OpenZeppelin Security Updates for Q1 2023 & Q2 Compensation Proposal

Simple Summary

Over the last three months, OpenZeppelin has delivered three audits for Compound and has two more planned in our backlog. We’ve provided security advisory by publishing a CIP for protocol contribution policies and we are currently working on a solution for managing the Pause Guardian multi-sig across multiple EVM chains. Finally, we’ve performed several updates to the Compound monitoring suite including new feeds for the recently launched WETH market on Mainnet and USDC market on Polygon.

Per our ongoing partnership agreement, we plan to submit a new compensation proposal for Q2 2023 on Friday, March 24th.

Initiative Updates

Protocol Audits

Audits Delivered

Audit Backlog

If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.

Security Advisory

  • CIP-2: Protocol Contribution Policy - This CIP describes process improvements to facilitate the development and evaluation of protocol contributions that ensure community feedback and quality assurance measures are achieved before adoption.
  • Pause Guardian Multi-chain Solution (in progress) - We are currently working to develop a solution for managing multiple Gnosis Safe multi-sigs across different EVM networks as Compound continues to deploy to new chains that require their own local Pause Guardian instance. We’ve shared an initial version with select community members for feedback and plan to publish our finalized solution in the coming weeks.

It should also be noted that I’ve been personally active in managing the Security Domain in the new grants program, CGP 2.0, including the approval of three grant proposals. More information is available on Questbook here.

Security Monitoring

  • New WETH Market Activity Monitor - The WETH Market Activity Monitor logs transactions to the Compound Discord server #weth-market-feed channel.
  • New USDC Polygon Market Activity Monitor - The USDC Polygon Market Activity Monitor logs transactions to the Compound Discord server #usdc-polygon-market-feed channel.
  • Updated Multisig Monitor - 10 new alert types added to cover all multisig events.
  • Updated Oracle Price Monitor - Price monitor was updated with the new oracle address from Proposal 143: Compound UAV v3 Upgrade.

We also intend to deploy new monitoring feeds for future Compound market deployments expected on Optimism and Arbitrum.

Q2 2023 Compensation Proposal Details

Per our ongoing security partnership arrangement, we will be submitting a compensation proposal for Q2 of 2023. This proposal will be structured exactly the same as the past three quarters. The governance proposal will consist of a single payment of COMP from the Timelock that is valued at $1M using the weekly VWAP price calculated at the time of submission. We intend to submit this proposal on-chain on March 24th so that voting is complete and the payment is executed before March 31st and the start of Q2.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for the following:

  1. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
  2. Review CIP-2 and share any feedback on how it can be improved in the forum post.
  3. Take a look at our new monitoring bots and give us feedback to improve and focus on threats important to the community.
  4. Please vote in support of our compensation proposal once it goes live for voting early next week to continue our security partnership.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram or email:

Full support here. Recent market failures in other DeFi lending protocols remind us more than ever that security comes first, and OZ has been a valuable partner to Compound on this front.

Regarding the audit backlog, although it is not a protocol change, I thought I’d mention here for transparency that CGP is requesting an audit of grantee Paytr protocol’s core contract as part of OZ’s engagement.

Thanks @allthecolors!

I appreciate you raising Paytr’s audit request early on. Our audit team is already assessing how we can add it to our backlog. I’ll follow up directly with you once we’ve got details confirmed.

Quick update for everyone. We had some issues with delegated COMP that required us to postpone submission of our compensation proposal last minute. We’ve since resolved it by being added to the proposal submission whitelist by the Pause Guardian Multi-sig.

We now plan to submit our compensation proposal this upcoming Friday, March 31st, with the same details as before.

Our Q2 compensation proposal is now live and will be in review over the weekend. Please give your support once voting goes live early next week.