OpenZeppelin's Security Monitoring Solution - Discord Release

Hi everyone,

As we’ve stated in past Security Updates, OpenZeppelin has been working on a monitoring solution for Compound as part of our security partnership. We’re now happy to release an initial version of a community-based monitoring solution in the form of Discord channel feeds in the Compound Server. These feeds provide the community with up-to-date security alerts we’ve developed for the Compound protocol as a result of what we’ve learned from our audits and advisory work.

System Overview

Our monitoring solution has been built with decentralization in mind, which is why we make use of the Forta Network. As noted in past posts, Forta is a decentralized security monitoring network that lets developers deploy custom monitoring bots on a distributed network of scanner nodes. While users have the additional option of subscribing to Forta alerts directly using a web3 wallet like MetaMask, we wanted to create a central place for alerts to be seen by utilizing OpenZeppelin Defender Sentinel alerts to integrate with Discord channels in the Compound Community Discord Server.

Discord Channels

The intention is that these alerts will update the community on regular activity (governance and market events) as well as security alerts that signal suspicious activity that should be investigated. To avoid alert fatigue, we separated our alerts into 3 channels under a general “Monitoring” category. The governance-feed and market-feed channels will replace the activity already reported by @blck’s bot-feed while the security-alerts will be used to report suspicious behavior and events.


While we expect the governance and market feeds to be fairly noisy, the security-alerts channel will only fire alerts that are relatively serious and infrequent. The Compound security-alerts channel can also be followed in other Discord servers that want to stay up to date with Compound’s security posture.

Security Alerts

You can see a description of each alert below. Most of these alerts will be fired in the #security-alerts channel where they can be subscribed to by users in Discord. Users can also subscribe directly to Forta alerts by going to the Compound Forta page, selecting a Bot and then clicking “Subscribe to this bot” using a web3 wallet that allows alerts to be sent by Email, Slack or Discord.

I’ve listed details for each monitoring bot below that describe its purpose and relevant channel.

  1. GovernorBravo Event Monitor: This agent monitors the Compound Finance GovernorBravo contract for specific emitted events related to Proposals and Voting. All alert types and severities are set to Info.
  2. cToken Transaction Monitor: This agent monitors Compound Finance cToken contracts for common market events like Mint, Borrow, etc. Monitored events are specified in the agent-config.json file, with associated Finding types and severities for each one.
  3. Large Borrows Governance Monitor: This agent monitors all borrow events of COMP to see if the borrower address has accrued enough COMP to pass significant governance thresholds. This can be an early indication of governance attacks.
  4. Oracle Price Monitor: This agent monitors the UniswapAnchoredProxy contract for PriceGuarded events which indicate that a ValidatorProxy reported a cToken price that is outside of the Uniswap V2 TWAP percent threshold. Alert type is set to Degraded and severity is set to High.
  5. Community Multisig Transaction Monitor: This Detection Bot monitors the Compound Community Multisig smart contract for important transactions, including adding/removing owners, assigning a new Pause Guardian, setting a new Borrow Cap, etc. The full list of monitored events and associated Forta alerts can be found in the documentation.
  6. Low Liquidity Market Attack Monitor: This Detection Bot monitors Compound Finance cToken contracts that have low liquidity for potential market attacks where a malicious actor mints cTokens and then transfers additional tokens in order to unbalance the contract such that subsequent mints will not yield cTokens.
  7. cToken Underlying Asset Monitor: This bot monitors the underlying assets of Compound Finance cToken contracts. First, it determines which assets are deployed using upgradable proxy contracts and then it monitors those contracts for any upgrade events to detect when the implementation for a cToken’s underlying asset may have changed.

Request for Feedback

We hope this first release of our monitoring solution is valuable to the Compound community and we hope to hear your feedback. If you have any questions, please share them on this forum, on Discord or in the Developer Dev Call tomorrow.

P.S. Big shout-out of appreciation to @blck for his earlier work on the #bot-feed that we took inspiration from and for his support!

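Worked illustration of the arithmetic behind the Low Liquidity Market Attack Monitor (item 6 of the post above). This is an added example written for this page, not OpenZeppelin's bot code and not Compound's contract code: the exchange-rate and mint formulas follow Compound v2's CToken (exchangeRateStored and mintFresh), while the stand-in addresses, the thresholds, the pre-decoded log objects and the detection heuristic itself are assumptions of the example.

```javascript
// Added example for this page: the inflation check behind the Low Liquidity
// Market Attack Monitor. Not OpenZeppelin's bot code. The two formulas follow
// Compound v2 CToken.sol (exchangeRateStored, mintFresh); everything else
// (addresses, thresholds, log shape, the heuristic) is an assumption.
const MANTISSA = 10n ** 18n; // Compound's Exp fixed-point scale

// Assumed stand-in addresses, not the mainnet contracts.
const CTOKEN     = "0x0000000000000000000000000000000000000c01";
const UNDERLYING = "0x0000000000000000000000000000000000000abc";
const ATTACKER   = "0x0000000000000000000000000000000000000a11";
const USER       = "0x0000000000000000000000000000000000000a22";

// exchangeRateStored(): (totalCash + totalBorrows - totalReserves) * 1e18 / totalSupply;
// with zero supply the contract returns initialExchangeRateMantissa instead.
function exchangeRateMantissa(m) {
  if (m.totalSupply === 0n) return m.initialExchangeRateMantissa;
  return ((m.cash + m.borrows - m.reserves) * MANTISSA) / m.totalSupply;
}

// mintFresh(): mintTokens = mintAmount / exchangeRate, truncated (BigInt division truncates).
function cTokensForMint(m, mintAmount) {
  return (mintAmount * MANTISSA) / exchangeRateMantissa(m);
}

// Smallest deposit that still yields one raw cToken unit: ceil(exchangeRate / 1e18).
function minUnderlyingForOneCToken(m) {
  return (exchangeRateMantissa(m) + MANTISSA - 1n) / MANTISSA;
}

// A direct ERC-20 transfer into the cToken raises getCash() but mints nothing.
function afterDonation(m, amount) {
  return { ...m, cash: m.cash + amount };
}

// Heuristic (this example's assumption, not the bot's documented logic): in a
// market whose cToken supply is at or below cfg.lowSupplyUnits, an underlying
// Transfer whose recipient is the cToken and that is not paired with a Mint
// event in the same transaction is the "donation" step of the attack.
// Logs are taken as already-decoded objects, the shape forta-agent's filterLog yields.
function checkDonationIntoThinMarket(market, txLogs, cfg) {
  if (market.totalSupply > cfg.lowSupplyUnits) return null;
  if (txLogs.some(l => l.address === CTOKEN && l.name === "Mint")) return null;
  const donated = txLogs
    .filter(l => l.address === UNDERLYING && l.name === "Transfer" && l.args.to === CTOKEN)
    .reduce((sum, l) => sum + l.args.value, 0n);
  if (donated === 0n) return null;
  const post = afterDonation(market, donated);
  return {
    name: "Compound Low Liquidity Market Donation",
    severity: "High",
    cToken: CTOKEN,
    donatedUnderlying: donated,
    exchangeRateAfter: exchangeRateMantissa(post),
    minDepositForOneCToken: minUnderlyingForOneCToken(post),
  };
}

// Constructed scenario: 6-decimal underlying, 8-decimal cToken. The attacker
// has already minted and redeemed so that exactly one raw cToken unit and one
// underlying wei remain, then sends 1,000,000 underlying straight to the cToken.
const thinMarket = {
  cash: 1n, borrows: 0n, reserves: 0n, totalSupply: 1n,
  initialExchangeRateMantissa: 2n * 10n ** 14n, // 0.02, scaled for 6/8 decimals
};
const DONATION = 10n ** 12n;               // 1,000,000 units of a 6-decimal token
const VICTIM_DEPOSIT = 5n * 10n ** 11n;    // 500,000 units
const cfg = { lowSupplyUnits: 10n ** 8n }; // one whole cToken at 8 decimals

const attackTx = [
  { address: UNDERLYING, name: "Transfer", args: { from: ATTACKER, to: CTOKEN, value: DONATION } },
];
const benignTx = [ // an ordinary mint moves underlying in AND emits Mint in the same tx
  { address: UNDERLYING, name: "Transfer", args: { from: USER, to: CTOKEN, value: DONATION } },
  { address: CTOKEN, name: "Mint", args: { minter: USER, mintAmount: DONATION, mintTokens: cTokensForMint(thinMarket, DONATION) } },
];

const finding = checkDonationIntoThinMarket(thinMarket, attackTx, cfg);
const victimGets = cTokensForMint(afterDonation(thinMarket, DONATION), VICTIM_DEPOSIT);
console.log(JSON.stringify({ finding, victimGets }, (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
```

With one raw cToken unit outstanding, the 1,000,000-unit donation lifts the exchange rate to roughly 1e30, so a 500,000-unit mint truncates to zero cTokens while the underlying is still taken; the smallest deposit that earns a single unit is the whole donation plus one wei. The thin-supply precondition is what keeps the check quiet: a direct transfer into a deep market (a reserves top-up, a mistaken send) would otherwise fire too. A real bot would read the market state at the previous block over RPC rather than from a literal, and a donation can also arrive through a contract call that emits no ERC-20 Transfer in the monitored shape, so this is a detector for the common path, not a proof of absence.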

Can the upgradeable token monitor go one step further and see proposed upgrades for such tokens that have time-locked upgrades?

@coburncoburn - Great question! It does not currently have that ability but that’s something that would be important to have. Currently, we’re automatically watching for new CToken markets that are added and checking if it uses the standardized EIP-1967 Transparent Proxy Pattern for upgrades and then watching for changes to the implementation contract.

We can go further and determine if the upgrade admin is a standard Timelock and watch for queued upgrades. There are some technical questions we’ll want to resolve but it’s very doable with another Forta bot.
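To make the exchange above concrete, here is an added example (not OpenZeppelin's bot and not code from this thread) of the two steps the reply describes, classifying an underlying by its EIP-1967 slots and watching Upgraded events, plus the proposed follow-up of catching an upgrade while it is still queued in a Compound-style Timelock. The slot constants, the Upgraded(address) topic and the Timelock QueueTransaction field names are the standard ones; every address, the storage reader stub, the ProxyAdmin-owned-by-Timelock layout and the log objects are constructed stand-ins.

```javascript
// Added example for this page: the upgrade-watching steps described in the
// reply above. Not OpenZeppelin's bot. The EIP-1967 slots, the Upgraded(address)
// topic and the Timelock QueueTransaction field names are the standard ones;
// every address, the storage stub and the log objects are constructed stand-ins.
const ZERO32 = "0x" + "0".repeat(64);
// bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
const IMPL_SLOT  = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc";
// bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1)
const ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103";
// keccak256("Upgraded(address)")
const UPGRADED_TOPIC = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b";

const pad32 = a => "0x" + a.slice(2).toLowerCase().padStart(64, "0"); // address -> 32-byte word
const wordAt = (data, i) => "0x" + data.slice(2 + 64 * i, 66 + 64 * i); // i-th ABI word of calldata
const wordToAddress = w => "0x" + w.slice(-40).toLowerCase();           // low 20 bytes of a word

// Step 1: classify an underlying asset by reading its two EIP-1967 slots.
// getStorageAt(address, slot) is an injected reader; a real bot uses the RPC provider.
function classifyUnderlying(token, getStorageAt) {
  const impl = getStorageAt(token, IMPL_SLOT);
  if (impl === ZERO32) return { proxy: false };
  return { proxy: true, implementation: wordToAddress(impl),
           admin: wordToAddress(getStorageAt(token, ADMIN_SLOT)) };
}

// Step 2: an Upgraded(address indexed implementation) log from a tracked proxy
// means the implementation behind a cToken's underlying just changed.
function findUpgrades(tracked, rawLogs) {
  return rawLogs
    .filter(l => tracked.has(l.address) && l.topics[0] === UPGRADED_TOPIC)
    .map(l => ({ name: "Compound cToken Underlying Upgraded", severity: "High",
                 proxy: l.address, newImplementation: wordToAddress(l.topics[1]) }));
}

// Step 3 (the follow-up the reply proposes): when the admin is a Timelock, the
// upgrade is visible earlier as QueueTransaction(txHash, target, value, signature, data, eta).
// Either the Timelock calls the proxy directly, or it calls a ProxyAdmin that owns the proxy.
const UPGRADE_CALLS = {
  "upgradeTo(address)":                    { viaAdmin: false, implWord: 0 },
  "upgradeToAndCall(address,bytes)":       { viaAdmin: false, implWord: 0 },
  "upgrade(address,address)":              { viaAdmin: true,  implWord: 1 },
  "upgradeAndCall(address,address,bytes)": { viaAdmin: true,  implWord: 1 },
};
function findQueuedUpgrades(tracked, timelocks, queueLogs, nowTs) {
  const findings = [];
  for (const log of queueLogs) {
    if (!timelocks.has(log.address)) continue;   // not emitted by a known Timelock
    const call = UPGRADE_CALLS[log.args.signature];
    if (!call) continue;                         // queued call is not an upgrade
    const { target, data, eta } = log.args;
    const proxy = call.viaAdmin ? wordToAddress(wordAt(data, 0)) : target;
    const info = tracked.get(proxy);
    if (!info) continue;                         // not an underlying we track
    const adminMatches = call.viaAdmin ? info.admin === target : info.admin === log.address;
    if (!adminMatches) continue;                 // caller is not this proxy's admin path
    findings.push({ name: "Compound cToken Underlying Upgrade Queued", severity: "Medium",
                    proxy, timelock: log.address, signature: log.args.signature,
                    newImplementation: wordToAddress(wordAt(data, call.implWord)),
                    eta, secondsUntilExecutable: eta - nowTs });
  }
  return findings;
}

// Constructed fixtures (assumed addresses, not real contracts).
const PROXY_TOKEN = "0x0000000000000000000000000000000000000a01"; // proxied underlying
const PLAIN_TOKEN = "0x0000000000000000000000000000000000000a02"; // non-proxy underlying
const IMPL_V1     = "0x0000000000000000000000000000000000000b01";
const IMPL_V2     = "0x0000000000000000000000000000000000000b02";
const PROXY_ADMIN = "0x0000000000000000000000000000000000000d01"; // ProxyAdmin owned by the Timelock
const TIMELOCK    = "0x0000000000000000000000000000000000000e01";
const NOW = 1700000000;

const storage = new Map([
  [`${PROXY_TOKEN}:${IMPL_SLOT}`,  pad32(IMPL_V1)],
  [`${PROXY_TOKEN}:${ADMIN_SLOT}`, pad32(PROXY_ADMIN)],
]);
const getStorageAt = (addr, slot) => storage.get(`${addr}:${slot}`) || ZERO32;

const tracked = new Map();
for (const token of [PROXY_TOKEN, PLAIN_TOKEN]) {
  const c = classifyUnderlying(token, getStorageAt);
  if (c.proxy) tracked.set(token, c);
}
const rawLogs = [
  { address: PROXY_TOKEN, topics: [UPGRADED_TOPIC, pad32(IMPL_V2)], data: "0x" },
  { address: PLAIN_TOKEN, topics: ["0x" + "ab".repeat(32)], data: "0x" }, // unrelated event
];
const queueLogs = [{
  address: TIMELOCK,
  args: { target: PROXY_ADMIN, value: 0n, signature: "upgrade(address,address)",
          data: pad32(PROXY_TOKEN) + pad32(IMPL_V2).slice(2), eta: NOW + 172800 },
}];

console.log(findUpgrades(tracked, rawLogs));
console.log(findQueuedUpgrades(tracked, new Set([TIMELOCK]), queueLogs, NOW));
```

The queued-upgrade finding carries the eta, so the alert lands while there is still a delay window to act in, which is the value the question above is after. Two caveats for anyone building this for real: proxies that predate EIP-1967 keep their implementation in a different slot and read as zero here, so a "not a proxy" result from step 1 is not proof; and when the admin slot holds a ProxyAdmin rather than the Timelock itself, the ProxyAdmin's owner has to be checked separately, since nothing in the proxy's own storage says who controls that contract.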