OpenZeppelin Security Updates for April 2022

Governance Process
1

Simple Summary

Over the course of April, OpenZeppelin completed an audit of the new open oracle upgrade and will next audit several small PRs before starting a longer audit of Compound’s new protocol version, codenamed Comet. We reviewed the security of asset listings and created a Process for the community to securely assess new assets by checking for known integration and market risks. Finally, we’ve created additional security monitoring bots that feed alerts into several newly organized Discord channels that can be added to the official Compound server.

Initiative Updates

Protocol Audits

Audits Delivered

Open Oracle Upgrade

This is a refactor of the already existing open oracle solution that allows for a migration to Uniswap v3 liquidity pools. There were no major issues found and we’ve reported some minor issues that the ChainLink team has resolved. The audit report can be viewed here.

Asset Listing Process

After completing the Open Oracle Upgrade, we then focused on researching the potential issues that can arise with asset listings. Instead of auditing individual Asset Listing Proposals, we’ve instead created an Asset Listing Process with a Checklist of info for new assets to provide that the community can review. We’ll explain this in more detail in the Security Advisory section.

Upcoming Audits

After completing the Asset Listing Process, we plan to first audit two small PR changes from @arr00 which will start on May 9th. After this, we will begin auditing the new Comound version produced by Compound Labs, codenamed Comet. We expect this audit to take 4 weeks to complete followed by a round of reviewing any necessary fixes. This audit comes after the Comet codebase has already been reviewed by Certora and Chainsecurity so we don’t expect to find any critical issues but we will still approach it with our usual level of scrutiny.

Upcoming Changes to Audit:

If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.

Security Advisory - Asset Listings

The primary focus for us this past month has been defining a secure asset listing process. We first performed a review of the existing practices and tooling that the Compound community has been using for past asset listings. We took everything we found along with our own understanding of Compound’s asset risks and distilled it into a GitHub repository containing a Process and Checklist that were informed by known Risks.

We made this repository public and shared it with the Compound community for feedback during the last community call. We’ve also spoken to the Gauntlet team about their involvement in assessing market risks for new assets and they’ve indicated that they’ll be sharing a more detailed process for evaluating asset listings in the coming weeks.

For current and future asset listing proposals, we recommend that this Asset Listing Process be utilized starting with the Checklist and the following steps of assessment before a governance proposal is submitted. You can see the summarized Process steps below.

  1. Initialization - Forum post is made and Checklist information is provided
  2. Community Check - Community member(s) review and verify the given information
  3. Risk analysis - The market risks are assessed based on available data. Gauntlet is currently working on a risk assessment framework to be used at this stage
  4. Tooling and simulations - Community member(s) run eth-saddle or another specified tool to check if the implemented contract matches the base implementation with the expected parameters.
  5. Contract deployment - Proposal author(s) deploy the needed contracts and provide their deployed address in the same forum post.
  6. Proposal Draft - A governance proposal is drafted. It must include _supportMarket and _setCollateralFactor at least.
  7. Audit (optional) - If requested, the Proposal is reviewed by security auditors. This can be done by OpenZeppelin or another third-party hired by the proposal author. We’ve previously noted that auditing every asset listing proposal is infeasible which is why we make this step optional and emphasize that the community should use prior steps to check for known integration issues after verifying Checklist information.
  8. Proposal Submission - Proposal is submitted on-chain for voting.
  9. Post-Launch Parameter Update - Sometime after a proposal passes, the community can decide to eventually increase collateral factor to a safe level and set the reserve factor in line with other assets. Borrow limits can be optionally set.

This new Process addresses the potential integration issues that can come from new asset listings such as the TUSD issue. We appreciate the community’s patience in waiting for this process to be defined and we ask that currently pending asset listings now start with the Checklist and work their way through each step. Some pending proposals have already accomplished some steps such as running testing simulations so we hope that the remaining steps to be done can be performed promptly.

