OpenZeppelin Security Updates for March 2022

Simple Summary

During the month of March, the OpenZeppelin team published its comprehensive audit of the existing Compound protocol and raised integration risks with the current asset listing process in light of the TUSD finding. To address these risks, the audit team is reviewing the existing asset listing process to create a security checklist, and is auditing upgrades to the open oracle system. We are also releasing an initial version of our monitoring solution as a Discord feed that reports Compound activity and security alerts for the community to review. Finally, we’ve submitted a governance proposal for our quarterly compensation adjustment that is expected to be executed on April 4th.

Initiative Updates

Protocol Audits

Current Audits in Progress

Open Oracle Upgrade

  • Overview: This is a refactor of the already existing open oracle solution. The refactor includes a migration to Uniswap v3 liquidity pools. Given that oracle pricing feeds are a critical component of new asset listings, we’ve elected to audit this upgrade first to better understand the oracle system before moving to create an asset listing security checklist.
  • Timeline: Work started on March 21st and will be complete by the end of today, April 1st. A private report of the issues will be delivered to the development team so they can resolve any issues found before we make the report public for the community review prior to a governance proposal.
  • Scope Details: We are auditing commit 71b6db7dfdf7527783991fd6354aa7a063d1347d as the latest commit on PR#3 of the open-oracle repository.
  • Participants: We are working with the ChainLink team that developed this upgrade and have also been communicating with @Getty on the progress.

Asset Listing Process

  • Overview: Rather than audit any specific proposal, we are electing to audit the process for listing assets as it currently exists. We will first investigate how listing new assets on Compound could lead to integration issues similar to the TUSD bug. We will also review the tools and processes that Compound community members have used in the past. Our goal is to use our findings to generate a security checklist that an asset listing proposer and other community members can use to check for integration issues.
  • Timeline: Work is expected to start on April 4th and will be complete within two weeks. A report of the potential integration issues along with a security checklist will be released shortly after.
  • Scope Details: We will be looking at existing asset listing proposals such as FRAX and MATIC. We won’t be auditing them directly and will only use them as examples, although we will raise any security concerns we come across. We’ll also be reviewing existing tools and processes that Compound has developed for asset listings, including the following:
  • Participants: We’ll be asking the community for feedback in the next community developer call to hear whether there are any other tools and processes we should consider for our audit of the existing asset listing process. We also welcome anyone reaching out directly.

Audit Backlog

Upcoming Proposals to Audit:

  • PR177: Enable Transfer ETH from Timelock
  • Multi-chain Strategy Updates from Compound Labs (slide details)
  • PR95: Compound supply cap

If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.

Security Advisory

The main focus for our security advisory this month will be creating a security checklist for listing assets, which will be developed as part of the Asset Listing Audit previously mentioned.

It’s important to note that this security checklist will require community participation to work effectively. The initial checklist will require proposers and community members to check for security issues and validate that the requirements of the checklist are satisfied. While the OpenZeppelin audit team could also perform these checks on every proposal, it would come at the expense of protocol change audits, which the community has signaled as a higher priority.

We do expect to explore additional solutions following the creation of a security checklist that could accomplish what the checklist requires without manual review. This could include automated tooling, testing frameworks or other tools already used by Compound community members. We welcome community feedback on potential tools to consider as well.

Security Monitoring

Discord Activity Feed

We’re happy to share that we’ve developed a first iteration of our security monitoring solution that the Compound community can review. This solution will already seem familiar to many community members as it is emulating the Discord bot-feed developed by @blck. Our aim is to replicate and then add to that functionality so that alerts are available to Compound community members in Discord in a way that feels familiar. These alerts are provided using both Defender Sentinels and Forta agents.

Community members can see a live version working in this Discord server “Test For Alerts”: https://discord.gg/eCg7MtXRxp

We plan to migrate this feed into the Compound community Discord and replace the existing bot-feed within the coming weeks.

Forta Monitoring Agents

To better understand how the alerts in the activity feed are generated, and how that differs from the previous feed, the community can also view the Forta agents we have developed to detect suspicious activity. More on each Forta agent we have developed is available below:

  1. GovernorBravo Event Monitor: This agent monitors the Compound Finance GovernorBravo contract for specific emitted events related to Proposals and Voting. All alert types and severities are set to Info.
  2. Compound Distribution Monitor: This agent monitors the Compound Finance Comptroller contract for distribution events that exceed a configurable threshold. Alert type is set to Suspicious and severity is set to High.
  3. cToken Transaction Monitor: This agent monitors Compound Finance cToken contracts for common market events like Mint, Borrow, etc. Monitored events are specified in the agent-config.json file, with associated Finding types and severities for each one.
  4. Large Borrows Governance Monitor: This agent monitors all borrow events of COMP to see if the borrower address has accrued enough COMP to pass significant governance thresholds. This can be an early indication of governance attacks.
  5. Oracle Price Monitor: This agent monitors the UniswapAnchoredProxy contract for PriceGuarded events which indicate that a ValidatorProxy reported a cToken price that is outside of the Uniswap V2 TWAP percent threshold. Alert type is set to Degraded and severity is set to High.
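To make the detection logic behind two of these agents concrete, the following is an added example (not OpenZeppelin’s or Forta’s code) of the Compound Distribution Monitor and the Large Borrows Governance Monitor written as a plain transaction handler that runs offline. It does not use the forta-agent SDK: logs are assumed to arrive pre-decoded as `{ address, name, args }` objects, the Comptroller events are assumed to be named `DistributedSupplierComp` / `DistributedBorrowerComp` with a `compDelta` argument, the cToken `Borrow` event is assumed to carry `borrower` and `borrowAmount`, and a caller-supplied `getCompBalance` function stands in for an on-chain COMP balance lookup. All addresses, thresholds and sample logs are constructed placeholders.

```javascript
// Added example (not OpenZeppelin's or Forta's code): detection logic for the
// Compound Distribution Monitor and the Large Borrows Governance Monitor.
// Logs are assumed to be pre-decoded objects; amounts are handled as BigInt wei.
const ONE_COMP = 10n ** 18n; // COMP has 18 decimals

// Finding vocabulary in the spirit of Forta's, reduced to what this example uses.
const FindingType = { Info: "Info", Suspicious: "Suspicious", Degraded: "Degraded" };
const FindingSeverity = { Info: "Info", Medium: "Medium", High: "High", Critical: "Critical" };

// Constructed configuration (the real agents read similar values from agent-config.json).
const CONFIG = {
  comptroller: "0xcomptroller",               // placeholder Comptroller address
  cComp: "0xccomp",                           // placeholder address of the cCOMP market
  distributionThreshold: 500n * ONE_COMP,     // placeholder threshold: 500 COMP per event
  governanceThresholds: [                     // placeholder governance threshold values
    { name: "proposal threshold", amount: 25000n * ONE_COMP },
    { name: "quorum", amount: 400000n * ONE_COMP },
  ],
};

function finding(name, description, type, severity, metadata) {
  return { name, description, type, severity, metadata };
}

// Distribution monitor: flag any single COMP distribution above the configured threshold.
function checkDistributions(logs, cfg = CONFIG) {
  const findings = [];
  for (const log of logs) {
    if (log.address !== cfg.comptroller) continue;
    if (log.name !== "DistributedSupplierComp" && log.name !== "DistributedBorrowerComp") continue;
    const delta = BigInt(log.args.compDelta);
    if (delta > cfg.distributionThreshold) {
      findings.push(finding(
        "Compound Distribution Monitor",
        `${log.name} of ${delta / ONE_COMP} COMP exceeds threshold of ${cfg.distributionThreshold / ONE_COMP} COMP`,
        FindingType.Suspicious, FindingSeverity.High,
        { event: log.name, cToken: log.args.cToken, recipient: log.args.recipient, compDelta: delta.toString() },
      ));
    }
  }
  return findings;
}

// Large-borrow monitor: on each COMP borrow, report every governance threshold the
// borrower's holdings cross as a result of the borrow (below before, at or above after).
function checkLargeBorrows(logs, getCompBalance, cfg = CONFIG) {
  const findings = [];
  for (const log of logs) {
    if (log.address !== cfg.cComp || log.name !== "Borrow") continue;
    const borrower = log.args.borrower;
    const amount = BigInt(log.args.borrowAmount);
    const before = getCompBalance(borrower); // assumed lookup of pre-borrow COMP balance
    const after = before + amount;
    const crossed = cfg.governanceThresholds.filter(t => before < t.amount && after >= t.amount);
    for (const t of crossed) {
      findings.push(finding(
        "Large Borrows Governance Monitor",
        `${borrower} borrowed ${amount / ONE_COMP} COMP and now holds ${after / ONE_COMP} COMP, crossing the ${t.name}`,
        FindingType.Suspicious, FindingSeverity.High,
        { borrower, borrowAmount: amount.toString(), compAfterBorrow: after.toString(), threshold: t.name },
      ));
    }
  }
  return findings;
}

// Handler in the shape of a per-transaction hook: all findings for one transaction's logs.
function handleTransaction(logs, getCompBalance, cfg = CONFIG) {
  return [...checkDistributions(logs, cfg), ...checkLargeBorrows(logs, getCompBalance, cfg)];
}

// Constructed sample transaction: one ordinary distribution, one oversized distribution,
// and one borrow that lifts the borrower over the (placeholder) proposal threshold.
const SAMPLE_LOGS = [
  { address: "0xcomptroller", name: "DistributedSupplierComp",
    args: { cToken: "0xcdai", recipient: "0xalice", compDelta: (3n * ONE_COMP).toString() } },
  { address: "0xcomptroller", name: "DistributedBorrowerComp",
    args: { cToken: "0xcusdc", recipient: "0xbob", compDelta: (800n * ONE_COMP).toString() } },
  { address: "0xccomp", name: "Borrow",
    args: { borrower: "0xcarol", borrowAmount: (20000n * ONE_COMP).toString() } },
];
const SAMPLE_BALANCES = { "0xcarol": 10000n * ONE_COMP }; // constructed pre-borrow balances
const sampleBalance = addr => SAMPLE_BALANCES[addr] ?? 0n;

const SAMPLE_FINDINGS = handleTransaction(SAMPLE_LOGS, sampleBalance);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2)); // two Suspicious/High findings
```

Running it yields two findings: the 800 COMP distribution (above the 500 COMP threshold) and Carol's borrow, which takes her from 10,000 to 30,000 COMP and across the placeholder proposal threshold; the 3 COMP distribution and the quorum threshold produce nothing. Keeping the thresholds in a config object rather than in the handler mirrors the agent-config.json approach the agents use and lets the community tune them without changing detection code.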

By using Forta for security alerts, we want to give the community transparency into where our monitoring data comes from and provide opportunities for others to make suggestions or develop their own monitoring agents.

Future Dashboard

Finally, we plan to collect all data coming from the Compound activity feed and Forta agents into a Security Dashboard built using Dune Analytics. Our development team is currently working with the Dune team to provide an official integration into Defender that will make this possible and give the Compound community a transparent and visually expressive dashboard to see the security posture of the protocol.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for feedback on the following:

  1. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
  2. Share any tools or existing processes used in asset listings that we can consider as part of our security checklist.
  3. Take a look at our monitoring solution as it develops and give us feedback to improve and focus on threats important to the community.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram or email:

4 Likes

This is great! OZ continues to impress as always.

Michael, can you please clarify what you meant by item 3 in the last paragraph (Request to the Community)? If you have a dashboard or online service that we can access, please post the link.

1 Like

Hi @DeFiefdom, thanks!

For the monitoring systems we’ve released, you can see the links under the Monitoring section. The primary thing to check out would be our Discord monitoring feed here: Test For Alerts

1 Like