Proposal Security Process Discussion

Background

My name is Michael Lewellen. I’ll be the Security Advisor for you all on behalf of @OZSecure. Now that OpenZeppelin has been selected as Compound’s Security partner, we’d like to begin with soliciting feedback from the community for the creation of a Proposal Security Process.

My short background is that I’ve been working in the blockchain industry since 2012 as a technical consultant and architect with a special focus on Ethereum and smart contract security. I joined OpenZeppelin to manage their audit projects and have done community education at Defcon and other events. I’ve also done public policy education for the Texas Blockchain Council and am personally very interested in developing and scaling DAO governance models.

Summary

Based on the Next Steps outlined in our proposal, our first goal is to define a security process that proposal authors can follow leading up to an audit and submission to the DAO for a vote. This will start with engagement in the next community call and one-on-ones with key community members to solicit feedback. After collecting feedback from everyone, we’ll then propose a detailed process that will go through refinements with the community before being finalized.

You can find below a draft process that I’ve been working on that we would utilize if a protocol audit was needed ASAP, although we don’t expect it will be necessary until February. This is based on our standard way of doing audits. I expect this will go through many changes to make it work with an open DAO structure, so we’d definitely be looking for feedback from everyone. A more detailed version of this process will be shared later by OpenZeppelin. This draft only serves as a placeholder and a starting point for soliciting community feedback. We expect the final version to have more detailed security checklists, touchpoints with the auditors, tooling, and other considerations.

DRAFT Process for Securing Proposal Changes

  1. Proposal developers contact the SA and OZ directly as soon as development starts. Please share early versions of the code as soon as possible.
  2. We’ll review the code to determine if it is ready for an audit. In some cases, we may ask developers to incorporate feedback on code quality, documentation, test coverage, etc. prior to audit start. This makes the audit go smoother and usually leads to developers catching bugs on their own.
  3. Once the code is ready for an audit with a frozen commit, we would set a time to have a call and kick off the audit for an estimated length of time (depends on code size/complexity). We go through our process with you during the kickoff and collect feedback.
  4. During the audit, we review the code line by line and begin collecting issues we find. Throughout this time, we would actively ask developers questions to understand potential issues and design intentions.
  5. Once the audit is complete, we would privately share a report with the developers containing all the issues and recommended fixes.
  6. Developers would deliver each fix as an individual PR for us to review. In some cases, you might not want to fix something but would provide some comments for us to include in the report. Some security issues might not be fixable but could at least be known by the community to weigh the potential risks.
  7. Once all fixes are reviewed, we finalize the report and publish it for the community to review as a PDF report and on our blog.
  8. Once the community has reviewed the audit report, the proposal can be submitted to governance for a vote. A link to the report can be included so that voters can verify the finalized commit hash referenced in the report matches the code in the proposed changes.

Please note I may be slow to reply over the holidays this week and next, although I want to schedule conversations with some of you as soon as I can. I’ll be fully engaged on this starting January 3rd and will start by adding more color to the proposed process based on my own research and feedback from others.

Anyone that has protocol changes planned in the near future or would like to share feedback can reply here or contact me directly with the following below. I look forward to working with you all!

Security Advisor Contact Info
