about exploring new vendors, shouldn’t a long-time partner be willing to show their commitment by continuing for just two more months? Especially considering how much they’ve already been paid?

And if compensation during that time was the large concern, why not revise the proposal to include reduced pay until there is a solid roadmap and growth plan? That would’ve been a more balanced approach.

2 Likes

With respect to the RFP process, I want to highlight that our team will be shipping several features and proposals in the coming weeks, and it’s important for us to avoid gaps in security coverage. We’d appreciate any solution that ensures audits continue smoothly while the RFP is in progress. If there is no allocated auditing team, it could lead to postponing any on-chain proposal from a few weeks to a few months.

4 Likes

Compound Foundation (starting operations next week) recognizes the engagement and feedback on this proposed renewal of OpenZeppelin’s security partnership. The topic of unsustainable costs of the current arrangement surfaced a few times with different delegates, and we support embarking on an immediate RFP process in concert with CGWG.

Compound’s brand is synonymous with trust and security, and we believe that maintaining uninterrupted security coverage is absolutely critical. Discontinuing OpenZeppelin’s services without a replacement would present unacceptable risks to the protocol’s security posture, and the complexity of vetting alternatives, conducting negotiations, aligning on a transition plan and executing will require time.

Given these competing priorities, we have requested that OpenZeppelin reduce their termination clause from 90 to 60 days. If the current proposal passes, the Foundation intends to immediately trigger this clause on July 1st, concurrently launching an RFP in coordination with the CGWG and working closely with delegates to identify an appropriate arrangement for Compound while not compromising on security and time to market (such as the upcoming Woof! upgrades).

Therefore, we support this short-term renewal as the best available option. As a side note, once the Foundation is fully operational, we will seek to manage such renewals strategically together with CGWG, so that short-term extensions while an RFP is in session will not be necessary.

8 Likes

We appreciate the Foundation’s leadership and we support the coordinated RFP approach with CGWG.

This RFP process is an opportunity for the DAO to realign and potentially refocus the scope we have diligently covered at a flat rate each year over the last several years despite its growth in volume and complexity.

We commend the Foundation’s commitment to addressing sustainability concerns while maintaining security standards through this process. At just 0.4% of the protocol’s ~$162M treasury value, the 60-day cancellation period is a prudent investment to ensure uninterrupted coverage until decisions are made on the future scope and direction of the DAO’s security coverage.

We appreciate the DAO’s continued trust and remain committed to maintaining Compound’s security, whether continuing our partnership or facilitating any potential transition.

1 Like

Entersoft Audits Response to Security Partnership Opportunity for 2025 / 2026

Entersoft Audits is excited to express strong interest in participating in Compound’s security RFP and would be honoured to support the DAO in its next phase of growth and resilience. I see massive potential to uplift the current security posture to enhance Compound’s credibility and trust in the ecosystem.

We bring over a decade of global cybersecurity expertise across both Web2 and Web3 ecosystems. Since 2016, we’ve worked with leading CEXs, DEXs, DeFi protocols, L1 & L2 chains, and a magnitude of projects with a blend of offensive cyber security and risk-aligned strategies.

Entersoft Audits has additionally worked extensively with Tier 1 enterprises across financial services, banking, media, government, critical infrastructure, telco and more, delivering deep expertise across regulated environments and high-stakes digital systems. With an elite team of ethical hackers highly accredited with certifications such as CRT, CPSA, OSCP, CEH, CISSP, CISSM and more, the organisation is also ISO 27001 certified, CERT-IN empanelled and a CREST Accredited Member.

Our services are holistic, and we are a Managed Security Services Provider who integrates and works with your team around the clock. Services include:

  • Smart Contract & Protocol Audits
  • Offensive Penetration Testing – Web, API, Mobile, Node, RPC, Infrastructure, Cloud, Front-end, DApps, Secure Source Code Audits
  • Architecture Reviews & Threat Modelling
  • 24/7 Security Operations Centre (SOC) with real-time Threat Monitoring & Incident Response
  • Governance, Risk & Compliance – including ISO 27001, SOC 2, CPS 234, GDPR, MAS, DFSA and other regulatory frameworks
  • Virtual CISO (vCISO) & Strategic Security Advisory
  • DevSecOps & Secure SDLC Integration
  • DeFi-Specific Risk & Governance Reviews
  • Cybersecurity Training & Awareness Programs for engineering and DAO teams
  • Cyber Insurance

We go above and beyond just basic Audits. We become your trusted embedded security partners, supporting everything from internal security hygiene to third-party and supply chain resilience.

Crucially, Entersoft Audits highly recommends and supports a multi-vendor security approach. We believe this is best practice, allowing for diverse perspectives, broader coverage, and improved responsiveness.

We are ready to collaborate with other firms to bring round-the-clock support, faster iteration, and a more agile security posture to Compound—while remaining cost-effective and results-driven.

We’d welcome the opportunity to work alongside the DAO to raise the bar on protocol security, continuity, and decentralised resilience.

– Paul Kang
Director, Entersoft Audits
Telegram: @entersoft
LinkedIn: https://www.linkedin.com/in/pkangduck

Although we’re in agreement with @cylon and @Compound_Foundation that extending the contract for 60 days is the pragmatic choice, we’re still voting AGAINST to signal our displeasure at OpenZeppelin’s extractive relationship with Compound. (We still fully expect the vote to pass.)

Given that OZ has been overcharging Compound since December 2021, it would salvage substantial goodwill if they offered their full support to the handoff at a free or reduced rate, to @bryancolligan’s point. If OZ were acting in good faith, they should have made a proposal to renew a few months before the expiration of their contract, rather than waiting until the very last minute so the DAO would have no other choice but to renew for the handoff.

As it currently stands, FranklinDAO plans to vote against any future service contracts proposed by OpenZeppelin on Compound or any other DAO we serve as a delegate for.

2 Likes

As announced over the forum last week, today, July 1st, the Foundation triggers the 60-day termination clause with OpenZeppelin as part of the initiative to engage in a formal RFP process on behalf of the DAO.

Over the coming weeks, we will work closely with interested providers, including OpenZeppelin, CGWG and other delegates to ensure we find the best path forward for Compound.

3 Likes

To terminate the stream per the intent announced by the Foundation, a governance proposal must call terminateStream on the streaming contract as described below.

OpenZeppelin will create a proposal that will terminate the stream with the 60-day notice if enacted.

1 Like