OpenZeppelin Security Updates for August & September 2022

Simple Summary

OpenZeppelin has completed several audits over the last couple months, including Proposal 122 in preparation for the ETH Merge. We’ve supported the community’s response to the cETH Price Incident and published a post-mortem for further security improvements. We’ve released new monitoring capabilities for Compound V3, improved governance monitoring and on-chain proposal automation. We also intend to submit our next compensation proposal for Q4 by the end of this week.

Initiative Updates

Protocol Audits

Over the past two months, we’ve delivered audits of the changes listed below. Most of the findings that came up were minor and were shared directly with the protocol teams or in a gist format.

Audits Delivered

  1. PR516: Improvements to CometProxyAdmin and Configurator
  2. New Interest Rate Model for cETH - Submitted as Proposal 122
  3. PR14: Fixes for the UAV3 Upgrade

We have a very minimal backlog going forward with only one item upcoming for Compound Labs. We’ll be using any additional audit time to further optimize monitoring and improve security processes for Compound.

Audit Backlog

  1. Compound V2 → V3 Migrator by Compound Labs

If you are planning to propose a protocol change within the next 3 months, please reach out to ensure we have you considered in our schedule.

Security Advisory

A big focus for us this last month was supporting the response to the cETH Price Incident that occurred as a result of the UAV V3 upgrade. OpenZeppelin worked alongside other community members to ensure the protocol was safe during the incident, validated protective measures and eventually published a post-mortem that can be read here.

Going forward, our advisory focus will be to help the community implement security recommendations that were raised in our post-mortem. We also wish to form a community working group that can discuss security best practices and implement policies that are widely followed.

As we work to form this group, we ask the community to consider the following recommendations that we’ve proposed:

  1. Make Proposal Simulations an Explicit Requirement for Upgrades - OpenZeppelin will also be checking this requirement as part of our audit process for Compound proposals going forward.
  2. Implement a change management process for protocol codebases
  3. Explore measures to rollback governance upgrades instantly
  4. Improve the protocol’s response capabilities through the Pause Guardian - This was already a focus of ours prior to the incident so we’ll continue to expand on this going forward.

OpenZeppelin is planning to hold a security-focused community call in early October to discuss these measures in more detail and encourage all developers that make contributions to the protocol to share feedback and signal support for new policies.

Security Monitoring

On the security monitoring front, we’ve been very busy working to extend our support for Compound V3 and make other improvements to governance monitoring and automation. A full list of our feature releases is shown below:

  1. Released ALPHA V3 Market Feed in Discord - We released this new monitoring feed for Compound V3 markets. It’s currently in Alpha as we receive community feedback to improve its accuracy and reporting although we expect it to be fully mature in a short period.
  2. Governance Feed Improvements - We’ve incorporated community feedback to add the following features:
    1. Added @here mentions in alerts for new proposals to increase community awareness
    2. Stopped displaying Compound Governance votes below a low threshold (1 COMP) to reduce noise from dust accounts
    3. Created periodic Discord alerts for the status of active proposal votes including quorum progress
    4. Added support for “Abstain” votes for Compound Governance proposals
  3. Governance Proposal Automation - We’ve added automation in OpenZeppelin Defender to automatically queue and execute proposals in a timely manner from this Relayer EOA. We released queuing during the cETH Price Incident to speed up the fix proposal’s timeline and will also be enabling executions to be automatic starting this week. We are currently funding gas costs for this Relayer ourselves but we may eventually create a governance proposal to fund these costs through DAO funds alongside other community tools such as the gasless voting and delegation system. PLEASE NOTE: Expect Compound DAO proposals to be queued and executed automatically from here on out. If you are creating a time-sensitive proposal, please be sure these automations will not be an issue.
  4. V3 Liquidatable Positions Bot - We’re working on a Forta bot that detects large liquidatable positions as a way for the protocol’s health to be monitored by the community (we don’t expect this will be used for liquidator bots). This bot is still in final review but an initial Forta deployment can be seen here.
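As an added illustration of the governance-feed rules described above (suppressing alerts for votes below 1 COMP, labelling “Abstain” votes, and periodic status alerts with quorum progress), here is a small filter over GovernorBravo-style VoteCast events. This is example code written for this page, not OpenZeppelin’s Defender or Forta code. It assumes the GovernorBravo support encoding (0 = Against, 1 = For, 2 = Abstain), 18-decimal COMP amounts, and that only “For” votes count toward quorum; the quorum figure and the vote events are constructed placeholders.

```python
"""Governance feed filter for GovernorBravo-style VoteCast events.

Added example, not OpenZeppelin's or Compound's code. Assumptions: VoteCast
carries (voter, proposalId, support, votes) with support 0 = Against,
1 = For, 2 = Abstain; amounts are raw 18-decimal COMP units; only For votes
count toward quorum. QUORUM_VOTES and the sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

COMP_WEI = 10**18
DUST_THRESHOLD = 1 * COMP_WEI          # votes below 1 COMP are not announced
QUORUM_VOTES = 400_000 * COMP_WEI      # placeholder quorum for the example
SUPPORT_LABELS = {0: "Against", 1: "For", 2: "Abstain"}


@dataclass(frozen=True)
class VoteCast:
    voter: str
    proposal_id: int
    support: int
    votes: int  # raw 18-decimal COMP units


@dataclass
class ProposalTally:
    proposal_id: int
    for_votes: int = 0
    against_votes: int = 0
    abstain_votes: int = 0


def fmt_comp(raw: int) -> str:
    """Render raw 18-decimal units as whole COMP with two decimals."""
    whole, frac = divmod(raw, COMP_WEI)
    return f"{whole:,}.{frac // 10**16:02d}"


def vote_alert(event: VoteCast) -> Optional[str]:
    """Discord line for one VoteCast, or None when the vote is filtered as dust."""
    if event.votes < DUST_THRESHOLD:
        return None
    if event.support not in SUPPORT_LABELS:
        raise ValueError(f"unknown support value {event.support}")
    return (f"{event.voter} voted {SUPPORT_LABELS[event.support]} on proposal "
            f"{event.proposal_id} with {fmt_comp(event.votes)} COMP")


def tally(events: Iterable[VoteCast]) -> Dict[int, ProposalTally]:
    """Aggregate votes per proposal. Dust votes are silenced in the feed but
    still count on-chain, so they are included here."""
    tallies: Dict[int, ProposalTally] = {}
    for e in events:
        t = tallies.setdefault(e.proposal_id, ProposalTally(e.proposal_id))
        if e.support == 0:
            t.against_votes += e.votes
        elif e.support == 1:
            t.for_votes += e.votes
        elif e.support == 2:
            t.abstain_votes += e.votes
        else:
            raise ValueError(f"unknown support value {e.support}")
    return tallies


def quorum_progress_pct(t: ProposalTally) -> float:
    """Percentage of quorum reached; Abstain votes do not move this number."""
    return min(100.0, 100.0 * t.for_votes / QUORUM_VOTES)


def status_alert(t: ProposalTally) -> str:
    """Periodic status line for an active proposal."""
    if t.for_votes >= QUORUM_VOTES:
        quorum_note = "quorum reached"
    else:
        quorum_note = f"{quorum_progress_pct(t):.1f}% of quorum"
    return (f"Proposal {t.proposal_id}: For {fmt_comp(t.for_votes)} | "
            f"Against {fmt_comp(t.against_votes)} | "
            f"Abstain {fmt_comp(t.abstain_votes)} COMP ({quorum_note})")


# Constructed sample events; not real on-chain data.
SAMPLE_EVENTS = [
    VoteCast("0xA11ce", 130, 1, 250_000 * COMP_WEI),
    VoteCast("0xB0b", 130, 0, 40_000 * COMP_WEI),
    VoteCast("0xCa51", 130, 2, 12_500 * COMP_WEI),
    VoteCast("0xD057", 130, 1, 3 * 10**17),   # 0.3 COMP: counted, not announced
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        line = vote_alert(ev)
        if line is not None:
            print(line)
    for t in tally(SAMPLE_EVENTS).values():
        print(status_alert(t))
```

The dust filter applies only to the per-vote announcements; the aggregate used for the status alert keeps every vote, because suppressing noise in the feed must not change the tally a reader relies on to judge whether a proposal will pass.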

Q4 Compensation Proposal

Finally, we also want to notify the community that we’ll submit our next quarterly adjustment proposal this Friday, Sep 23rd so that it will be executed by Sep 30th. It will follow the same structure as our last proposal as a lump sum payment of $1M in COMP based on a weekly VWAP.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Specifically, we ask the community for the following:

  1. Keep us informed of any protocol changes we might need to audit in the near future.
  2. Developers should read the cETH Price Incident Post-mortem and plan to participate in a new security working group with meetings planned for early October. Share any additional ideas for security improvements that you have in the forum.
  3. Take a look at our new monitoring and automation features. Share feedback and ideas for further improvements.
  4. Keep an eye out for our upcoming Q4 Compensation Proposal and give it your support so we can continue our partnership.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram or email:


Our Q4 Compensation Proposal is now live.

It should be ready for voting by next Monday.