OpenZeppelin Security Updates for Q2 2024 & Yearly Renewal Compensation Proposal

Simple Summary

Over the last three months, OpenZeppelin has delivered 9 audits and reviews with 6 more audits planned in our backlog. Many of these audits have been performed in close cooperation with the Alpha Growth team in their efforts to deploy new markets and list new assets. The new vendor payment process we’ve been working on with Gauntlet has been successfully established with the passage of Proposal 249, while we’ve continued to support the CGP program as manager of the Security Tooling Domain. We’ve continued iterations on improving our monitoring suite and supporting new market deployments such as the Optimism USDC market.

Per our ongoing partnership agreement, we plan to submit a compensation proposal. However, we will now be utilizing the new vendor payment process established by Proposal 249 that allows us to move to a yearly renewal model utilizing a payment stream in USDC.

Initiative Updates

Protocol Audits

Audits

Audit Backlog

  • Arbitrum USDT Comet Migration Review
  • Mainnet USDT Comet Migration Review
  • Rewards v2 Contracts Audit
  • Mainnet WETH Collateral rsETH, weETH Migration Review
  • Mainnet WETH Collateral ETHx Migration Review
  • Polygon USDT Comet Migration Review

An updated kanban board tracking audit status can be found here. If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.

Given how much our backlog has grown with new market deployments from Alpha Growth, we have been considering increasing our assigned audit personnel to speed up the pace of delivery. We’ve decided to explore proposing this increase after the annual renewal of our partnership as we want to take the time to gather further community feedback in a separate proposal.

Security Advisory

Throughout Q2, we’ve been very focused on assisting the WOOF!, Franklin DAO and Alpha Growth teams with their market deployments and discussing potential risk management concerns around new assets such as weETH as well as continuing discussions on LST/LRT technical risks. While the bulk of this work has occurred in conjunction with many of the audits we’ve performed, we’ve often started discussions on security risks with teams long before the audit start date to provide early feedback.

Furthermore, I’ve also continued to be active in managing the Security Domain in the grants program, CGP 2.0, up until the program’s end date on May 30th, 2024. During this time, we’ve seen the completion of several grant projects including Proposal Safety Checks and Improved Chain Technical Risk Checklist for New Market proposals. Additional grants for the complementary New Asset Listing Automation and Automated Asset Analysis have also been approved prior to the program’s end date and are beginning work now. I expect to continue serving as the Domain Manager for Security Tooling when the CGP program is renewed.

Finally, we’ve been active in discussions to consider upgrading and improving Compound Governor Bravo. We worked with @allthecolors of the CGP New ideas domain to fund an upgrade of Compound Governor to use OpenZeppelin Governor which will provide better governance security, gas efficiency and the ability to extend and add additional modules for more governance features.

Security Monitoring

After implementing a series of new improvements and refactors in Q1 to support L2 governance, our primary focus for monitoring has been to maintain the current monitoring features and continue supporting new market feeds including USDC Optimism.

In the meantime, we’ve been coordinating closely with @robinnagpal of DoDAO on the Proposal Safety Check grant and provided advice on its implementation as part of managing the CGP Security Domain. We believe that this grant project will be especially valuable for ensuring transparency in DAO proposal payloads and preventing potential configuration issues when setting sensitive parameters. The safety check reports help decode the proposal payload as well as check for potential failure cases such as simulating if the proposal will succeed when executed. This new Governance SeatBelt has been incorporated into the governance monitoring feed on Discord. You can see an example of a safety check report run on Proposal 259 in both a Discord alert and larger report PDF.

We’re very excited to see this project live and are greatly appreciative of @robinnagpal and DoDAO for their excellent work here.

Annual Renewal Compensation Proposal Details

Starting on Dec 21st, 2021, OpenZeppelin was selected to offer the Compound DAO security services including continuous audit, security advisory, and monitoring. In the past, OpenZeppelin has created a proposal every quarter to perform the next service fee payment of $1M in COMP.

With the adoption of Proposal 249, there is now a standard payment process for all Compound DAO service vendors utilizing payment streams in USDC. This new process is intended to reduce governance overhead for voters and streamline the process of paying all DAO service vendors, starting with OpenZeppelin.

By utilizing the new vendor payment process, OpenZeppelin will move to a yearly renewal model for our Security Partnership. As such, this proposal will initiate a payment of $4M in USDC to be streamed over the course of a year starting at the beginning of Q3 2024 and funding our security partnership until the end of Q2 2025. This has the added benefit of moving our annual renewal to a different time than the end of the year holidays which can undermine voter participation.

We plan to submit this new proposal on June 22nd so that voting can begin during the following week. We will also post additional technical details about the proposal structure in this forum thread in the days leading up to the proposal submission.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for the following:

  1. Please vote in support of our upcoming compensation proposal to keep us working with the Compound community for the next year.
  2. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
  3. Stay subscribed to the Compound Discord Monitoring Feeds.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram, or email:

I have interacted with @cylon and @jbass-oz many times regarding work on security tooling, among other topics. They are always available to address any type of queries and questions.

It’s impressive to see how OZ has managed to juggle all the new deployments, review and support CGP applications, and assist with reviewing other critical updates, such as the updates on the rewards contract, among other tasks.

I have been working with OpenZeppelin and Cylon for the past 8 months and the team’s motivation and expertise in safeguarding the protocol is commendable.

The recent push from the OZ team to streamline the audit processes will also help in having a streamlined pathway to the growth of the Protocol. Look forward to working together in creating the best opportunities for the Compound Community.

OpenZeppelin’s Annual Renewal Proposal is now submitted on-chain. Voting should begin early Monday.

For everyone’s awareness, OpenZeppelin has recently proposed a new streamlined deployment process to better differentiate which proposals require a dedicated review and which do not. This has allowed deployments from Alpha Growth to be accelerated with shorter timelines to deploy new markets and asset listings for the protocol. Despite these recent changes, OpenZeppelin has continued to be involved in reviewing several of these recent deployments where appropriate and continues to monitor the on-chain proposals for production issues.

As a result, we have seen 4 new proposals submitted just recently to deploy new markets or list new assets. This follows 2 new market deployments that were submitted last week for Optimism and Arbitrum that will soon be executed.

These improvements are the result of a long working relationship with the Alpha Growth, WOOF! and Franklin DAO teams that has developed over the past six months where we have learned how to better optimize work streams and developed unique processes. This is also possible due to the additional security expertise on Compound’s codebase and security posture that OpenZeppelin has built up gradually since our partnership began 2.5 years ago. This expertise has allowed us to assist in the onboarding of the WOOF and Franklin DAO dev teams to become valuable contributors to the protocol while maintaining security.

It has been very productive and effective working with Open Zeppelin on tools and reports for Compound. They have kept us closely focused on building content that meets Compound’s needs. They have always been closely focused on security.

We’re excited to see that governance delegates have voted to renew our security partnership for another year by an overwhelming margin and with no opposition. We appreciate the trust that the Compound community continues to place in OpenZeppelin and we look forward to working with you all for the coming year.