We’ve also noted that this process is only an initial version and that future improvements should be made as listed in our ReadMe. While we intend to make our own tweaks as we learn more in future audits, we will need community feedback and contributions to maintain the Process over time. Checklist automation, tooling improvements and better community organization of proposal assessments will be critical for ensuring the Process grows with the needs of the protocol.

Security Monitoring

Discord Activity Feed

Over the past month, we have added security alerts to our “Test For Alerts” Discord server, provided by the Forta Bots monitoring Compound smart contracts. We also created a separate channel for governance alerts so that they are no longer hidden among the many market activity alerts. We have also created additional Forta Bots to monitor other suspicious or concerning transactions. The current channels available are:

  • comp-market - Market activity (Supply, Borrow, Repay, etc.)
  • comp-governance - Governance activity (proposals created, proposals executed, votes cast, etc.)
  • comp-security-monitor - Alerts from Forta Bots

After running our Discord alerts in the Test Server for the past month, we plan to migrate these channels over into the main Compound Discord Server after receiving final feedback from the community. We will also be providing examples of each alert type in the coming days that will be posted below once final testing has been completed.

Forta Monitoring Agents

Based on discussions between the auditing and monitoring teams, we created additional Detection Bots to monitoring potentially concerning transactions:

  1. Community Multisig Transaction Monitor - This Detection Bot monitors the Compound Community Multisig smart contract for important transactions, including adding/removing owners, assigning a new Pause Guardian, setting a new Borrow Cap, etc. The full list of monitored events and associated Forta alerts can be found in the documentation.
    1. Forta Explorer Link: https://explorer.forta.network/agent/0x5684f8bc81da57dc433ad0ff957446abd4c5547a3e8e04d8c1e7ede1a4a04b2e
    2. IPFS README.md: https://ipfs.forta.network/ipfs/QmTzYKiYNeqw94MgwWw1VTm51F8bDhtY4qjDTiGKhvFerq
  2. Low Liquidity Market Attack Monitor - This Detection Bot monitors Compound Finance cToken contracts that have low liquidity for potential market attacks where a malicious actor mints cTokens and then transfers additional tokens in order to unbalance the contract such that subsequent mints will not yield cTokens.
    3. Forta Explorer Link: https://explorer.forta.network/agent/0x2ae467a39c7b107cd85878a53abfcc218ae37b7a66d7707f0d66929fbdb2f600
    4. IPFS README.md: https://ipfs.forta.network/ipfs/QmVMGzPZTv2xSieTpJFmoto5UzJm2gTTYWR7UfMhJ5iJGs
  3. cToken Underlying Asset Monitor - This bot monitors the underlying assets of Compound Finance cToken contracts. First it determines which assets are deployed using upgradable proxy contracts and then it monitors those contracts for any upgrade events to detect when the implementation for a cToken’s underlying asset may have changed.
    5. Forta Explorer Link: https://explorer.forta.network/agent/0x3f02bee8b17edc945c5c1438015aede79225ac69c46e9cd6cff679bb71f35576
    6. IPFS README.md: https://ipfs.forta.network/ipfs/QmR3GyW9ZEgZpkgVPmCi38XK81P9ZAR5UFF84jRsTv8Lv7

Existing Forta Detection Bots

These Detection Bots were previously deployed and are still monitoring (see the March 2022 update for more details):

  1. GovernorBravo Event Monitor
  2. Compound Distribution Monitor
  3. cToken Transaction Monitor
  4. Large Borrows Governance Monitor
  5. Oracle Price Monitor

Future Dashboard

We continue to work on creating a public dashboard in Dune Analytics for giving the community a single view of all the activity and security alerts on Compound over a long period of time. We are still waiting on integration work to be completed and so have focused instead on improving the Discord channels and adding more Forta agents as we wait for the integrations to be completed by a separate team.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for feedback on the following:

  1. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
  2. Review our Asset Listing Process and share any feedback on how it can be improved in this forum or as Pull Requests against the repository, including the Future Improvements we’ve highlighted. If you are making a listing proposal, please start with providing information listed in the Checklist.
  3. Take a look at our new monitoring bots and give us feedback to improve and focus on threats important to the community.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram or email:

3 Likes