OpenZeppelin Security Updates for Jan 2022

Summary

Starting on Dec 21st, 2021, OpenZeppelin has been selected to offer the Compound DAO security services including continuous audit, security advisory, and monitoring. My name is Michael Lewellen and I am acting as OpenZeppelin’s Protocol Security Advisor (PSA) for the Compound community.

Our first immediate objective is to audit the existing contracts for the Compound protocol to establish a baseline of understanding to better audit future protocol changes. We are also working to develop security processes for the community and gather requirements for building an open monitoring system. Each of these three initiatives is expanded below.

Motivation

This post acts as a general update to the Compound community on OpenZeppelin’s security initiatives. We will be sharing similar updates on the Compound Forum every month going forward as well as a Quarterly Retrospective to accompany our distribution adjustment proposals. Our goal here is to show progress on our partnership objectives and provide the community opportunities to collaborate on security initiatives and share feedback.

Initiative Updates

Protocol Audits

OpenZeppelin’s most important responsibility is auditing governance proposals for protocol changes. We have two audits now in progress and several more in our pipeline. We have a team of 2-3 auditors who will be focused on Compound full-time going forward so that waiting times for audits are kept to a minimum.

Current Audits in Progress

Compound Deployed Contracts

  • Overview: We are auditing all deployed Compound contracts that impact the security of governance proposals. We will use this as a baseline to build internal knowledge of the Compound protocol for future proposal audits as well as security advisory and monitoring recommendations. The only exception is that we are not auditing the currently deployed CToken contracts as those will be covered in the audit of the CToken Refactors. We don’t expect to find any serious vulnerabilities given that the code has been heavily used, but we will provide feedback for potential house-cleaning items and security recommendations to consider implementing.
  • Timeline: Work started on Jan 24th and a completed report is expected to be published in late February or early March
  • Scope Details: https://gist.github.com/cylon56/b5193f19f249b2702e3844f83ac7b550#compound-deployed-contracts
  • Participants: We are actively communicating with the Compound Labs team as well as many community developers. We don’t expect serious vulnerabilities to be uncovered in this audit but if they are, we will report them immediately to the Community Multi-sig to determine remediation steps before publishing details to the rest of the community.

CToken Refactor

  • Overview: A refactoring of the CToken contracts that have already been audited by Chainsecurity and are waiting to be rolled out. We are auditing this in lieu of the existing deployed CToken contracts to save time so we can work on them in parallel with the audit of the remaining deployed contracts for Compound.
  • Timeline: Work started on Jan 24th and a completed report is expected to be published in late February or early March
  • Scope Details: https://gist.github.com/cylon56/b5193f19f249b2702e3844f83ac7b550#ctoken-refactor
  • Participants: We are actively communicating with the Equilibria team that has worked on this as part of a community grant. We will be working with Equilibria to resolve any issues found in the audit and will then publish the report for the community to review prior to any governance proposals being submitted for an upgrade vote.

Audit Backlog

We are aware of several proposed changes in our pipeline to review after our current audits are complete. We have not yet determined the exact order of priority to assign to these items but we plan to publish our future decisions and are open to suggestions from the community. We also expect that the backlog wait will be reduced in the coming months after the initial Deployed Contracts and other pending proposals are out of the way.

Upcoming Proposals to Audit:

  • PR150: Oracle Improvement to Chainlink Price Feeds
  • PR177: Enable Transfer ETH from Timelock
  • Multi-chain Strategy Updates from Compound Labs (slide details)
  • PR95: Compound supply cap

If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.

Security Advisory

Security Advisory encompasses all ways in which we advise the Compound community on security measures to better protect the protocol outside the immediate scope of audits. While we expect a lot of future recommendations to come out of our initial audit of the protocol, we are already researching some opportunities for security guidance.

Our current security advisory focuses include:

  • Security Proposal Process - defining a set of security measures to secure governance proposal changes outside of audits. We have already published a draft process focused on audit preparation which we plan to expand on in the coming weeks with more detailed security checklists.
  • Tooling Recommendations - we are exploring different tools for securing and deploying governance proposal code which includes both OpenZeppelin and third-party tooling. We will start by collaborating with the Equilibria team to test our recommendations in the deployment of their CToken Refactor proposal after our audit is complete.
  • Asset Listing Security - while we are not currently involved in reviewing asset listing proposals due to the pressing need to audit protocol changes, we do plan to be part of the conversation. We are actively talking to the Gauntlet team to be aware of potential security concerns and plan to eventually publish security guidelines to assist the community in assessing the technical security risks of integrating with new collateral assets.

There are other security measures that we hope to advise on in the near future including bug bounties, incident response, and learnings that may result from our protocol audit. We are always looking for feedback and suggestions from the community as many of these initiatives will require community participation to be successful so please don’t hesitate to get involved.

Security Monitoring

Our first objective is to build an initial version of a Security Monitoring Dashboard for the Compound community. We are currently gathering requirements on what metrics should be included in this dashboard and which tools should be used to build it. We plan to narrow down a list of potential metrics to a few to start with for detecting security issues that can be stopped or mitigated by early detection. We are aiming to release an initial version of this Security Dashboard by the end of March and will share our requirements list prior to starting development for community feedback.

While we are still developing the initial architecture of this solution, we are planning to include the use of Forta, a real-time threat detection protocol for smart contracts incubated by OpenZeppelin. Forta allows anyone to build and deploy detection agents to a decentralized network of node operators that can monitor on-chain activity. Forta is currently in its testnet phase and is planning a mainnet release in the coming months.

OpenZeppelin will sponsor the development of Forta agents for Compound that will feed monitoring data into our Security Dashboard solution. We plan for this solution to evolve iteratively with new monitoring metrics being added over the next year of our partnership. We also encourage the Compound community to participate in developing agents of their own to show that security monitoring can be an open, community-led process. Some PoC examples of Forta Agents for Compound have already been developed through the past grants program.
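To make the monitoring plan above concrete, here is an added example of what a Forta detection agent looks like. It is not code from this post, from OpenZeppelin, Compound Labs or the Forta project: it only mirrors the handler shape a Forta agent exposes (a `handleTransaction` function that receives a transaction event and returns findings). The `forta-agent` SDK normally supplies the `Finding`, `FindingSeverity` and `FindingType` types and decodes event logs for you; those pieces, the watched contract address, the event names and the borrow threshold are all local stand-ins and constructed values here so the file runs offline under plain Node.js.

```javascript
// Added example for this thread; not code from OpenZeppelin, Compound or Forta.
// It sketches the shape of a Forta detection agent: `handleTransaction` gets one
// transaction event and returns zero or more findings. The SDK pieces are stubbed
// locally (an assumption about their field layout) so this runs with plain Node.

// Hypothetical configuration: placeholder address and constructed event names,
// standing in for whatever metrics the community decides to watch.
const WATCHED_CONTRACT = "0x000000000000000000000000000000000000c0de"; // placeholder, not a real address
const ADMIN_EVENT = "AdminChanged";      // constructed event name
const BORROW_EVENT = "Borrow";           // constructed event name
const BORROW_THRESHOLD = 1000000n;       // constructed threshold, in token base units

// Local stand-ins for the SDK enums.
const FindingSeverity = { Info: "Info", Medium: "Medium", High: "High" };
const FindingType = { Info: "Info", Suspicious: "Suspicious" };

// Build a finding in the same field layout the SDK's Finding object uses.
function finding({ name, description, alertId, severity, type, metadata }) {
  return { name, description, alertId, severity, type, metadata };
}

// Rule 1: an admin change on the watched contract should only ever come from a
// governance proposal, so any occurrence is a high-severity alert for review.
function adminChangeRule(txEvent, log) {
  return finding({
    name: "Admin changed on watched contract",
    description: `Admin changed from ${log.args.previousAdmin} to ${log.args.newAdmin}`,
    alertId: "EXAMPLE-ADMIN-1", // constructed alert id
    severity: FindingSeverity.High,
    type: FindingType.Suspicious,
    metadata: { txHash: txEvent.hash, contract: log.address },
  });
}

// Rule 2: a single borrow above the threshold gets a medium-severity alert so
// operators can look early rather than after the fact. Returns null when quiet.
function largeBorrowRule(txEvent, log) {
  const amount = BigInt(log.args.borrowAmount);
  if (amount < BORROW_THRESHOLD) return null;
  return finding({
    name: "Large borrow on watched contract",
    description: `Borrow of ${amount} base units by ${log.args.borrower}`,
    alertId: "EXAMPLE-BORROW-1", // constructed alert id
    severity: FindingSeverity.Medium,
    type: FindingType.Info,
    metadata: { txHash: txEvent.hash, borrower: log.args.borrower, amount: amount.toString() },
  });
}

// Event name -> rule. Adding a monitoring metric means adding a row here.
const RULES = { [ADMIN_EVENT]: adminChangeRule, [BORROW_EVENT]: largeBorrowRule };

// The handler a Forta node would call once per transaction. `txEvent.logs` is
// assumed to hold already-decoded logs of the shape { address, name, args }.
function handleTransaction(txEvent) {
  const findings = [];
  for (const log of txEvent.logs) {
    if (log.address.toLowerCase() !== WATCHED_CONTRACT) continue; // other contracts are noise
    const rule = RULES[log.name];
    if (!rule) continue;
    const result = rule(txEvent, log);
    if (result) findings.push(result);
  }
  return findings;
}

// Constructed sample transactions for a local dry run (not real chain data).
const OTHER_CONTRACT = "0x000000000000000000000000000000000000beef"; // placeholder
const SAMPLE_TXS = [
  { hash: "0xtx1", logs: [{ address: WATCHED_CONTRACT, name: ADMIN_EVENT,
      args: { previousAdmin: "0x01", newAdmin: "0x02" } }] },
  { hash: "0xtx2", logs: [{ address: WATCHED_CONTRACT, name: BORROW_EVENT,
      args: { borrower: "0x03", borrowAmount: "5000000" } }] },
  { hash: "0xtx3", logs: [{ address: WATCHED_CONTRACT, name: BORROW_EVENT,
      args: { borrower: "0x03", borrowAmount: "10" } }] },
  { hash: "0xtx4", logs: [{ address: OTHER_CONTRACT, name: ADMIN_EVENT,
      args: { previousAdmin: "0x01", newAdmin: "0x02" } }] },
  { hash: "0xtx5", logs: [
      { address: WATCHED_CONTRACT, name: ADMIN_EVENT, args: { previousAdmin: "0x01", newAdmin: "0x04" } },
      { address: WATCHED_CONTRACT, name: BORROW_EVENT, args: { borrower: "0x04", borrowAmount: "9000000" } } ] },
];

// Run every sample through the handler; returns the number of findings per tx.
function runSamples() {
  return SAMPLE_TXS.map((tx) => handleTransaction(tx).length);
}

console.log("findings per sample tx:", runSamples()); // [1, 1, 0, 0, 2]
```

The point of the split between `handleTransaction` and the per-event rules is that each dashboard metric becomes one small, independently testable function, which is also the shape that makes community-contributed agents easy to review before they are trusted.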

We plan to keep the community updated on our progress. We also encourage the community to learn more about Forta on their own and feel free to ask questions at any time. More information can be found below:

Our Request to the Community

We are excited to be part of one of the first security DAO partnerships but we realize this is a new way of doing things for everyone involved. As such, we want to encourage the community to be open with their feedback and participate in these forum discussions so we know where we can do better. There is no direct point of contact, managing partner, or founding team for us to answer to. While we’ll always keep conversations going with the Compound Labs team and other key contributors, we answer to the DAO as a whole and so it is up to the community to make its voice heard.

You can help our security partnership be successful by:

  1. Share your plans for protocol changes with us and the rest of the community in Forum posts as early as possible so we can plan for audits.
  2. Express any security concerns with me and the rest of the community. If there’s an area where you think security is lacking, let us know! Better to ask dumb questions now than find stupid answers later.
  3. Leverage opportunities to learn about smart contract security with OpenZeppelin tools and resources. Play with the Ethernaut CTF, read our docs, and check out our workshops! If you have questions, feel free to reach out to schedule a time to talk with our team to learn more. We are also planning to hold Compound-focused workshops in the future so please share any topic suggestions or questions you may have.

Finally, keep building cool stuff for the protocol, and let us work with you to make this partnership a successful example of community-first security!

Share your feedback below or reach out directly to me on Discord, Telegram or email:

4 Likes

Great work getting organized so far @cylon, thank you!

2 Likes