OpenZeppelin Security Updates for June & July 2022

Simple Summary

Over the last couple of months, OpenZeppelin has completed an audit of the new Compound III protocol for Compound Labs, codenamed Comet. We finished development of our monitoring solution with the release of an all-in-one dashboard, and we plan to extend monitoring support to Compound III after its launch. Finally, we’re planning to provide security advice to the Pause Multisig to utilize the new monitoring alerts and improve incident response readiness.

Initiative Updates

Protocol Audits

Audits Delivered

Compound III: Comet

As planned in our last monthly update, OpenZeppelin conducted a comprehensive audit of Compound III, developed by Compound Labs. Our audit lasted from May 16th to June 17th and was followed by several weeks of working with the Compound Labs team on fix reviews and follow-up changes. The audit report is now published and can be viewed on our blog here: https://blog.openzeppelin.com/compound-iii-audit/

We found a total of 30 security issues, the majority of which were Low severity or Best Practice Recommendations. One High and three Medium security issues were raised and were either resolved with code changes or additional documentation to avoid misuse by privileged roles. We also included monitoring recommendations that could be added to our existing monitoring solution.

Overall, we are happy to have worked with such a high-quality codebase. We didn’t find any critical vulnerabilities and are glad to see robustness across the contracts even with novel designs. A short overview of the v2 → v3 protocol changes is available in this Twitter thread.

PR177 & PR193 for Arr00

In early May, we conducted a short audit for @arr00 of both PR193 for the Sweep Controller and PR177 to enable Timelock ETH Transfers. We found a collection of issues in both, which were promptly resolved. Both the initial audit findings and their resolutions are available in this gist: https://gist.github.com/cylon56/752f9061713a8d737e526fdce4b85f1f

PR193 was successfully passed by governance as part of Proposal 112.

Audit Backlog

With the audit of Compound III completed, we’ve found ourselves with a very minimal backlog going forward. We’ll be using any freed-up audit time to research vulnerabilities and find ways to optimize our monitoring for Compound.

Audit Backlog:

  • PR210 - Cleanup for Solidity versioning and compilation errors. It won’t be audited on its own but we will be including it in the next audit that utilizes these changes.

If you are planning to propose a protocol change within the next 3 months, please reach out so we can make sure you are considered in our schedule.

Security Monitoring

After over 6 months of development, we’ve finally reached a completion point for our Compound Security Monitoring Solution with the release of our Monitoring Dashboard built on Datadog. This dashboard allows anyone to check that monitoring is still running, even for bots that don’t fire off alerts often. We’re also open to adding additional visualizations if anyone has feedback to improve it further. The dashboard can be viewed by anyone here: https://p.datadoghq.com/sb/850f2502-f198-11ec-a588-da7ad0900002-35b87f502e81acbbd8c5762f50942869

Our monitoring solution now consists of 7 monitoring bots running on the Forta network. Their alerts are fed into OpenZeppelin Defender, which populates Discord channels in the community server and provides insights in the Datadog dashboard.

While we consider this monitoring solution to be complete, that does not mean that future work won’t be necessary. We intend to provide similar monitoring support for Compound III once it is launched which may include multiple instances deployed on other EVM networks. We also highly encourage the community to write their own Forta bots for Compound that could be included in our solution and ask that any future grant programs for Compound consider funding for community-built security monitoring, starting with ideas shared in the latest audit.

Security Advisory - Incident Response Readiness

With security monitoring in a completed state, our security advisory focus will shift to supporting incident response readiness to make use of this new alert system. We will start by working with members of the Pause Guardian Multisig to assess current readiness and help them develop strategies to quickly respond to potential security threats that would require rapid pausing.

If there are any other community members that would like to better understand incident response or have other advisory needs that pertain to Compound’s security, please don’t hesitate to reach out.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for feedback on the following:

  1. Keep us informed of any protocol changes we might need to audit in the future. We do not have any major audits in our pipeline for Compound at the moment so please reach out if you have any changes requiring an audit.
  2. Take a look at our new monitoring dashboard and overall monitoring solution to give us feedback to improve and focus on threats important to the community. Consider building your own Forta monitoring bots if you have an idea for security alerts we’re not currently providing. The community could also try implementing our monitoring ideas that came up in the Compound III Audit and consider funding for bot development in future grant programs.
  3. Let us know if there are any potential threats or policies that should be considered in our incident response readiness with the Multi-sig and the DAO.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram or email:
