Simple Summary

Over the last three months, OpenZeppelin has delivered four audits and one security assessment with one more audit planned in our backlog. We participated in a security simulation with the Pause Guardian Multisig to test incident response readiness and find areas of improvement. We’ve also deployed new monitoring feeds for new Comet markets on Base and Arbitrum and have additional improvements planned in Q4 to expand coverage of security monitoring across all EVM chains.

Per our ongoing partnership agreement, we plan to submit a compensation proposal for Q4 2023 on Thursday, Sep 21st.

Initiative Updates

Protocol Audits

Audits

• Multiplicative Price Feed Audit (finalized)
• Encumbrance Factory Audit (finalized)
• Linea Bridge Audit (finalized)
• Governance Signature Functions Audit (finalized)

We plan to publish the majority of these audits shortly and well before the changes are intended to be deployed on-chain.

Security Assessments

• Comet Wrapper Security Assessment (the assessment was done in June, but there is an follow-up audit required)
  • Please note that Comet Wrapper is not yet considered production ready and we don’t recommend using it for live funds until the audit is completed.

Audit Backlog

• Wido Audit
• Comet Wrapper Audit
• USDT Comet Audit

If you are planning to propose a protocol change within the next 3 months that you don’t see included in this list, please reach out to ensure we have you considered in our schedule.

Security Advisory - IR Simulation

Our primary focus this past quarter was to test the incident response readiness of the Pause Guardian Multi-sig, particularly in its ability to detect and respond rapidly to an on-chain incident that requires markets to be paused. We worked with the SEAL Chaos team to conduct an incident response exercise where OpenZeppelin, Compound Labs and the 6 members of the multi-sig were presented with a security issue that we had no prior knowledge of so we could practice identifying the issue and coordinating a response in real-time. The simulation was run using a mainnet fork simulation of the Compound V3 USDC market that spoofed regular user activity along with an on-chain attack. A block explorer and OpenZeppelin’s Forta-based monitoring stack were also stood up on the mainnet fork to make the simulation as realistic as possible.

The exercise was conducted on July 5th, 2023 with all participants invited to a closed Discord channel where they could view real-time monitoring alerts. After ~45 minutes of monitoring protocol activity, one of the participants immediately identified an oracle issue that affects the WETH market price after being alerted by the Oracle Price Monitor Bot. This opened up an exploit vector for an attacker to begin siphoning funds from the protocol. Within ~10 minutes of the discovery, the participants created a war room voice call and the Pause Guardian initiated a pause transaction for the protocol. It then took about ~30 minutes for the Pause Guardian to collect the required signatures necessary (3/6) to initiate a pause at which time the attack was stopped. The team also practiced preparing public statements on Twitter to inform users of the attack and post-mortem before concluding the simulation.

Overall, the response during this simulation was successful in identifying the security issue immediately and eventually stopping the attack with a pause transaction. However, several areas of improvement were identified that could have reduced the response time and therefore the amount of funds lost. OpenZeppelin is now working with the Pause Guardian to implement the following:

1. Reduce decision-making time by having a clearly documented process for specific scenarios and their response, building on the scenarios already documented here. There should also be an incident commander present that can assume the responsibility of following and recommending actions from the checklist or react to unanticipated scenarios.
2. Automate the process of queuing a pause transaction in the Gnosis Safe multisig. This can include triggering the automation as soon as a pre-defined scenario such as an oracle issue is detected on a Comet market.
3. Reduce the time needed for gathering signatures from the Pause Guardian by setting up a pager system for signers and ensuring their keys are always close at hand to their person.
4. Continue practicing incident response with future simulations and have all multi-sig members regularly practice signing transactions on the Gnosis Safe to ensure they are readily available.

We are incredibly thankful to the SEAL Chaos team for their gracious support in conducting this exercise, most especially to Isaac Patka and Samczun.

Finally, in order to take a more active role in the Pause Guardian’s incident response, OpenZeppelin has joined the Multi-sig as an additional signer to work alongside Compound Labs, Gauntlet and four other independent community members. Our primary role here will be to help rapidly propose transactions in emergency scenarios based on pre-prepared plans. It’s important to note that while OpenZeppelin is now taking a more leading role in Compound’s incident response, the collective Pause Guardian multisig will still be responsible for all emergency decisions made on the protocol’s behalf.

Security Monitoring

We’ve continued to expand our monitoring suite to cover new Comet deployments. Over the last quarter, we’ve deployed the following monitoring feeds:

• Arbitrum Native USDC Market Activity Monitor- logs activity to the Compound Discord #arbitrum-usdc-market channel. Please note that the prior feed for the Arbitrum USDC.e Market has been renamed to #arbitrum-usdce-market.
• Base USDC Market Activity Monitor- logs activity to the Compound Discord #base-usdc-market channel.
• Base WETH Market Activity Monitor- logs activity to the Compound Discord #base-weth-market channel.

Based on feedback we’ve received and lessons learned from the recent security simulation, we plan to make the following improvements to our monitoring and automation suite over the next quarter:

1. Expand L2 Security Monitoring - As we have for our Comet market activity feed, we intend to create easily repeatable monitors for oracle health, collateral assets and liquidations to expand what we currently monitor for on Mainnet to the EVM networks where Comet has been deployed, namely Polygon, Arbitrum and Base.
2. Extend Governance Monitoring to L2s - The governance feed currently only monitors events that occur on Ethereum mainnet and doesn’t report on the final stages of a proposal after it is bridged over to an L2 network. We intend to expand this coverage so that all events are tracked on L2s and reported in the Discord #governance-feed. There are already existing bots built by Nethermind as part of their CGP 2.0 grant that monitor the BridgeReceiver contract for bridged proposals on Polygon which we intend to integrate and expand on.
3. Extend Proposal Automation to L2s - We’ve had an automated relayer running for over a year that automatically queues and executes governance proposals on Ethereum mainnet. However, this does not currently extend to proposals that require additional steps to be queried and executed on an L2. We intend to expand this coverage for Polygon, Arbitrum and Base to remove these additional manual steps.

It’s also important to note that we’ll be soliciting additional monitoring work in the next iteration of the Compound grants program along with RFPs for specific security enhancements to the protocol and security tooling.

Q4 2023 Compensation Proposal Details

Per our ongoing security partnership arrangement, we will be submitting a compensation proposal for Q4 of 2023. This proposal will be structured exactly the same as the past four quarters. The governance proposal will consist of a single payment of COMP from the Timelock that is valued at $1M using the weekly VWAP price calculated at the time of submission. This might first require additional COMP to be granted to the Timelock by the Comptroller given the current balance of COMP in the Timelock is slightly below our required amount. We intend to submit this proposal on-chain on Thursday, Sep 21st so that voting is complete and the payment is executed a few days before Oct 1st and the start of Q4.

Our Request to the Community

As usual, we’d like to ask the community to read our updates and always feel welcome to get involved and provide feedback. Simply put, we ask for the following:

1. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.
2. Please vote in support of our compensation proposal once it goes live for voting early next week to continue our security partnership

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram or email:

• Email: michael@openzeppelin.com
• Telegram: @cyloncat
• Discord (in the Compound server): Michael L#3462

Hi everyone,

The proposal is now up and is in the voting phase. Please vote in support as soon as you can. Last quarter, we came close to not passing quorum so please don’t wait.

Hey all,

Porter here from a16z. We voted for this proposal and hope to see the successful partnership continue. We appreciate the feedback incorporated thus far.

As always, none of this is investment advice and we are investors in both Compound and Forta.

Best,

Porter

The proposal has been executed. Thank you everyone for your support!