Simple Summary
Over the last three months, OpenZeppelin has delivered seven audits, with one currently underway and three more audits planned in our backlog. Many of these audits have been performed in close cooperation with the Alpha Growth team in their efforts to deploy new markets and list new assets. We’ve been working actively with Gauntlet to propose a new vendor payments process which will be released in the coming weeks, in addition to soliciting new security grants for the CGP program. We’ve also performed several improvements to our monitoring suite to support L2 governance events and automation, along with providing more active commentary on security alerts such as the activation of the UAV price anchor which our monitors detected on several occasions over the past quarter.
Per our ongoing partnership agreement, we plan to submit a compensation proposal for Q2 2024 on Friday, March 22nd.
Initiative Updates
Protocol Audits
Audits
- Scroll Alpha Comet Deployment (completed)
- wstEth as Collateral (completed)
- RedStone Oracles (completed)
- Mainnet USDT Comet (initial report delivered)
- OP Comet (completed)
- UAV to Price Oracle (initial report delivered)
- Scroll Mainnet Comet Migration (completed)
- Contango Integration for CGP (in progress)
Audit Backlog
- Arbitrum USDT Comet
- Gauntlet Aera Vault Price Oracle
- Native USDC Base Comet Migration
An updated kanban board tracking audit status can be found here. If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.
Security Advisory
- New Chain Checklist - We posted a new checklist to be used for evaluating the security and critical infrastructure for new EVM chains that may be considered for deploying new Comet markets. We have already been active in sharing this checklist with the Linea and Scroll teams and are coordinating with a new CGP grant that will be building on this existing list to refine the evaluation process and assess additional chains.
- Streamlining Vendor Payments - As referenced in earlier forum updates, we are working to develop a standardized process that OpenZeppelin, Gauntlet, and any other third-party vendor can utilize to be paid on regular renewal schedules without over-exposure to COMP price fluctuations. We expect that our proposed solution will be shared with the community within the next month. Our Gauntlet Aera Vault Price Oracle audit is also related to this endeavor.
- Gas Paymaster & Operating Expenses - After consultation with the CGP committee, we’ve decided to propose that both gas reimbursements and other operational expenses for the DAO be incorporated into a new CGP Domain for continuous funding. We intend to push for this domain’s incorporation into the next renewal of CGP, likely to occur in the next 3 months.
I’ve also continued to be active in managing the Security Domain in the grants program, CGP 2.0. More information on the CGP Security Domain is available on Questbook here.
Security Monitoring
Near the end of last year, we completed the release of a good number of security monitoring improvements, including full L2 support for governance monitoring and operations. Our main focus in Q1 has been to continue tweaking and improving these changes. Simultaneously, we’ve been supporting new Comet markets, such as the new Base USDC Comet Market, while also preparing for the upcoming Comet deployments on Optimism and Scroll.
Finally, based on community requests, we’ve been active in providing commentary in the security-alerts channel on the latest alerts and their potential impact on the protocol. This includes an analysis of alerts triggered by UNI price volatility on Feb 23rd that triggered the oracle UAV used by Compound V2. As a result of this situation, we’ve prioritized the audit of the UAV deprecation changes being developed by Chainlink to remove the potential for future price volatility to impact the protocol.
Q2 2024 Compensation Proposal Details
Per our ongoing security partnership arrangement, we will be submitting a compensation proposal for Q2 of 2024. This proposal will be structured exactly the same as the past four quarters. The governance proposal will consist of a single payment of COMP granted from the Comptroller that is valued at $1M using the weekly VWAP price calculated at the time of submission. We intend to submit this proposal on-chain on Friday, March 22nd so that voting is complete and the payment is executed on April 1st and the start of Q2.
We do expect that our soon-to-be proposed vendor payment process, should it be accepted by the community, will be in place by the time of our next compensation proposal at the end of Q2. We expect that with this new process in place, we will move to a yearly renewal process and reduce the number of governance proposals needed for performing partnership payments to one per year.
Our Request to the Community
As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for the following:
- Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
- Look out for our upcoming proposal for a new payment vendor process and provide feedback once posted on the forums.
- Stay subscribed to the Compound Discord Monitoring Feeds.
- Please vote in support of our compensation proposal once it goes live for voting early next week to continue our security partnership.
As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram, or email:
- Email: michael@openzeppelin.com
- Telegram: @cyloncat
- Discord (in the Compound server): Michael L#3462