As we’ve stated in past Security Updates, OpenZeppelin has been working on a monitoring solution for Compound as part our security partnership. We’re now happy to release an initial version of a community-based monitoring solution in the form of Discord channel feeds in the Compound Server. These feeds provide the community up-to-date security alerts we’ve developed for the Compound protocol as a result of what we’ve learned from our audits and advisory work.
Our Monitoring solution has been built with decentralization in mind which is why we make use of the Forta Network. As noted in past posts, Forta is a decentralized security monitoring network that lets developers deploy custom monitoring bots on a distributed network of scanner nodes. While users have the additional option of subscribing to Forta alerts directly using a web3 wallet like MetaMask, we wanted to create a central place for alerts to be seen by utilizing OpenZeppelin Defender Sentinel alerts to integrate with Discord channels in the Compound Community Discord Server.
The intention is that these alerts will update the community on regular activity (governance and market events) as well as security alerts that signal suspicious activity that should be investigated. To avoid alert fatigue, we separated our alerts into 3 channels under a general “Monitoring” category. The governance-feed and market-feed channels will replace the activity already reported by @blck 's bot-feed while the security-alerts will be used to report suspicious behavior and events.
While we expect the governance and market feeds to be fairly noisy, the security-alerts channel will only fire alerts that are relatively serious and infrequent. The Compound security-alerts channel can also be followed in other Discord servers that want to stay up to date with Compound’s security posture.
You can see a description of each alert below. Most of these alerts will be fired in the #security-alerts channel where they can be subscribed to by users in Discord. Users can also subscribe directly to Forta alerts by going to the Compound Forta page, selecting a Bot and and then clicking “Subscribe to this bot” using a web3 wallet that allows alerts to be sent by Email, Slack or Discord.
I’ve listed details for each monitoring bot below that describes its purpose and relevant channel
- GovernorBravo Event Monitor: This agent monitors the Compound Finance GovernorBravo contract for specific emitted events related to Proposals and Voting. All alert types and severities are set to Info.
- cToken Transaction Monitor: This agent monitors Compound Finance cToken contracts for common market events like Mint, Borrow, etc. Monitored events are specified in the agent-config.json file, with associated Finding types and severities for each one.
- Large Borrows Governance Monitor: This agent monitors all borrow events of COMP to see if the borrower address has accrued enough COMP to pass significant governance thresholds. This can be an early indication of governance attacks.
- Oracle Price Monitor: This agent monitors the UniswapAnchoredProxy contract for PriceGuarded events which indicate that a ValidatorProxy reported a cToken price that is outside of the Uniswap V2 TWAP percent threshold. Alert type is set to Degraded and severity is set to High.
- Community Multisig Transaction Monitor - This Detection Bot monitors the Compound Community Multisig smart contract for important transactions, including adding/removing owners, assigning a new Pause Guardian, setting a new Borrow Cap, etc. The full list of monitored events and associated Forta alerts can be found in the documentation.
- Low Liquidity Market Attack Monitor - This Detection Bot monitors Compound Finance cToken contracts that have low liquidity for potential market attacks where a malicious actor mints cTokens and then transfers additional tokens in order to unbalance the contract such that subsequent mints will not yield cTokens.
- cToken Underlying Asset Monitor - This bot monitors the underlying assets of Compound Finance cToken contracts. First it determines which assets are deployed using upgradable proxy contracts and then it monitors those contracts for any upgrade events to detect when the implementation for a cToken’s underlying asset may have changed.
We hope this first release of our monitoring solution is valuable to the Compound community and we hope to hear your feedback. If you have any questions, please share them on this forum, on Discord or in the Developer Dev Call tomorrow.
P.S. Big shout-out of appreciation to @blck for his earlier work on the #bot-feed that we took inspiration from and for his support!