OpenZeppelin Security Updates for Q1 2024 & Q2 Compensation Proposal

Simple Summary

Over the last three months, OpenZeppelin has delivered seven audits, with one currently underway and three more audits planned in our backlog. Many of these audits have been performed in close cooperation with the Alpha Growth team in their efforts to deploy new markets and list new assets. We’ve been working actively with Gauntlet to propose a new vendor payments process which will be released in the coming weeks, in addition to soliciting new security grants for the CGP program. We’ve also performed several improvements to our monitoring suite to support L2 governance events and automation, along with providing more active commentary on security alerts such as the activation of the UAV price anchor which our monitors detected on several occasions over the past quarter.

Per our ongoing partnership agreement, we plan to submit a compensation proposal for Q2 2024 on Friday, March 22nd.

Initiative Updates

Protocol Audits

Audits

Audit Backlog

  • Arbitrum USDT Comet
  • Gauntlet Aera Vault Price Oracle
  • Native USDC Base Comet Migration

An updated kanban board tracking audit status can be found here. If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.

Security Advisory

  • New Chain Checklist - We posted a new checklist to be used for evaluating the security and critical infrastructure for new EVM chains that may be considered for deploying new Comet markets. We have already been active in sharing this checklist with the Linea and Scroll teams and are coordinating with a new CGP grant that will be building on this existing list to refine the evaluation process and assess additional chains.

  • Streamlining Vendor Payments - As referenced in earlier forum updates, we are working to develop a standardized process that OpenZeppelin, Gauntlet, and any other third-party vendor can utilize to be paid on regular renewal schedules without over-exposure to COMP price fluctuations. We expect that our proposed solution will be shared with the community within the next month. Our Gauntlet Aera Vault Price Oracle audit is also related to this endeavor.

  • Gas Paymaster & Operating Expenses - After consultation with the CGP committee, we’ve decided to propose that both gas reimbursements and other operational expenses for the DAO be incorporated into a new CGP Domain for continuous funding. We intend to push for this domain’s incorporation into the next renewal of CGP, likely to occur in the next 3 months.

I’ve also continued to be active in managing the Security Domain in the grants program, CGP 2.0. More information on the GCP Security Domain is available on Questbook here.

Security Monitoring

Near the end of last year, we completed the release of a good number of security monitoring improvements, including full L2 support for governance monitoring and operations. Our main focus in Q1 has been to continue tweaking and improving these changes. Simultaneously, we’ve been supporting new Comet markets, such as the new Base USDC Comet Market while also preparing for the upcoming Comet deployments on Optimism and Scroll.

Finally, based on community requests, we’ve been active in providing commentary in the security-alerts channel on the latest alerts and their potential impact on the protocol. This includes an analysis of alerts triggered by UNI price volatility on Feb 23rd that triggered the oracle UAV used by Compound V2. As a result of this situation, we’ve prioritized the audit of the UAV deprecation changes being developed by Chainlink to remove the potential for future price volatility to impact the protocol.

image

Q2 2024 Compensation Proposal Details

Per our ongoing security partnership arrangement, we will be submitting a compensation proposal for Q2 of 2024. This proposal will be structured exactly the same as the past four quarters. The governance proposal will consist of a single payment of COMP granted from the Comptroller that is valued at $1M using the weekly VWAP price calculated at the time of submission. We intend to submit this proposal on-chain on Friday, March 22nd so that voting is complete and the payment is executed on April 1st and the start of Q2.

We do expect that our soon-to-be proposed vendor payment process, should it be accepted by the community, will be in palace by the time of our next compensation proposal at the end of Q2. We expect that with this new process in place, we move to a yearly renewal process and reduce the number of governance proposals needed for performing partnership payments to one per year.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for the following:

  1. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
  2. Look out for our upcoming proposal for a new payment vendor process and provide feedback once posted on the forums.
  3. Stay subscribed to the Compound Discord Monitoring Feeds.
  4. Please vote in support of our compensation proposal once it goes live for voting early next week to continue our security partnership

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram, or email:

1 Like

Our compensation proposal has been submitted on-chain as Proposal 232 and will be ready for voting on Sunday. Please vote in support!

Hi everyone, we have only 11 hours left until the end of voting. Our proposal still needs another ~220K votes to pass quorum.

Please vote in support if you haven’t already: Compound

Our proposal unfortunately failed to meet quorum, coming less than ~40K votes short of the 400K requirement. We’ve heard that some delegates were unavailable during Spring Break among other availability issues.

We plan to resubmit our proposal on April 6th so that it is available for a new vote on Monday, April 8th. It will be the exact same proposal aside from an update to the COMP VWAP price.

2 Likes

Our new compensation proposal is now active for voting! Please vote in support early to ensure we get over quorum this time around.