OpenZeppelin Security Updates for Q2 2023 & Q3 Compensation Proposal

Simple Summary

Over the last three months, OpenZeppelin has delivered three audits and two security assessments with three more audits planned in our backlog. We’ve delivered a set of security policies and solutions for the Pause Guardian while also actively advising on several security-related events including the Hundred Finance Exploit and a price feed disruption in the cSUSHI market, none of which required a security response. Finally, we’ve performed several improvements to our monitoring suite which includes preparations to incorporate more third-party monitoring bots through the Compound grants program.

Per our ongoing partnership agreement, we plan to submit a compensation proposal for Q3 2023 on Friday, June 23rd.

Initiative Updates

Protocol Audits

Audits

Security Assessments

Audit Backlog

If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.

Security Advisory

  • Pause Guardian Multi-chain Solution - We developed a solution for generating new Gnosis Safe multi-sigs on EVM networks to support new Comet market deployments, along with further enhancements to improve the incident response readiness of the Pause Guardian. This includes:
    • A script to clone the multi-sig and its configuration from an existing deployment
    • A solution based on the Defender platform to synchronize Safes across networks, for example when signers are added or removed
    • Discord Notifications for alerting Pause Guardian members of new transactions to be signed in incident response scenarios (worked as intended during the cSUSHI UAV price occurrence on June 10th, 2023)
  • Compound Pause Guardian Security Policies - Our team drafted a set of incident response policies to improve the clarity and readiness of the Pause Guardian multi-sig. This includes documentation on Pause Guardian members, stakeholders, pause powers and specific scenarios that the Pause Guardian should be prepared to respond to.
  • Security Advisory on the Hundred Finance Exploit - Our team assessed the risk of the Hundred Finance exploit being reproduced on Compound markets, in coordination with the Pause Guardian, Compound Labs and various community members and third parties. While the conditions for the exploit do not exist in Compound V2 today, there are factors that should be monitored in deprecated and low-liquidity markets to ensure that the protocol remains protected.
  • Security Advisory on cSUSHI UAV Price Occurrence - On June 10th, 2023, our monitoring detected that UAV prices for the cSUSHI V2 market were being rejected because liquidity issues caused Uniswap prices to fall out of sync with the prices reported by the ChainLink oracle. OpenZeppelin coordinated with Compound Labs, Gauntlet and the Pause Guardian to prepare to pause the cSUSHI market if the occurrence continued; this turned out to be unnecessary as prices returned to normal. OpenZeppelin has since been in conversation with the ChainLink team about the future of the UAV system so as to avoid future occurrences. Further details are posted in the Discord channel.
  • Incident Response Simulations (early planning) - OpenZeppelin is currently working with Compound Labs and a third-party to conduct an incident response simulation to test the ability of the protocol to react to security incidents in early Q3. More details will be shared upon conclusion of the exercise along with any areas of improvement that are identified.

I’ve also continued to be active in managing the Security Domain in the new grants program, CGP 2.0. This includes the successful completion of two grant proposals and another two proposals still in progress that are developing additional monitoring bots built on OpenZeppelin’s existing monitoring suite.

More information on the CGP Security Domain is available on Questbook here.

Security Monitoring

Our main focus in Q2 has been the improvement of our existing monitoring suite to better support third-party contributions, including the two CGP 2.0 grant proposals that were previously mentioned. We’ve also continued to support additional Comet markets as they are deployed such as Arbitrum and intend to deploy new monitoring feeds for future Compound market deployments expected on Optimism. More details below.

  • New Arbitrum Market Activity Monitor - The Arbitrum USDC Market Activity Monitor logs transactions to the Compound Discord server #arbitrum-usdc-market channel
  • Monitoring Bot Refactors
    • V2 API Deprecation Governance Monitoring Refactor - We’ve refactored our governance monitoring bot to accommodate the deprecation of the Compound V2 API by switching to the Tally API. Alerts continue to be logged in the Compound Discord server #governance-feed channel.
    • Multi-sig Monitoring Refactor - various minor improvements
    • Oracle Price Feed Monitoring Refactor - various minor improvements
  • Monitoring Repo Consolidation (in progress) - We are currently working to improve the Monitoring Repository that contains our monitoring source code and configurations. These improvements aim to consolidate our various efforts, improve readability and better support third-party contributions from grants contributors and other community members.

One major milestone to note is that our monitoring suite detected a live issue for the first time with the previously mentioned cSUSHI price occurrence, which prompted the Pause Guardian to prepare countermeasures in a timely manner. This can be seen in both the security-alerts Discord channel and in the Forta explorer.

Q3 2023 Compensation Proposal Details

Per our ongoing security partnership arrangement, we will be submitting a compensation proposal for Q3 of 2023. This proposal will be structured exactly the same as the past four quarters. The governance proposal will consist of a single payment of COMP from the Timelock that is valued at $1M using the weekly VWAP price calculated at the time of submission. We intend to submit this proposal on-chain on June 23rd so that voting is complete and the payment is executed before June 30th and the start of Q3.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for the following:

  1. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
  2. Review our security advisory on the Hundred Finance Exploit and remain vigilant on V2 markets with low liquidity to ensure the exploit factors never become present.
  3. Review our Pause Guardian Security Policies to suggest any areas of improvement or request clarification on anything that appears unclear.
  4. Stay subscribed to the Compound Discord Monitoring Feeds and review our monitoring repository to learn more about our monitoring infrastructure, especially once we complete improvements to make it more clear to third-party reviewers.
  5. Please vote in support of our compensation proposal once it goes live for voting early next week to continue our security partnership.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram or email:

Our compensation proposal has been submitted with voting set to start early next week.