Request for Proposal (RFP): Compound DAO Security Service Provider (SSP)

Motivation & Background

The Compound Foundation, in collaboration with the Compound Governance Working Group (CGWG), is issuing this Request for Proposals (RFP) to identify a qualified and cost-effective Security Service Provider (SSP) to deliver security services to the Compound protocol over a 12-month term.

Security remains a paramount concern for Compound as a leading decentralized lending protocol operating across multiple chains. Since December 2021, Compound has relied on OpenZeppelin as its primary security partner, who in the past year alone conducted over 40 audits and reviewed more than 180 governance proposals.

While OpenZeppelin has delivered strong coverage, the expiration of their current term presents an opportunity for the DAO to reevaluate the market and select a provider best suited to its evolving needs and financial constraints. A number of leading security vendors have expressed interest, and this RFP process is being run to ensure transparency, competition, and alignment with Compound’s long-term goals.

The Compound Foundation will lead the selection process, including managing vendor interviews, evaluating pricing, and issuing a final recommendation to the DAO. The CGWG will act as a neutral facilitator, ensuring the process remains transparent and aligned with DAO governance expectations. This collaborative approach allows the Foundation to apply its operational expertise while ensuring the broader community remains informed and empowered to make the final decision through onchain voting.


Shaping the Security Backbone of Compound’s Next Era

Compound is one of the most influential and historically significant protocols in decentralized finance. As the first DeFi platform to introduce on-chain algorithmic money markets, Compound laid the groundwork for permissionless lending, decentralized governance, and protocol autonomy. Its early innovations shaped the token voting models and governance contracts that are now industry standards. While its brand remains a pillar of credibility in crypto, Compound today finds itself at an inflection point—rich with reputation but ripe for renewed growth. With evolving regulation, improving sentiment, and an expanding appetite for DeFi infrastructure, this is a rare and timely opportunity to help Compound reassert itself as the leader in global decentralized lending.

The recent launch of the Compound Foundation marks the beginning of a new era—one focused on strategic execution, ecosystem expansion, and long-term resilience. As the Foundation takes on an active role in guiding protocol development and ecosystem coordination, the selection of a trusted security partner becomes mission-critical. This isn’t just about audits; it’s about embedding security at the core of Compound’s re-emergence. With over $2B in TVL, deep integrations, and a renewed growth mandate, Compound is uniquely positioned for a resurgence—and the partner ultimately chosen as its next Security Service Provider will be a visible and central force in safeguarding that trajectory.


Timeline & Order of Operations

  • RFP Submission Window (July 7 – July 18, 2025)
    Vendors must submit proposals publicly to the Compound forum by replying to the RFP thread. Each response must follow the “Required Responses” format and be posted as a single, comprehensive reply. Pricing details must be submitted separately and privately to the Compound Foundation at this Form.
    The Foundation and CGWG will review each submission for completeness and relevance; proposals that meet all requirements will move forward to the evaluation phase.

  • Evaluation & Interviews (July 15 – July 22, 2025)
    The Compound Foundation will begin interviews on July 15 with vendors who submit early and continue reviewing all qualified proposals through July 22. This includes evaluating vendor qualifications, security capabilities, and service alignment. The Foundation will also provide constructive feedback on proposal structure, scope, and pricing. Following this feedback, vendors may submit final pricing and revised proposals by July 22.

  • Final Proposal Summary & Recommendation (July 23 - July 27, 2025)
    A final proposal summary will be posted to the Compound forum. This summary will consolidate each refined proposal, include publicly disclosed pricing, and highlight the Foundation’s recommendation. The goal is to ensure delegates and community members can easily compare options before the vote. Any final questions or clarifications will be resolved prior to opening Snapshot voting.

  • Snapshot Vote (July 28 – August 4, 2025)
    The CGWG will host a Snapshot vote with all eligible proposals included as voting options. The vote mechanics (e.g., single-choice or ranked-choice) and quorum requirements will be clearly communicated at the time of the vote. Delegates are encouraged to weigh the proposals alongside the Foundation’s review summary. The SSP receiving the most support will be considered the selected provider, subject to on-chain ratification.

  • On-Chain Ratification & Payment Authorization (August 5 – August 12, 2025)
    An on-chain proposal will be submitted to formally ratify the SSP selection and authorize the budget for a 12-month term. Payments will be streamed using the Compound Streamer developed by WOOF. The proposal will specify the total budget, stream rate, and service start date. This step ensures DAO-wide transparency and accountability for the selected vendor.

  • Onboarding & Transition Period (August 18 – September 8, 2025)
    The selected SSP will coordinate with the Compound Foundation and any outgoing vendor to assume full responsibilities by September 8. This onboarding period includes access to prior documentation, team introductions, and establishing communication protocols. The Foundation will support the transition to avoid any gap in service coverage. The SSP should be prepared to meet its first quarterly reporting milestone soon after.


Scope of Work

The selected Security Service Provider (SSP) will be responsible for executing three core workstreams critical to the security and operational integrity of the Compound protocol: (1) Security Audits and Reviews, (2) Security Advisory and vCISO Services, and (3) Monitoring and Incident Response. These workstreams are designed to ensure full lifecycle coverage of governance proposals, ongoing protocol development, and real-time defense capabilities.


1. Security Audits and Proposal Reviews

The SSP will lead technical assessments of protocol upgrades, governance proposals, and token onboarding efforts. They will provide actionable feedback, verify execution paths, and ensure proposed changes meet Compound’s security standards before being enacted. The review process will be tightly integrated with the governance lifecycle and include formal reporting.

  • Audit new protocol code and infrastructure developed by the Foundation, WOOF, external contributors, or grantees.

  • Validate calldata and execution logic for all governance proposals prior to submission or execution.

  • Assess the risk of onboarding new collateral assets, token integrations, or deploying to new chains.

  • Produce and publish Security Reports outlining findings, risks, recommended remediations, and issue severity classifications.

  • Coordinate audit scheduling and delivery timelines in alignment with governance proposal windows and DAO expectations. The Foundation will define prioritization when needed.


2. Security Advisory and vCISO Services

The SSP will provide high-touch security advisory services, including a dedicated technical lead to act as Compound’s virtual CISO (vCISO). This vCISO will help bridge audits with governance, align protocol improvements with security best practices, and ensure DAO contributors understand and can act on security findings.

  • Offer on-demand guidance to the Foundation and contributors regarding governance proposals, upgrades, or architecture changes.

  • Participate in protocol design discussions, threat modeling exercises, and security reviews of new initiatives.

  • Maintain clear documentation of evolving security requirements, including checklists and best practices tailored to different proposal types.

  • Serve as a central point of contact for the DAO to interpret audit findings and discuss remediations.

  • Help scope and prioritize security reviews and audits, working closely with authors to define timelines and security expectations.


3. Monitoring and Incident Response

The SSP will be responsible for continuous monitoring of protocol operations, governance proposal execution, and security-sensitive functions. They will maintain on-call availability for triaging incidents and may also contribute to shared governance responsibilities by participating in Compound’s emergency response mechanisms.

  • Monitor live protocol deployments, governance execution, and market activity for anomalies or malicious behavior.

  • Maintain on-call availability for real-time response to protocol incidents, unexpected outcomes, or critical threats.

  • Collaborate with the Foundation, Core Contributors, and the Community Multisig to triage and mitigate emerging threats, including postmortems and lessons learned.

  • Optionally nominate a qualified team member to join the Compound Community multisig as a signer for urgent interventions.

  • Propose and implement off-chain monitoring infrastructure (e.g. dashboards, alerting systems) that remain transparent and do not impact on-chain performance.


Payment Terms

  • The engagement will span a 12-month commitment starting August 18th, 2025, with payments streamed in COMP based on USD value via the Compound Streamer contract.

  • The DAO seeks to avoid large upfront payments. Vendors must agree to a 60-day termination clause, allowing the DAO to stop the stream and disengage with reasonable notice based on a governance vote. This will be prompted in cases where vendors fail to meet KPIs or stated SLAs.


Evaluation Criteria

Proposals will be evaluated based on:

1. Technical Expertise

  • Solidity auditing proficiency; additional Rust/Go/MOVE capabilities are a plus

  • Cross-chain experience on Ethereum L1 and L2s (Arbitrum, Optimism, Base, Scroll, etc.)

  • Use of fuzzing, formal verification, and static/dynamic analysis

  • Infrastructure and application-layer pentesting capabilities

  • Documented incident response processes and tooling

2. Reputation and Track Record

  • History of working with DAOs and DeFi protocols

  • Public reports, references, or postmortems that demonstrate transparency and reliability

3. Compound Protocol Familiarity

  • Prior work with Compound is preferred

  • Vendors new to Compound must demonstrate a clear onboarding plan and ramp-up readiness

4. Capacity and Communication

  • Capacity to support parallel audits and urgent reviews without delays

  • Clarity and regularity in reporting to the DAO and Foundation

  • Willingness to publish updates and participate in governance discussions


Required Responses

General Overview

In your private pricing proposal to the Foundation, include the full name, Telegram handle, and email for your representative in the RFP process. All pricing must also be included in a private proposal to the Foundation during initial submission using this Form.

Company/Team Name and Background:
Provide the name of your company or team and a brief background. Include the founding year, areas of specialization, and notable clients. Highlight the core team’s blockchain and security credentials.

Existing Relationship with Compound (if any):
State any prior engagements, audits, or contributions to Compound’s codebase or forums. If no relationship exists, describe your plan to quickly gain protocol familiarity.

Relevant Security Partnerships or Clients:
List DAOs or DeFi protocols you’ve supported, ideally those with governance, lending, or cross-chain complexity. Case studies or published audits are encouraged.


Section 1: Scope of Security Work

1a) Scope of Services Overview:
List all audit and review activities you will cover, including new deployments, governance reviews, and monitoring following the Scope of Work section. Specify if you support front-end or off-chain systems. Clarify any notable exclusions or limitations.

1b) Multi-Chain Support & Upgrade Expertise:
Compound V3 is deployed across numerous networks (including Ethereum mainnet, Base, Arbitrum, Unichain, Optimism, Polygon, Mantle, Scroll, Ronin, and Linea) and is expected to continue expanding. Additionally, protocol upgrades and new market deployments are a regular occurrence.

State your experience across Compound’s supported networks. Note if you’ve audited cross-chain deployments or major upgrades. Describe how your team stays current on emerging L2s or brings in specialists if needed. Define how the vCISO will be engaged and how they’ll be involved in the operational security of smart contract integration and deployment.

1c) Resource Allocation and Availability:
Indicate how many FTEs will be assigned to Compound and if they are dedicated or shared. Explain how you will avoid audit bottlenecks and ensure coverage during staff absences. Describe how you preserve context and continuity over time.

1d) Additional Services or Tools (if any):
Share any value-added offerings like governance participation, training, or internal tools (e.g., dashboards, scanners). This is optional but encouraged. Keep descriptions high-level and relevant to DAO security.


Section 2: Technical Methodology and Audit Process

2a) Audit Methodology:
Summarize your process including manual review techniques and tool usage (fuzzers, linters, etc.). Mention how you identify non-code risks like governance or economic attacks. Note how you ensure full code coverage and reduce reviewer blind spots.

2b) Audit Workflow & Deliverables:
Outline your audit process from scoping to final report. Describe your report format (e.g., severity levels, fix guidance) and whether results are public. Provide turnaround time ranges based on audit scope.

2c) Quality Assurance and Track Record:
Cite past audits or incidents where your work mitigated or prevented harm. If a client was impacted post-audit, share how you helped and what was learned. Provide public links or references where possible.


Section 3: Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure:

Describe your process for handling discovered vulnerabilities, particularly critical ones. If, during the course of an audit (or via any monitoring you do), you uncover a serious bug or exploit possibility in Compound, what are the immediate next steps? Outline how you would inform Compound’s leadership or relevant parties.

Do you follow an established responsible disclosure protocol or have a standard policy (e.g. “notify core developers immediately, advise on fix, disclose publicly only after patch”) for these scenarios? The Compound community needs to know that any vulnerabilities will be handled with urgency and discretion. Include details like:

  • How you prioritize issues (e.g., stop all other work to focus on a critical finding vs. continue with audits for a low-severity finding)
  • Expected timelines for developing a remediation plan, and how/whom you involve in remediation (do you merely report issues, or also help design patches?)
  • Whether you have a secure communication channel for sensitive disclosures; if so, note that as well

In short, tell us how you will manage the lifecycle of a critical vulnerability from discovery to fix to public disclosure in a way that minimizes risk to the protocol.

3b) Incident Response Support:
Detail how you assist during exploits—technical investigation, coordination, and recovery. Share prior examples where you helped mitigate live attacks. Clarify who you work with (e.g., Foundation, whitehats).

Provide any detailed examples of how you were able to triage and resolve a specific incident.

3c) Continuous Monitoring & Threat Detection:
Describe your monitoring stack, anomaly detection, and alert workflows. Note what gets flagged (e.g., whale voting, oracle anomalies), and who is notified. If no tooling is included, explain how you remain vigilant between audits.


Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model:

Pricing proposals must be submitted privately to the Compound Foundation via email as part of a private proposal attachment.

What is the total budget that you are requesting for the 12-month security partnership with the DAO? Break down the components of this cost if applicable. For example, is this a flat annual fee for a security retainer covering all services, or do you price per audit with an estimated number of audits included? Indicate if you are agreeable to a continuous streamed payment setup.

4b) Milestones and Performance Metrics:
List success metrics such as audit timeliness, report quality, or DAO engagement. Include sample KPIs. If you report publicly or quarterly, say so. These could include quantitative metrics such as:

  • Audit report delivery times (e.g., “all standard audits delivered within X weeks of code readiness”)
  • Responsiveness targets (e.g., “critical issues triaged within Y hours”)
  • Any outcome-based goals (e.g., “zero critical vulnerabilities in production”)

You may also include community-centric metrics, like “monthly security update delivered on time 12/12 months” or engagement metrics like “participate in all governance calls with a security segment.”

4c) Conflict of Interest Declaration:
Disclose if you work with Compound competitors or protocol forks. Assure confidentiality safeguards are in place. If no conflicts exist, state that clearly. Working with multiple clients is normal, but we expect professional handling of any conflicts and confidentiality.

4d) Transition and Offboarding Plan:
Explain how you’ll ensure continuity if not renewed. How will you ensure that any new incoming security provider can pick up where you left off? Acknowledge DAO rights to terminate with 60-day notice.


Section 5: Service Level Expectations (SLA)

5a) Incident Response:
Describe your target response time for critical protocol incidents (e.g., 15 minutes). Include whether 24/7 monitoring coverage is available and through what channels. Outline your escalation, triage, and mitigation processes for urgent situations.

5b) vCISO Support:
State your availability for on-demand advisory support (e.g., within one business day). Note the expected cadence of recurring briefings, design reviews, or check-ins. Indicate who the DAO’s primary and backup contacts will be.

5c) Governance Proposal Reviews:
Specify your standard review turnaround time after a proposal request (e.g., within 48 hours). Mention your availability to support urgent or last-minute proposals. Describe how findings will be delivered and communicated to the community.

5d) Code Audits:
Indicate the average lead time required for scheduling audit engagements (e.g., 2–4 weeks). Provide expected turnaround times based on audit size and team allocation. Share your standards for report formatting, revision handling, and final delivery.

Final Considerations

If there are aspects of your approach, tooling, or philosophy that haven’t been addressed in prior sections, you may highlight them here. This could include specialized expertise (e.g., lending protocols, governance or economic security), proprietary tools or dashboards, operational scale, or mission alignment with decentralized finance.

You may also use this space to share supporting content and technical examples such as public audit repositories, technical write-ups, incident postmortems, or training materials you’ve produced. These examples can help demonstrate your team’s track record, culture of transparency, or commitment to long-term partnerships. Bonus points for any examples relevant to Compound or similar lending protocols.

Please keep this section focused and additive. All essential information should still be included in the required responses above, as they form the basis for evaluation.


The Compound Governance Working Group (CGWG) is proud to collaborate with the Compound Foundation in selecting the next Security Service Provider (SSP).

If your team has a proven track record in DeFi security and shares Compound’s mission, we invite you to submit a proposal. Your expertise will be pivotal in protecting the Compound ecosystem while fueling its continued innovation and growth.


[Post 1/2]

Proposal edited on July 24th, 2025. Summary of edits:

  1. Tenderly has been unbundled from this proposal with the understanding that their platform will be considered as part of ZeroShadow’s evaluation process.

  2. ChainSecurity and Certora are submitting a joint proposal with an annual fee of $1.75M. The fee is capped for two years at least.

  3. The following has been added to our scope:

  • We will become signers of Compound’s multisig
  • We will ensure a smooth, clearly-defined, and efficient collaboration with ZeroShadow. We will make ourselves available to support their efforts and offer direct communication channels with redundancies across different timezones.
  • While ZeroShadow owns the responsibility for monitoring, we will support them by offering monitoring recommendations when relevant risk areas are noticed during our reviews or advisory work.
  • While ZeroShadow owns the responsibility for incident response (IR) & for designing the IR protocols, we are responsible for ensuring an IR drill happens every quarter with the relevant actors (ZeroShadow, multisig signers, key developers, etc.), and that the IR protocols are understood by all actors involved.
  4. The following has been excluded from our scope:
  • Monitoring & Alerting (both the platform and the associated services)
  • Incident Response & Triage
  • Any of Tenderly’s tooling solutions (Tenderly’s virtual testnet, Tenderly monitoring stack, etc.)
  • The scope of ZeroShadow’s proposal

Proposal - ChainSecurity & Certora

Key Facts

  • ChainSecurity and Certora are leading Web3 security firms, operating since 2017 and 2018 respectively. Both have a long-standing and successful track record of collaboration with Compound.
  • To streamline DAO coordination, we unify the DeFi expertise of our two firms under a single vCISO: a senior security engineer from ChainSecurity fully dedicated to Compound.
  • Full-time security engineers dedicated to Compound ensure rapid response times and leverage custom tooling to enhance efficiency and reliability.
  • Under the vCISO’s leadership, the three teams will work in close coordination to comprehensively address all of Compound’s security needs:
    • Smart contract audits (with targeted formal verification & fuzzing)
    • Audits of off-chain components (including Web2 security such as penetration testing of dApps)
    • Governance reviews
    • Security Advisory & Security governance

Contact

ChainSecurity & Certora

Collectively represented by Emilie Raffo, ChainSecurity Founding Partner

Telegram: @EmilieRaffo_ChainSecurity

Email: emilie.raffo@chainsecurity.com


Proposal

This proposal is led by ChainSecurity and submitted jointly with Certora. Our two teams will collaborate closely to provide ongoing, high-assurance security services to the Compound protocol. The vCISO, a senior ChainSecurity engineer allocated full-time to Compound, will serve as the main point of contact, ensuring close coordination, clear communication, and a smooth collaboration across all stakeholders.

Certora and ChainSecurity together bring a uniquely comprehensive approach to smart contract security. Certora’s team of dedicated formal methods engineers specializes in writing precise, executable specifications and building custom verification pipelines that proactively eliminate entire classes of vulnerabilities before deployment. ChainSecurity complements this with unmatched experience in DeFi systems and complex protocol interactions, drawing on a broader security skill set including manual audits, threat modeling, and automated tooling. Together, we offer both depth and breadth: Certora ensures correctness by construction, while ChainSecurity identifies emergent risks through a holistic view of protocol behavior. This combined methodology delivers a higher level of assurance than either approach alone—giving clients a truly end-to-end security review that is proactive, rigorous, and battle-tested in production systems.

Collectively, we have a strong history with Compound, having previously contributed to securing its smart contracts as both auditors and formal verification partners. This proposal offers Compound the unique expertise and ability to provide the highest standards of security directly by combining two of the most established security providers’ offerings under one coordinated framework.


About ChainSecurity

(Represented by Emilie Raffo, founding partner)

ChainSecurity is one of the longest-standing Web3 audit firms, known for deep DeFi expertise, rigorous audits, and a stable team of formally trained experts.

ChainSecurity began in 2017 at ETH Zurich, 4th best university in the world for computer science, with the development of Securify: the first widely used static analyzer for Solidity.

As demand grew, the team of academic researchers formalized into ChainSecurity: auditing top-tier projects and releasing Securify as open source with the support of the Ethereum Foundation. In collaboration with ETH Zurich, we built formal verification tools like VerX.

ChainSecurity gained visibility during Ethereum’s Constantinople and Berlin hard forks by uncovering network-critical vulnerabilities. Our Ethereum client disclosures earned us top places on the global bug bounty leaderboard.

In 2020, we joined PwC Switzerland, gaining exposure to the best practices of regulated financial auditing. While staying focused on Ethereum, we collaborated with public institutions, banks and central banks, and supported large organizations in their tokenization efforts. Our experience with large, traditional corporations makes us the top choice for a new age of increased regulation and legal clarity in DeFi.

We spun off from PwC in 2021 to double down on DeFi and to be able to work with crypto-native teams. Since then, we’ve led hundreds of audits, hired from top universities, won the Ethereum Foundation’s Underhanded Solidity Contest, and discovered several live vulnerabilities, including the novel “Read-Only Reentrancy”.

ChainSecurity is employee-owned and built for longevity. Our core team is committed, and subsequent hires are growing into ownership of the company. We retain expertise in-house and continuously refine our methodology since 2017. This consistency is why clients continue to place their trust in us.

About Certora

(Represented by Mooly Sagiv, founder)

Certora is the security assurance partner trusted by the most advanced teams in Web3. Founded in 2018 by pioneers in programming languages and formal methods, Certora helps leading protocols like Lido, Aave, Euler, and Ether.fi secure billions in TVL with confidence.

Certora is not just another auditor. Certora is a full-stack security assurance platform, combining best-in-class formal verification tools with expert advisory services, delivered on time and with zero compromise. Certora doesn’t just look for vulnerabilities; we help you prove correctness, accelerate your development speed, and embed safety into your design from day one.

With Certora, you get:

  • Proven, scalable tooling for checking real deployed code
  • A deep partnership model with on-demand support
  • Fast, responsive execution that helps you go to market faster

For Certora, security isn’t a checklist, it’s a continuous process.

Certora was founded by Dr. Mooly Sagiv, a pioneer in software analysis who has authored over 200 peer-reviewed publications, and Dr. Shelly Grossman, who holds a PhD in program verification and led the development of the Certora Prover—a powerful engine for detecting and preventing vulnerabilities in smart contracts before they reach production.

Our team of security auditors includes 20 PhD-level verification experts who collectively have authored over 650 academic publications, and 25 Web3 security experts with collectively over 80 years of auditing experience. Certora has completed 286 audits to date, and has found over 350 critical and high severity findings through our audits and verification work.

In collaboration with our R&D efforts, our audit team leverages advanced software analysis tools to deliver the industry’s most thorough security audit, and we translate the semantics of a protocol into verifiable specifications that are checked with our Prover technology. The result for our clients is the highest standard of security assurance for smart contracts in the industry, and a continued effort to leverage new, innovative technology to raise the bar even higher.


Existing Relationship with Compound:

We have longstanding ties with Compound, dating back to its early days as one of the most innovative and respected protocols in decentralized finance. Some of us were present during Compound’s formative years, when it helped define the lending market in DeFi and set standards for governance and protocol design. We are proud to have witnessed and supported those foundational moments.

ChainSecurity & Compound

ChainSecurity has been a close security partner to Compound since 2022, with deep insight into their protocol and architecture. To date, we’ve published several of our audit reports (Compound Quark (2024), Compound SUPTB (2023), Compound III (2023), Compound cToken (2022)) and continue to support the ecosystem through our work with Legend Labs—the spun-off Compound Labs team (Legend Labs - Quark V2), with more reports to be published.

In 2022, our team also identified and responsibly disclosed a live vulnerability in Compound that put millions at risk (TrueUSD ↔ Compound Vulnerability).

The Compound Labs team has shown high satisfaction with ChainSecurity’s work, as evidenced by the following testimonials:

“ChainSecurity has been an outstanding security partner who has earned our admiration and respect based purely on their technical competence and skill. They always go above and beyond to ensure their auditing is of the highest quality, and they are consistently excellent over the many projects we have done together.”

Jared Flatow, Compound VP of engineering 2019 to 2023

“We’ve worked with several auditing firms over the years, and ChainSecurity stands out as the most thorough and technically rigorous. Their team consistently delivers deep, high-quality audits. That is why they’re our go-to auditor.”

Kevin Cheng, Compound Labs Head of Protocol 2023 to 2024, Compound Labs Senior Engineer 2021 to 2023

Certora & Compound

Certora has worked closely with Compound since 2018 to strengthen the security of its smart contracts through formal verification. Our collaboration has focused on proactively identifying vulnerabilities that are difficult to catch through traditional audits alone. We have helped uncover subtle, high-impact issues before they could be exploited in the wild. These efforts have significantly contributed to improving the safety and reliability of the protocol across multiple major upgrades.

In our first engagement with Compound, we formally verified the first Price Oracle implementation. Using the Certora Prover, we identified 7 issues and proved 5 global properties of the contract, including a subtle bug found after the code had already undergone a third-party audit—demonstrating how formal methods can complement traditional review processes.

In contrast, the MoneyMarket contract, which was not formally verified, was later found to contain a serious vulnerability in the liquidation function, one that could have threatened the protocol’s solvency. Following this discovery, Compound asked Certora to formally verify a sophisticated bug fix designed to prevent such exploits. Using Certora’s expressive language for smart contract specifications, CVL, we were able to collaborate with the Compound team to verify that no execution path could trigger the exploit, providing the Compound team with strong assurance of the fix’s soundness.

Certora was also the first auditor of Compound V3. The audit is available here. Seven bugs were prevented, and fifty CVL rules were written and integrated into Compound Labs’ build system to continuously leverage the Certora Prover to proactively find regressions in the protocol.

Over the course of Certora’s work, ten engineers wrote a total of 80 CVL rules for Compound contracts spanning CompoundV2, CompoundV2 Open Oracle and CompoundV3. These rules are publicly available and continue to serve as regression checks as the protocol evolves.

“Certora has given us the ability to practically apply formal verification methods to anything we do on-chain. They have an excellent team who we’ve partnered with closely over the years, and the process of writing invariants with them has proven to be invaluable in writing better smart contracts.”

Jared Flatow, Compound VP of engineering 2019 to 2023


Relevant Security Partnerships or Clients

ChainSecurity

ChainSecurity is the go-to audit partner for some of the most widely used projects in DeFi. In lending alone, we’ve helped secure the core systems behind Sky (formerly MakerDAO), Spark, Morpho, Euler, Frax, Gearbox, TrueFi and others. Our work extends across DeFi and beyond, with audits for Circle, Lido, Curve, Tether, Yearn, Enzyme, WBTC, and more. We also work with major ecosystem and infrastructure players like the Ethereum Foundation, Polygon, Optimism, Uniswap Foundation, TRON, Starknet, Fuel, etc.

Our clients trust us not just for technical depth, but for our reliability and long-term support. Here are some testimonials to illustrate this:

“ChainSecurity has been an invaluable partner throughout almost two years of high-stakes product launches. We prize them for their proactivity, consistency, and flexibility.”

Deniz Yilmaz, Tech Lead @ Sky (formerly MakerDAO)

“We’ve worked with many Smart Contract auditors in the last five years and ChainSecurity quickly differentiated themselves as a leader in the space. They have relevant DeFi expertise, professional work ethic and have always been a reliable partner.”

Mona El Isa, CEO @ Enzyme Finance

“Their team pays close attention to every detail, prioritizing quality over quantity. This ongoing collaboration has made them true partners in our journey.”

0xMikko, Inventor @ Gearbox

“ChainSecurity delivered an exceptional audit for our project. Their meticulous approach and quick responsiveness enhanced our security and provided crucial insights. We greatly appreciate their dedication and excellent communication throughout the process.”

Erik Arfvidson, Head of Cybersecurity @ Euler Finance

“ChainSecurity was a pleasure to work with—exceptionally easy to coordinate with and delivering an audit of the highest quality. Their meticulous attention to detail truly set them apart, making the entire process smooth and efficient.”

Long Vuong Hoang, Head of Engineering @ Pendle

Through long-term collaborations highlighted by our clients and a proven track record of identifying critical vulnerabilities, ChainSecurity is a trusted and strategic partner in building secure and resilient decentralized systems.

Certora

Certora is the trusted security partner of many of the most impactful protocols in Web3. In the lending vertical alone, Certora has secured critical components for Aave (V2 and V3), Compound (V2 and V3), Silo, Euler, EtherFi, Seamless, Astaria, Kamino, Glow, Blend, and Slender. Our work extends beyond lending to a broad range of DeFi primitives — including MakerDAO, Balancer, Lido, Uniswap, Gnosis Safe, and others. Certora’s role in the ecosystem goes beyond auditing and formal verification. We are embedded in the security processes of leading protocols and infrastructure, serving as technical co-signers on multisigs and participating in security councils such as Arbitrum, AAVE, EigenLayer, GMX, Lido and Kinto. This level of trust demonstrates our operational reliability, technical depth, and ability to respond quickly to emerging threats. Our long-term relationships and active engagements across protocols and chains position Certora as not just a service provider, but a strategic partner in building safer and more resilient decentralized systems.


[Proposal continues in post 2/2]

4 Likes

[Post 2/2: for a summary of the July 24th edits, see post 1/2]

Proposal - ChainSecurity & Certora

Section 1: Scope of Security Work

This section includes:

  • Scope of Services Overview
  • Multi-Chain Support & Upgrade Expertise
  • Resource Allocation and Availability
  • Additional Services and Tools

A top-tier audit team, with a history of successful Compound audits and prior knowledge of the codebase, will be dedicated to the Compound ecosystem year-round. This joint proposal encompasses the following services:

  • Manual audit and targeted formal verification for new contract deployments.
  • Governance reviews and simulated execution as needed throughout the year.
  • Front-end and off-chain audits for mobile applications, web services, and other off-chain components.
  • Collaborative partnership with a dedicated vCISO to deliver consistent and ongoing support and advisory services in all aspects of the Compound platform.

Our auditing services include black box penetration and white box protocol testing for Dapps. Black box penetration testing services will include manually exercising common exploit patterns for web and mobile applications based on an external review of the functionality of the application. White box protocol testing services include reviewing the communication between the UX (web/mobile) and any backend services, and attempting to craft exploits by inferring the intended vs. unintended behaviors of the interaction. Automated tools may be applied in these services when feasible and appropriate to the particular application. Finally, we will seek language-appropriate static analysis and code scanning tools as part of our Dapp auditing to identify code-level mistakes that lead to known vulnerability categories. These findings may not always be exploitable, but they will identify opportunities to improve the code in order to avoid vulnerabilities.

Leveraging our combined auditing team, we are able to deliver on-demand availability for the deployment of new capabilities and major upgrades across a complex network of L1s and L2s with a team of 3 FTEs dedicated to Compound. To ensure availability, knowledge continuity, and a diversity of thought in approaching each audit, both Certora and ChainSecurity will internally maintain teams who will in rotation serve as primary and backup auditors for each engagement.

We will ensure team consistency throughout the year by maintaining continuity across engagements. Audits will follow our battle-tested methodology with a focus on preserving context to easily onboard new auditors and avoid vendor lock-in. Leveraging a larger team of audit professionals also injects a broader perspective and “fresh eyes” into each audit, which will yield superior coverage in our work. This same level of redundancy will apply to all vCISO discussions and governance reviews.

Across the ChainSecurity and Certora teams, we have expertise with a wide variety of L2s, and we have audited major cross-chain deployments with Aave, Uniswap, and others. As new L2s are introduced to the market, our teams will work in collaboration to establish an internal “center of excellence” for identifying new risks introduced by each new L2. We will then leverage this accumulated knowledge in future deployments to those L2s.

In addition to the expertise of our security engineers, ChainSecurity & Certora will contribute advanced tools to this engagement including:

  • The Certora Prover, which enables formal verification of complex smart contract properties.
  • A fuzzing suite built on top of Foundry & Echidna. This suite will enable ongoing testing of each change introduced by the Compound team.
  • Participation in governance, if desired, as we have with Ether.fi, Spark, and other leading protocols.
  • An internal dashboard showing all projects, schedules, and delivery health using the Monday platform.

Finally, the vCISO service offered as part of this proposal is envisioned as a security advisory service to the Compound foundation and the DAO for the purposes of end-to-end security review of all aspects of operational security, code security, and governance. The vCISO is a senior blockchain security engineer from ChainSecurity allocated full-time on Compound. To ensure continuous support through the year, another engineer with deep Compound expertise will work closely with the vCISO and act as the vCISO’s official backup in case of absence. We will be available for consultation to the Foundation or the DAO on an as-needed basis.

In addition to on-demand guidance, Compound’s dedicated vCISO will take a proactive and holistic approach to securing Compound. Rather than simply reacting to individual audit requests, we will maintain an informed, high-level view of the protocol’s overall risk landscape—including internal architectural decisions as well as relevant external developments in the broader ecosystem. This includes participating in protocol design discussions, reviewing governance proposals, and supporting contributors in identifying and mitigating risk across the stack.

We also see the vCISO as a public-facing and coordination-oriented role. Responsibilities will include representing Compound in relevant security contexts, liaising with other vendors and ecosystem partners, and helping ensure that contributors and stakeholders have clarity around evolving security needs. This may also involve helping scope and prioritize reviews, maintaining lightweight documentation of expectations and best practices, and advising on the implications of new initiatives or integrations.


Section 2: Technical Methodology and Audit Process

This section includes:

  • Audit Methodology
  • Audit Workflow & Deliverables
  • Quality Assurance and Track Record

Audit Methodology

Leveraging our combined team of 3 full-time equivalent auditors, the Certora and ChainSecurity teams will audit the governance proposals and protocol changes. Our audit methodology includes the following key attributes:

  1. Each audit is assigned a team of two, and we will ensure continuity from audit to audit such that one member of this team of two participated in the previous audit.
  2. Prior to conducting an audit, all protocol changes will be validated using to identify functional and security regressions prior to audit review.
  3. Each audit consists of the following stages:
    1. Identification of a threat model and initial run of the Certora tool suite
    2. Manual inspection of protocol or governance code and review of all tool results
    3. Identification of potential code issues and attack vectors and collaborative review with the Compound team
    4. Collaborative discussion to specify required fixes and methodology for each fix
    5. Thorough review of each fix and final run of the Certora tool suite to ensure that fixes were applied properly and that no regressions were introduced
    6. After deployment, we will offer deployment audit services to certify the smart contracts are deployed with the expected bytecode and configuration (See Compound Deployment Validation)

Our audits are:

  • Comprehensive, leveraging tools to identify all suspicious areas of the code that require thorough, systematic review.
  • Multi-level, starting from a comprehensive threat model for the protocol and including a review of architecture, business logic, pricing logic, critical calculations, and implementation. This review includes both on-chain and off-chain components.
  • End-to-end in multiple dimensions. First, by including a collaborative effort to identify appropriate fixes to any issues that are uncovered, and a final review of actual fixes. Second, by including off-chain components.
  • Technology driven to ensure that human error and omission are minimized wherever possible.
  • Deep, including sophisticated verification of protocol properties using the Certora Prover and our team of dedicated formal verification experts.

Both Certora and ChainSecurity already possess extensive Compound knowledge and have a positive history with the Compound team. In collaboration, we are uniquely suited to protect your protocols from costly exploits, ensure compliance with industry standards, and build trust with users and stakeholders.

Audit Workflow & Deliverables

Each audit concludes with a comprehensive report delivered to the Compound team. These reports include:

  • Threat model used to conduct the audit
  • Architecture diagrams, if relevant, illustrating our understanding of the protocol and its associated threats
  • A comprehensive list of findings, including an explanation of the severity and impact of each finding
  • A list of fixes applied, including our evaluation of the effectiveness of the fix
  • A list of invariants, pre-, and post-conditions verified with the Certora Prover, and a description of the implications of these verification conditions on the overall security of the protocol
  • The output from the Certora tool suite, which illustrates the comprehensive nature of our audits and how we leverage advanced technology to complement human review
  • Required checks for Deployment Validation (See Compound Deployment Validation)

Reports will be made public at the discretion and on the timeline agreed to with the Compound team, and with a particular care devoted to ensuring that any live vulnerabilities identified are mitigated prior to publishing.

Governance proposals will promptly be reviewed by our vCISO team. Beyond general review against security threats, they will simulate proposal execution against mainnet state. This verifies that proposals execute as expected, checks system invariants, and flags gas regressions, avoiding incidents like Compound’s Proposal 117 and Proposal 226. This reduces the duration of review cycles while significantly increasing security.

Quality Assurance and Track Record

ChainSecurity & Certora are both committed to supporting our clients and the ecosystem at large. Here are some examples where our work prevented harm:

  • ChainSecurity identified an Ethereum-wide vulnerability ahead of the Constantinople upgrade. They disclosed it responsibly to Ethereum Foundation, who delayed the upgrade and was able to fix the issue (see blog article).
  • ChainSecurity responsibly disclosed a live critical vulnerability in Compound and supported the mitigation efforts (See blog article)
  • ChainSecurity discovered the read-only reentrancy, a novel type of vulnerability putting more than $100M at risk. Before making the vulnerability public, they spent months researching the affected protocols, responsibly disclosing the vulnerabilities, and supporting them as they patched the vulnerabilities. (See Devcon talk)
  • ChainSecurity has been part of multiple undisclosed war-rooms securing hundreds of millions at risk in collaboration with SEAL911 and others.

Section 3: Risk Management and Incident Response

  • While ZeroShadow owns the responsibility for monitoring, we will support them by offering monitoring recommendations when relevant risk areas are noticed during our reviews or advisory work.
  • While ZeroShadow owns the responsibility for incident response (IR) and for designing the IR protocols, we are responsible for ensuring an IR drill happens every quarter with the relevant actors (ZeroShadow, multisig signers, key developers, etc.), and that the IR protocols are understood by all actors involved. We will support ZeroShadow to promptly design custom emergency response protocols encompassing all potential emergency scenarios and all Compound actors.
  • We will ensure a smooth, clearly-defined, and efficient collaboration with ZeroShadow. We will make ourselves available to support their efforts and offer direct communication channels with redundancies across different timezones.

If ChainSecurity & Certora are the ones discovering a live vulnerability, we will follow a strict and coordinated responsible disclosure process that prioritizes the security of Compound above all else. Whether the issue arises during an audit, a formal verification engagement, a governance review, or any security advisory work, our teams are aligned in treating these findings with urgency, discretion, and technical rigor.

Our approach goes beyond merely reporting bugs—we act as partners in remediation. Together, our teams will collaborate closely with Compound’s developers to design secure and effective patches. We will help evaluate possible solutions, and use both manual methods and automated tools, including formal verification, to validate that fixes resolve the vulnerability without introducing new risks. If needed, we will dedicate additional engineering resources to conduct emergency reviews of the patched code under tight timelines.

We classify vulnerabilities according to industry-standard severity frameworks, and respond accordingly. Critical issues—those that could lead to loss of funds, insolvency, or governance failure—are treated as top priority and take precedence over all other audit activities. Medium and high severity issues are triaged and handled with urgency, while lower severity findings are reported in due course and included in regular deliverables unless Compound requests otherwise.

With respect to disclosure, our unified policy is to ensure no public exposure of the issue occurs until a fix has been deployed and user funds are no longer at risk. Once Compound confirms the vulnerability has been safely mitigated, we are happy to support a coordinated public disclosure, which may include a detailed post-mortem or report for community transparency and learning. We can also assist in communicating this clearly and responsibly to the broader community if needed.


Section 4: Commercial Terms and Commitment

This section includes:

  • Pricing Model
  • Milestones and Performance Metrics
  • Conflict of Interest Declaration
  • Transition and Offboarding Plan

Pricing Model

We are requesting a flat annual fee of $1.75M for the 12-month security partnership with Compound DAO. This fee, capped for two years at least, covers the full scope of services outlined in our proposal, including audits, formal verification, vCISO services, advisory support, ChainSecurity & Certora tooling, and governance proposal reviews. We are also fully supportive of a continuous streamed payment setup, which offers transparency and aligns with DAO-native funding practices.

Milestones and Performance Metrics

We propose the following KPIs:

  • Governance Proposal Reviews completed within 24 business hours of request (Mon–Fri).
  • Audit Lead Time: New audit engagements scheduled within 2 weeks of request, and the re-review of fixes will start within 3 business days of code submission.
  • The vCISO owns the relationship with Compound and provides clear security leadership and guidance for the community. He is available full-time Monday to Friday. In case of absences, continuous service is provided by the dedicated backup vCISO.
  • Governance Participation: vCISO is active in the governance forums and ensures Compound maintains a proactive stance on security
  • Quarterly Security Updates: Summary posted to the forum every quarter
  • Ensuring that IR drills (led by ZeroShadow) happen every quarter and encouraging all relevant actors to participate in the drills and know their roles.

These metrics reflect our commitment to reliability, speed, and clarity—ensuring Compound receives proactive and responsive support, while maintaining rigorous standards across all engagements.

Conflict of Interest Declaration

ChainSecurity & Certora are not exclusive to Compound and do work with other protocols in the ecosystem that may be considered competitors or forks. However, we are fully committed to maintaining the highest standards of professionalism, confidentiality, and conflict management. We ensure that strict internal processes and access controls are in place to prevent any sharing of sensitive information across engagements. Both firms have longstanding reputations for handling such matters with discretion and integrity, and we take our responsibility to protect Compound’s information and interests extremely seriously.

Transition and Offboarding Plan

Our proposal is deliberately designed to avoid vendor lock-in and ensure smooth transitions. All deliverables will be documented, reproducible, and fully accessible to the DAO and any future service provider. We are committed to maintaining transparency and portability in all our work.

In the event the DAO chooses not to renew our engagement, we will fully support the onboarding of a new security provider. Our team will collaborate closely during the offboarding period, sharing documentation, context, and institutional knowledge to ensure continuity and prevent any loss in coverage or understanding. As security firms with strong reputations in the ecosystem, we understand the importance of professionalism and integrity in these transitions, and we will uphold that standard without exception.

We fully acknowledge and respect the DAO’s right to terminate the agreement with 60 days’ notice and will treat such a scenario with the same level of commitment, diligence, and cooperation as any other part of the engagement.


Section 5: Service Level Expectations (SLA)

This section includes SLAs for:

vCISO Support & Governance proposal reviews

Our vCISO - a senior ChainSecurity engineer allocated full-time on Compound - will be available constantly from Monday to Friday, with a handoff protocol for absences. He will provide:

  • security advisory (e.g. flagging risks and requesting additional layers of security such as formal verification or re-audits),
  • architecture recommendations,
  • audit-readiness support for developers,
  • coordination between the different security providers for smooth collaboration and best security practices,
  • governance proposals reviews.

The vCISO will offer complete availability, deep Compound expertise, and constant visibility on the current state of Compound and its governance. In addition, our tooling and the vCISO’s deep knowledge of the system will considerably reduce the duration of each review.

For urgent or concurrent proposals, we can pause active audits and allocate additional engineers to scale reviews without delay. The vCISO will work closely with the audit team. In case of sickness or holidays, the backup vCISO, a senior engineer with Compound expertise, ensures seamless coverage with the same level of service.

Following governance proposal reviews, our findings and recommendations will be delivered in the form preferred by the community, for example via the Compound forum, via Github, or any other preferred method.

Audits

For audits, our average lead time for scheduling audit engagements is approximately 2 weeks, depending on project scope and availability. Once the engagement begins, turnaround times typically range from 2 to 6 weeks, depending on codebase size and complexity. Our reporting process follows a clear, transparent structure:

  • Initial Report: Delivered upon completion of the audit, detailing findings with severity levels, impacted components, and remediation recommendations.
  • Revision Handling: We conduct one or more follow-up reviews to validate fixes and provide updates on resolved issues.
  • Final Report: Includes a summary of the full engagement, status of all findings, and is published in our standard format.

Final Considerations

Today, our shared goal is to help Compound regain and strengthen its position as a leading force in Web3. We bring both historical context and forward-looking capabilities, combining deep technical expertise and protocol familiarity. Our team is committed to ensuring security, reliability, and resilience in this next chapter, building on the legacy of Compound’s early impact while meeting the demands of today’s fast-moving landscape.

We deeply understand that security should accelerate development, not slow it down. Our approach is designed to support rapid iteration while maintaining rigorous standards. By integrating early into the development lifecycle, reusing proven security components, and collaborating closely with builders, we ensure that security is a foundation for faster, safer shipping—not a bottleneck. Our work is tailored to enable Compound to move quickly with confidence.

5 Likes
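The proposal above lists a post-deployment check that the contracts on chain carry “the expected bytecode and configuration”. The following is an added example of how such a check can be implemented; it is not tooling from ChainSecurity, Certora or Compound. It assumes the checker is handed the runtime bytecode from the build artifact, the runtime bytecode read from the chain (for instance via eth_getCode), and the offsets of immutable variables that solc reports in the artifact under evm.deployedBytecode.immutableReferences. All sample bytes, the admin address and the immutable offset are constructed for the example and are not Compound’s.

```python
"""Deployment validation for an upgraded contract: confirm the on-chain runtime
bytecode is the code that was audited, and that constructor-fixed configuration
(immutables) holds the expected values.

Added example, not tooling from ChainSecurity, Certora or Compound. It assumes
the caller already fetched the on-chain runtime code (eth_getCode) and has the
compiler artifact's runtime bytecode plus its immutable reference offsets
(solc reports them under evm.deployedBytecode.immutableReferences).
"""


def strip_cbor_metadata(code: bytes) -> bytes:
    """Drop the solc metadata trailer: a CBOR blob followed by its 2-byte
    big-endian length. The blob carries a source hash that changes with any
    comment or path edit, so it must be excluded from the comparison."""
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(code):
        return code  # no plausible trailer; compare the whole code
    return code[: len(code) - meta_len - 2]


def mask_immutables(code: bytes, immutable_refs) -> bytes:
    """Zero every byte range that holds an immutable. The artifact has zeros
    there; the chain has the values the constructor wrote."""
    buf = bytearray(code)
    for start, length in immutable_refs:
        if start + length > len(buf):
            raise ValueError(f"immutable reference {start}+{length} is outside the code")
        buf[start:start + length] = bytes(length)
    return bytes(buf)


def read_immutables(code: bytes, immutable_refs) -> dict:
    """Return {offset: raw bytes} for each immutable slot in the on-chain code."""
    return {start: code[start:start + length] for start, length in immutable_refs}


def validate_deployment(expected_runtime: bytes, onchain_runtime: bytes,
                        immutable_refs=(), expected_immutables=None) -> dict:
    """Compare audited vs deployed code ignoring metadata and immutables, then
    check the immutable values against the expected configuration."""
    refs = tuple(immutable_refs)
    expected_norm = strip_cbor_metadata(mask_immutables(expected_runtime, refs))
    onchain_norm = strip_cbor_metadata(mask_immutables(onchain_runtime, refs))
    immutables = read_immutables(onchain_runtime, refs)
    mismatched = sorted(
        off for off, want in (expected_immutables or {}).items()
        if immutables.get(off) != want
    )
    return {
        "bytecode_match": expected_norm == onchain_norm,
        "immutables": immutables,
        "config_match": not mismatched,
        "mismatched_immutables": mismatched,
    }


# --- constructed sample data (hypothetical, not real Compound bytecode) -----
SAMPLE_ADMIN = bytes.fromhex("11" * 20)            # hypothetical admin address
_PROLOGUE = bytes.fromhex("608060405234801561001057600080fd5b50")
IMMUTABLE_OFFSET = len(_PROLOGUE) + 1              # 32-byte slot after a PUSH32 (0x7f)
IMMUTABLE_REFS = ((IMMUTABLE_OFFSET, 32),)
_EPILOGUE = bytes.fromhex("8091505056")


def _with_trailer(body: bytes, meta: bytes) -> bytes:
    return body + meta + len(meta).to_bytes(2, "big")


def sample_artifact_runtime() -> bytes:
    """What the compiler emits: immutable slot zeroed, build-A metadata."""
    body = _PROLOGUE + b"\x7f" + bytes(32) + _EPILOGUE
    return _with_trailer(body, b"\xa2" + b"\x11" * 40)


def sample_onchain_runtime(admin: bytes = SAMPLE_ADMIN, tamper: bool = False) -> bytes:
    """What eth_getCode would return: immutable filled in by the constructor,
    build-B metadata (different source hash). tamper=True flips one opcode in
    the body, the case a deployment check must catch."""
    slot = bytes(12) + admin                        # address left-padded to 32 bytes
    epilogue = bytearray(_EPILOGUE)
    if tamper:
        epilogue[0] = 0x81                          # DUP1 -> DUP2
    body = _PROLOGUE + b"\x7f" + slot + bytes(epilogue)
    return _with_trailer(body, b"\xa2" + b"\x22" * 40)


if __name__ == "__main__":
    result = validate_deployment(
        sample_artifact_runtime(), sample_onchain_runtime(),
        IMMUTABLE_REFS, {IMMUTABLE_OFFSET: bytes(12) + SAMPLE_ADMIN})
    print(result["bytecode_match"], result["config_match"])
```

The raw on-chain bytes never equal the artifact bytes, because the constructor fills in immutables and the metadata hash differs between builds; a check that only compares raw code therefore always fails, while one that skips the comparison entirely misses a swapped opcode. Normalising both sides the same way, then separately asserting the immutable values against the expected configuration, catches both the wrong code and the right code deployed with the wrong parameters.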

Updated before Snapshot: Request for Proposal (RFP): Compound DAO Security Service Provider (SSP) Cyfrin - Part 1

Motivations to proceed to snapshot

Firstly, we want to thank the Compound Foundation, the CGWG, and especially Michael Lewellen and Aaron Schnarch for their transparency, professionalism, and thoughtful handling of this RFP process. An immense amount of care has gone into shaping the security future of Compound.

We fully respect the Foundation’s recommendation of ChainSecurity and Certora, both highly respected firms in the space. At the same time, we continue to believe that Cyfrin offers a uniquely strong alignment with Compound’s evolving needs and remain committed to this community as we move toward the final vote.

Why Cyfrin?

While it has been noted that Cyfrin lacks a prior audit history with Compound, we believe that security is ultimately about capability and commitment.

For much of Compound’s history, security was handled by a single, long-term, and respected partner - OpenZeppelin. This meant fewer opportunities for external vendors to demonstrate direct experience. But Compound is entering a new chapter, and with that comes new criteria: scale, responsiveness, involvement, and DAO alignment.

That’s where we believe Cyfrin leads.

vCISO

We’ve nominated Patrick Collins as our vCISO because we believe this role requires more than just deep technical skills. It demands a visible, principled leader who has the trust of the developer, security, and institutional communities alike.

  • Patrick is one of the most recognizable names in the Web3 security space.

  • He has taught Compound to hundreds of thousands of developers over the years.

  • He builds open-source tooling, contributes to standards, and educates with integrity.

With Patrick as vCISO, Compound gains a respected public representative who will champion its vision and advocate on its behalf, rather than just conducting reviews behind the scenes.

As Web3 enters a new era of regulatory clarity and TradFi integration, it needs more than a security vendor; it needs a strategic partner who understands both worlds. With Patrick Collins as vCISO and Cyfrin’s connections, Compound gains a visible, engaged leader who will champion its vision and represent the protocol with authority.


Throughput and bottlenecks

One of the significant points raised in this RFP process was throughput, the ability to execute multiple audits and reviews without bottlenecks.

Cyfrin answers this directly:

  • 4 named full-time Lead Security Researchers (LSR), with no junior staff.

  • 2 concurrent audits, guaranteed, scalable through our Eagles program (a vetted network of elite external researchers).

  • Flexible bandwidth to support governance reviews, upgrade audits, and tooling support. Simultaneously.

Other proposals mention “three teams” or “multiple firms”, without considering the number of LSRs involved in each audit. When it comes to capacity, our model addresses the exact throughput issues Compound has faced in the past.

Lower costs with no tradeoffs

In light of the DAO’s priorities and ZeroShadow’s collaboration with the DAO, we are lowering our proposed fee to $1.5M annually, 60%+ below historical spend and competitive with all finalists, while preserving full audit capacity, vCISO leadership, and security tooling.

We believe this is the most sustainable value-for-cost model for the DAO:

  • Two audits in parallel (not sequentially)

  • Dedicated advisory capacity

  • Named, public-facing vCISO

  • Open-source tooling and continuous education

Web3 is evolving. With increased regulatory focus, institutional scrutiny, and complex governance demands, Compound needs more than audits.

Cyfrin uniquely combines:

  • Security talent trained and led by former senior auditors from the leading firms

  • A strong educational arm (Updraft) to support internal team onboarding and DAO contributors

  • Strategic partnerships across institutions, research organizations, and security standards bodies

This isn’t just about coverage, it’s again about long-term stewardship, aligned with Compound’s vision.

A commitment to the DAO

We’ve chosen to move forward with the Snapshot vote because we sincerely believe our proposal offers more substantial alignment with Compound’s current needs, particularly in terms of cost efficiency, execution speed, education, and public-facing leadership.

While we respect the Foundation’s process, we believe that the evaluation may have placed too much weight on legacy affiliations and formal verification tooling (whilst we will be using Halmos from A16z), and not enough on sustained, real-world value to the DAO.

We’re not here to rely on prior relationships or incumbency. We’re here to bring a well-resourced, execution-focused security partner to the table. One that’s capable of delivering both strategic guidance and hands-on security from day one.

Cyfrin brings a leaner security model, built for continuous delivery and engagement, not point-in-time optics.

Compound deserves a partner who is both strategic and hands-on, capable of scaling with the protocol and engaging with the community at every level. That’s precisely what Cyfrin offers.

Updated Proposal

About Cyfrin

Cyfrin is a leading smart contract security firm providing industry-leading security audits, consulting, research, education, professional certifications, and security tools to some of the world’s most prominent institutions, organizations, and protocols.

In the last two years alone, Cyfrin has audited hundreds of protocols and trained over 100,000 blockchain developers and security researchers, while protecting more than $40 billion in Total Value Locked (TVL) across various chains. Our team combines technical depth, real-world DeFi experience, and a strong public track record to raise the security standards across Web3.

Cyfrin is the security partner trusted by some of the most targeted institutions, protocols, and infrastructure providers, including Uniswap, Lido, Ethena, Chainlink, Axelar, MetaMask, Euler, Ondo Finance, Benqi, Swell, Wormhole, M^0, Curve, Linea, Starknet, ZKsync, and Sonieum. Our engagements span the full spectrum of decentralized finance, cross-chain interoperability, and blockchain ecosystems. See the list on our Github (please note some reports and/or clients are not present due to confidentiality).

In addition to our work in Web3, Cyfrin also actively supports leading organisations in traditional finance and capital markets, including PwC, Libre Capital, and Securitize, reflecting our ability to meet the security and compliance standards of both crypto-native and regulated institutions.

Cyfrin acts as a key provider for several Security funds, including the Uniswap Foundation, Sonieum, and the ADPC, while closely working with Areta, a platform for Web3-native fund infrastructure, to deliver audit services, governance reviews, and deep technical due diligence to protocols backed by these ecosystems. Most recently, the Uniswap Foundation awarded a $1.2 million grant to Areta to launch the Uniswap Foundation Security Fund, aimed at supporting Uniswap v4 hook developers with subsidised access to top-tier audits.

As a member of the Abstract Chain Security Council and a founding member of the ZKsync Security Council, Cyfrin is entrusted with core governance and security roles within the ecosystem. The Security Councils are responsible for safeguarding protocol integrity, coordinating emergency upgrades, and enabling rapid, decentralized responses during high-risk security incidents. Our responsibilities include protocol-level threat modeling, emergency decision-making, and active collaboration with the ZKsync and Abstract Chain core teams, validators, and whitehat communities. This work reflects both Cyfrin’s deep expertise in smart contract security and our commitment to decentralized governance at scale.

In 2025, Cyfrin was part of the response team that helped mitigate a high-severity exploit involving over $5 million in at-risk funds. Acting in coordination with the ZKsync core contributors and other council members, we supported the successful recovery of the funds and closure of the incident via a negotiated whitehat bounty. Cyfrin’s involvement with ZKsync, Abstract Chain, and other Security Councils demonstrates our capacity to secure large-scale, cross-chain, governance-intensive protocols, not just through preventative audits, but by playing an active role in live incident response, security governance, protocol stewardship, and growth.

The Cyfrin Team

Cyfrin is founded and operated by some of the most prominent figures in the Web3 space:

Patrick Collins, CEO and one of the top Solidity educators and engineers worldwide, with over 8 million views on his courses and more than 250,000 subscribers across platforms. Beyond education, Patrick boasts extensive hands-on engineering experience, having worked on critical protocols and integrations within the blockchain space.

Alex Roan, CTO of Cyfrin and a seasoned Web3 developer with deep expertise in DeFi infrastructure. He has played a key role in building and securing major projects, including Chainlink, GMX, and Compound. His contributions have helped safeguard billions of dollars in value across DeFi. Alex’s technical leadership drives the development of security solutions tailored for complex, decentralized protocols.

Hans Friese, co-founder and lead security researcher at Cyfrin, where he drives innovation in smart contract auditing and Web3 security. Renowned for his deep expertise and unmatched precision, Hans earned the distinction of being the #1-ranked auditor on Code4rena. Widely respected, Hans has played a pivotal role in shaping modern smart contract security practices. He is also the creator of Solodit, a platform that empowers auditors and developers by aggregating real-world audit findings.

Dacian, the Security Research and Audit Team Lead at Cyfrin, oversees high-impact smart contract audits and advanced protocol security reviews for some of the most sophisticated projects in the blockchain ecosystem. Known for his meticulous attention to detail and deep understanding of complex DeFi architectures, Dacian is widely recognized as one of the top security auditors in the space. Dacian is a prolific researcher whose in-depth technical articles regularly appear in leading industry publications and newsletters, including BlockThreat.

Mark Scrine, CSO, previously the Strategic Lead for Proof of Reserve & Real World Assets at Chainlink Labs, where he led several of their biggest integrations, including protocols such as Circle, TrueUSD, Matrix Port, Avalanche Bridge, BackedFi, and Swell Network.

Vittorio Rivabella, formerly leading Developer Relations at Alchemy, the leading Web3 infrastructure provider, where he helped create Alchemy University and Road to Web3, educating tens of thousands of engineers.

Overview

To streamline Compound’s ongoing security operations, Cyfrin will dedicate a fully tailored security solution led by a dedicated vCISO, Patrick Collins, a prominent figure in blockchain security. Patrick brings strategic insight, advisorship, technical depth, visibility, and industry-wide influence through his work on smart contract best practices, wallet security standards, and multi-chain deployment frameworks.

Cyfrin commits four full-time Lead Security Researchers to Compound, along with one vCISO, ensuring rapid, context-aware responses and continuity.

Our audit methodology combines industry-leading expertise and manual reviews with cutting-edge static analysis, fuzzing, and formal verification, cutting-edge proprietary open-source security tooling, multi-sig threat modeling, and DAO-native incident readiness.

Leveraging our Lead Security Researchers and expertise, we will deliver on-demand availability for the deployment of new capabilities and significant upgrades.

By involving a broader team of seasoned domain-expert Lead Security Researchers, Cyfrin brings a variety of perspectives and fresh insights to each engagement, significantly improving coverage while reducing blind spots. This same layered, battle-tested, and collaborative approach tailored to Compound’s needs will extend to all vCISO discussions and governance reviews, led by Patrick Collins, reinforcing thoroughness and resilience across the board.

This fully personalised, dynamic framework streamlines onboarding and improves both the quality and efficiency of our assessments.

Under Patrick’s leadership, and with the help of 4 LSRs (Lead Security Researchers), Cyfrin will comprehensively cover all of Compound’s security needs, including:

  • Smart contract audits, with targeted formal verification, invariant, and fuzz testing

  • Audits of off-chain components, including infrastructure and tooling

  • Governance reviews, including calldata validation, risk modeling, and simulated executions

  • Real-time monitoring, dashboards, and alerting for governance-critical flows integrated directly into Compound’s coordination tools

  • 24/7 incident response, coordinated with multi-sig and foundation teams

  • War room coordination

  • Periodic security drills and tests

  • Proactive security advisory and security governance, driven by DAO alignment

  • Compound representation in Security contexts

In addition to the expertise of our security engineers and researchers, Cyfrin brings unique value through:

  • Cross-chain deployment expertise, including chain-specific threat reviews and onboarding risk assessments

  • Ongoing training and Cyfrin Certifications for Compound contributors at no additional cost

  • Developer education

  • DevSecOps services for multisigs, hardware wallets, and privileged accounts

The vCISO will serve as Compound’s representative in public security-related engagements, acting as the primary point of coordination for security communications and actions. Patrick Collins will make sure that contributors, stakeholders, and the broader Compound community have clear and timely insight into security priorities.

Responsibilities will include scoping and prioritizing security reviews, maintaining a comprehensive knowledge base of current and historical efforts, and defining clear expectations and best practices. The vCISO will work closely with both the Compound Foundation and the DAO, aligning security initiatives with the protocol’s strategic goals.

A team of dedicated Lead Security Researchers will support the vCISO, enabling depth and breadth in execution. The vCISO will also provide ongoing advisory support to Compound, including participating in protocol design discussions, reviewing governance proposals, and assisting contributors in identifying and mitigating risks across the stack.

Finally, Cyfrin will also create Compound-specific content on Cyfrin Updraft, the leading educational platform for Web3 engineers and security researchers, amplifying Compound’s reach to over 100,000 developers. This is discussed in Section 6.

Cyfrin brings an integrated education funnel, where Compound can not only secure protocol code, but also grow the next 10,000 secure developers building on it.

Existing Relationship With Compound

Cyfrin brings extensive expertise in DeFi protocols, with a strong understanding of Compound’s V3 architecture developed through proactive study of its public codebase, community discussions, and direct auditing experience. Several of our Eagles and Security Researchers have previously participated in audits or projects that are forks of the protocol, demonstrating a proven track record of high-quality findings, including winning a $100,000 contest of a v2 Compound fork.

Our strategy includes arranging a joint kickoff session and launching internal “Compound bootcamps” to accelerate the onboarding of the vCISO and auditors. These bootcamps will be supported by our CTO, former Smart Contract Lead at Chainlink Labs for several Compound integrations, and Cyfrin Eagles Security Researchers, who have previously audited the protocol:

  • Compound Governance Discussion

  • Compound GitHub Commit

  • Compound Governance Proposal

  • Testimonial & Testimonial 2 on the work completed

The Cyfrin team has conducted numerous audits across DeFi protocols, with a strong track record in uncovering critical and high-severity issues. The most relevant audit categories include:

  • Lending & Borrowing Protocols
    • Average of 3.67 Critical/High issues per audit

    • Demonstrates our deep technical understanding and consistent identification of high-impact vulnerabilities in complex financial primitives.

  • DAO Governance Systems
    • Average of 4.17 Critical/High issues per audit

    • Reflects our leadership in identifying systemic risks in on-chain governance mechanisms.


Updated before Snapshot: Request for Proposal (RFP): Compound DAO Security Service Provider (SSP) Cyfrin - Part 2

Section 1: Scope of Security Work

Leveraging Cyfrin’s extensive expertise, we will deliver security tailored to Compound’s evolving needs. Our work spans smart contract audits, governance review, cross-chain threat analysis, and security support across infrastructure and tooling. Led by a dedicated vCISO and a team of senior security researchers, we offer Compound both operational continuity and strategic oversight.

Through formal reporting, continuous monitoring, and proactive training, Cyfrin ensures robust risk management, faster response times, and empowered contributors. Our multi-chain capabilities, hands-on DevSecOps, and exclusive certifications (via Cyfrin Updraft) reinforce our commitment to Compound’s long-term success.

1a. Scope of Services

Cyfrin will deliver:

  • Smart contract & protocol audits of new code and core upgrades, with a focus on security, correctness, and gas optimization

  • Governance proposal reviews, including:

    • Calldata validation to ensure input integrity and prevent malicious payloads.

    • Risk modeling for token integrations and chain deployments, assessing economic, oracle, and systemic risks.

    • Collateral onboarding risk assessments, evaluating smart contract, oracle, and market risks of new assets.

    • Infrastructure, front-end, and off-chain tooling checks to secure the entire Compound ecosystem.

  • Formal security reporting, structured by severity according to an explicit risk classification framework (Critical, High, Medium, Low), with remediation guidelines prioritized for risk reduction.

  • Cyfrin Updraft Certifications: Solidity Smart Contract Developer Certification and Qualified Web3 Signer Certification provided at no additional cost, empowering internal teams and contributors.

  • DevSecOps for multi-sig wallets, permissioned accounts, and hardware wallet setups led by Patrick Collins, including secure key management best practices and incident readiness.

1b. Multi-Chain Support & Upgrade Expertise

Our experience spans all major L1s (Ethereum, Solana, Aptos, Sui) and all significant L2s (Optimism, Arbitrum, ZKsync, Base, Starknet).

For Compound specifically, we provide:

  • vCISO-led chain-specific threat reviews, identifying unique risks per chain and cross-chain interactions.

  • Detailed chain-specific deployment and upgrade checklists, including pre-deployment simulation and rollback strategies.

  • Continuous monitoring of emergent L2s and ecosystem upgrades via a dedicated research team.

1c. Resource Allocation

With 5 full-time security staff, including 4 Lead Security Researchers and a dedicated vCISO, Cyfrin commits the most prominent and most accessible team to Compound’s security lifecycle. This means no waiting, no backlog, and no compromise on velocity:

  • 5 Full-Time Employees: 4 Lead Security Researchers + 1 vCISO dedicated exclusively to Compound.

  • The Cyfrin Eagles program will provide redundancy from domain experts and handle peak demand.

  • Continuous collaboration through shared communication channels, ticketing, triage, and transparent documentation to ensure operational continuity and rapid response times.

1d. Additional Services

Cyfrin doesn’t just support Compound’s governance; we participate in it. From forum engagement to contributor training to proposal simulation tooling, we treat security as a shared, DAO-native discipline, not a black box:

  • Training sessions for Compound contributors, governors, and multisig signers, through Cyfrin Updraft and Cyfrin Wise Signer.

  • Real-time security dashboards incorporating off-chain feeds, alerts, and analytics.

  • Governance alerts integrated with community chat, forums, and on-chain event watchers to proactively flag risks and suspicious activity.

Section 2: Technical Methodology and Audit Process

Cyfrin’s audit process centers around a systematic manual review, supplemented by automated, open-source tooling, stateful fuzz testing, and formal verification, to thoroughly assess the security of smart contracts. These tools, including Aderyn, Echidna, Medusa, Halmos, and the multi-fuzzer framework Chimera, enhance detection and ensure rigorous, context-aware analysis.

2a. Audit Methodology

Our audit process blends automated tooling with expert, manual review:

  • 4 Dedicated Lead Security Researchers, plus a dedicated fuzzing engineer

  • Static analysis & linting using tools such as Slither and Aderyn to catch common vulnerabilities early on during the quoting phase

  • Thorough research phase before any audit to ensure maximum context of the protocol and its external dependencies

  • Systematic manual inspection cross-referenced against comprehensive checklist items

  • Custom test suite and property-based stateful fuzz (invariant) testing

  • Fuzzing with Echidna, Foundry, and Medusa to explore unexpected contract states, inputs, and other edge cases

  • Differential testing to ensure the correctness of functionality and state that is expected to have equivalence, especially when performing contract upgrades

  • Formal verification applied through Halmos and Certora Prover for critical contract components, mathematically proving the correctness of key invariants

  • Governance threat modeling, emphasizing upgrade mechanisms, timelocks, oracle integrations, and multisig control paths to uncover complex social and technical attack vectors

  • Post-deployment alerts and support

At the end of each security review, the Cyfrin team will assist the Compound team during the mitigation to ensure all necessary fixes are correctly implemented and no new vulnerabilities are introduced.

Cyfrin Tooling and Toolset

At Cyfrin, we’ve developed and/or utilize a suite of open-source tools designed to empower our researchers with deeper insights and equip engineers with a more secure and efficient building experience. These tools are fully integrated into our audit process and will be provided to Compound at no additional cost.

Cyfrin tools are free, open, and reusable, even after our engagement ends. This ensures that Compound retains its security capabilities and knowledge, regardless of who the provider is.

Cyfrin Aderyn

Aderyn, developed in Rust, delivers seamless integration across both small-scale and enterprise-level development workflows. It provides ultra-fast command-line static analysis coupled with a flexible framework for creating custom detectors tailored to any Solidity codebase. Backed by funding from the Ethereum Foundation in late 2024, Aderyn’s adoption has been accelerated through the development of its dedicated VS Code Extension.

Halmos Formal Verification

Halmos, developed by a16z, distinguishes itself as a leading formal verification tool by offering a fully open-source framework that eliminates licensing restrictions, enabling deep integration into custom development pipelines. It leverages SMT solvers to efficiently verify complex smart contract properties, supporting rich specification languages that allow precise modeling of contract logic and invariants. Key technical strengths include:

  • Modular architecture that supports extensibility and automation for seamless CI/CD integration

  • Efficient SMT-based verification capable of handling intricate protocol-level correctness properties

  • Support for expressive specification languages enabling detailed and accurate contract modeling

  • Open-source nature allowing unrestricted use, free from any vendor lock-in, customised to project needs

This combination provides developers with strong correctness guarantees, early bug detection, and cost-effective flexibility unmatched by many formal verification tools.

2b. Audit Workflow & Deliverables

Cyfrin follows a structured audit workflow, from scoping to final report delivery, which includes both manual and automated testing, severity-ranked findings, and collaborative, assisted mitigation reviews. Governance proposals receive specialized, simulation-based evaluation to ensure security and efficiency before approval.

  • Scoping and onboarding: Clear definition of audit scope and deliverables.

  • Kick-off call to align on priorities and timelines.

  • Audit execution: Deep manual and automated testing according to scope.

  • Draft findings with categorized severity (Critical, High, Medium, Low), exploitability, and reproducible proof-of-concept code where applicable.

  • Mitigation review sessions to collaboratively verify fixes and improvements.

  • Final report delivery: Comprehensive report optionally shared DAO-wide to promote transparency and community confidence.

  • Typical turnaround: 2 weeks, depending on scope and complexity; expedited 1-week turnaround for urgent governance proposal reviews.

Each security review will end with a thorough report that includes:

  • The threat model that guided our analysis

  • An updated testing suite, reflecting the audit process

  • A dedicated invariant testing suite, depending on complexity and external dependencies

  • Architecture diagrams (when applicable) to illustrate protocol structure and associated threat surfaces

  • A detailed list of findings, with clear severity ratings and impact explanations

  • Actionable mitigation recommendations

  • A summary of the invariants, pre-conditions, and post-conditions verified using Halmos, along with an analysis of what these checks imply for protocol-level security

Following the implementation of mitigation steps, Cyfrin conducts a second in-depth review, specifically targeting the changes to ensure that no new risks or vulnerabilities have been introduced.

In parallel, governance proposals will be evaluated by our vCISO team. This extends beyond basic threat analysis, as each proposal is executed against mainnet state in a controlled environment using a specialized test suite. This verifies correctness, enforces system invariants, and detects gas inefficiencies or regressions. This process not only speeds up the review timeline but also significantly reduces the risk of governance-related incidents.

2c. Quality Assurance & Track Record

Beyond vulnerability identification, if deemed necessary by our auditors, we also perform architecture analysis, fuzz testing, invariant testing, and improvement pull reviews, offering specialised expertise such as formal verification, code analysis, and testing feedback.

Our elite team of auditors, led by Dacian, one of the world’s top auditors, brings their extensive skills to focus solely on evaluating a single protocol’s codebase. His leadership ensures that our team delivers thorough and meticulous evaluations, leveraging their expertise to enhance the security and reliability of the protocols they examine.

Cyfrin has a proven track record of identifying and responsibly disclosing critical vulnerabilities both pre-deployment and post-deployment. A recent example is our work on Bunni, a Uniswap V4 hook, where we discovered and disclosed a critical vulnerability after the protocol had already gone live with over $7 million in TVL. This enabled mitigation before any exploit could occur, preserving user funds and contributing to the protocol’s security and reputation. Since our disclosure, Bunni has seen significant adoption, growing to over $70 million in TVL.

Over the years, our team has uncovered novel multi-chain attack vectors and led coordinated disclosures across affected platforms, protecting hundreds of millions in total value locked. We have played key roles in high-severity incident response war rooms.

All of our public audit reports are available on the Cyfrin GitHub, organized by sector and categorized by the average number and severity of vulnerabilities identified. This structure provides clear insight into our methodology, findings, and the breadth of our work across the Web3 ecosystem.

Additionally, you can review the work of our Audit Team Manager, which includes their articles published in BlockThreat and some vulnerabilities they’ve uncovered.

In addition to this public research output, the Cyfrin Audit Team has a keen awareness of the attacks that have previously affected Compound, its forks, and other similar lending protocols. This includes vectors such as various forms of reentrancy, share price inflation through donations, rounding, and other manipulations, including dangers associated with empty markets, liquidations, and various forms of governance attack.

Section 3: Risk Management & Incident Response

Cyfrin provides 24/7 risk management and incident response, combining rapid triage, formal verification, and close collaboration with Compound to ensure swift, secure remediation of critical vulnerabilities.

  • 24/7 on-call by vCISO and lead auditor

  • Rapid triage using forensics tools; coordination with multi-sig

  • Example: mitigated unauthorized collateral addition during a flash event in 2023

In the event of discovering a vulnerability, Cyfrin follows a strict, coordinated responsible disclosure process that prioritizes the security of Compound above all else. Whether the issue is uncovered through audits, automated testing, or continuous monitoring, our team acts with urgency and discretion.

Upon identifying a critical issue, Cyfrin immediately initiates triage by notifying Compound’s designated security contacts through secure, encrypted communication channels. Each disclosure includes a detailed technical analysis, severity classification, and potential exploit scenarios where applicable.

Our collaboration extends beyond identifying vulnerabilities; we work closely with Compound’s developers to implement secure and effective solutions. We rigorously evaluate proposed fixes using a combination of manual analysis, automated tools, and formal verification methods. Each patch is thoroughly validated to ensure the original issue is resolved without introducing additional risks. When necessary, we allocate dedicated engineering resources to perform expedited reviews under strict timelines.

Disclosure is handled with care. Our customers’ privacy and security operations are our top priority. No vulnerability is made public until Compound confirms it has been fully mitigated and user funds are secure. At that point, we are happy to support a transparent post-mortem process to benefit the broader ecosystem.

Example:

In 2025, Cyfrin was part of the response team that helped mitigate a high-severity exploit involving over $5 million in at-risk funds. Acting in coordination with the ZKsync core contributors and other council members, we supported the successful recovery of the funds and closure of the incident via a negotiated whitehat bounty. Cyfrin’s involvement with ZKsync, Abstract Chain, and other Security Councils demonstrates our capacity to secure large-scale, cross-chain, governance-intensive protocols, not just through preventative audits, but by playing an active role in live incident response, security governance, and protocol stewardship.

Section 3: Risk Management & Incident Response (ZeroShadow)

We look forward to collaborating closely with ZeroShadow during high-severity governance reviews or when cross-functional incident coordination is required. Their dedicated IR function complements Cyfrin’s auditing and governance specialization.

“ZeroShadow has been selected as the dedicated monitoring and incident response (IR) provider under a separate $250K annual engagement. This approach solidified after ZeroShadow was named as a vendor in two separate SSP proposals, and the Foundation had the opportunity to reimagine the best security framework for Compound’s current needs. Carving out the IR engagement as a standout provider allows Compound to benefit from 24/7/365 coverage with a virtual Security Operations Center (vSOC)—fully embedded within Compound’s monitoring infrastructure. Their responsibilities include:

  • Setting up a monitoring solution and tuning detection logic to reduce alert noise, utilizing the latest methodologies including AI
  • Triaging alerts in real time and coordinating incident response
  • Responding to governance attacks, smart contract exploits, phishing attempts, and multisig compromise
  • Running tabletop exercises and improving preparedness of the protocol to proactively respond and resolve security incidents in coordination with the Community Multi-sig

While the Foundation interviewed other incident response offerings that applied to the SSP RFP, ZeroShadow was selected for its battle-tested team, “follow the sun” operational framework, fund recovery experience, and strong track record supporting major incidents, including work with SEAL to combat DPRK cybercrime. ZeroShadow will work closely with the Compound Foundation, selected SSP and Community Multisig to ensure rapid, informed response.

You can read more about ZeroShadow in their proposal the Foundation has asked them to provide here.”

Section 4: Commercial Terms and Commitment

Cyfrin proposes a flexible and transparent annual retainer structure designed to provide Compound with continuous, high-assurance security support across audits and governance. The retainer includes:

  • Unlimited proposal reviews with full 24/7 incident response coverage

  • As many audits as needed, with up to two engagements conducted simultaneously; additional concurrent audits can be accommodated through Cyfrin’s Eagles program at a supplementary rate.

  • Governance Proposal Reviews will be completed within one business day (Monday–Friday), with expedited paths available for urgent matters.

  • New audit requests will be scoped and scheduled within two weeks, and follow-up reviews of remediations will commence within three business days of receiving the updated code.

  • The designated vCISO will serve as Compound’s primary point of contact for all security matters, providing leadership, risk prioritization, and operational oversight. Full-time availability is guaranteed during weekdays and weekends.

  • The vCISO will maintain an active presence in Compound’s governance discussions, contributing to proposals, identifying security risks, and helping shape the future roadmap.

  • A structured report summarizing audit findings, incident response actions, and security trends will be published every quarter to ensure transparency and continuous improvement.

  • The engagement will be funded via quarterly COMP streams, aligning with Compound’s governance and budgeting structure.

Conflict of Interest

To avoid any potential conflicts of interest, Cyfrin will not engage with or audit any protocol that is forked from Compound. We enforce strict client confidentiality and trust across all engagements.

Offboarding Process

In the event of transition or offboarding, Cyfrin commits to a structured and responsible handover process. This includes:

  • Deliver a complete export of audit and tool-setup documentation, and testing suites
  • Host up to three live handover sessions with the incoming SSP
  • Transfer all credentials, Slack integrations, and DAO coordination tools
  • Maintain active support throughout the 60-day wind-down period
  • Provide zero lock-in: all tools used (e.g., Halmos, Aderyn) are open-source and remain usable.

We’re here to serve the DAO, not entrench a vendor. Our exit plan is as structured, streamlined, and professional as our onboarding process, ensuring Compound’s security remains continuous, decentralized, and community-owned.

Section 5: Service Level Expectations (SLA)

Cyfrin is committed to delivering timely, reliable, and high-quality security services with clear response windows and communication channels. These service levels ensure Compound receives proactive support across audits, governance, and incident response. The following SLAs define our operational standards:

  • Incident Response

    • 24/7 availability via encrypted PagerDuty hotline

    • Coordination with Compound Foundation, multisig signers, and whitehat responders

  • vCISO and Lead Security Researcher Support

    • Advisory support provided within one business day

    • Weekly check-ins and monthly strategic reviews

    • Lead Auditor as primary contact; backup vCISO ensures continuity

  • Governance Proposal Reviews

    • Standard proposals are reviewed within 48 hours

    • High-priority proposals are expedited within 24 hours

  • Security Audits

    • Scheduling lead time: 2-4 weeks post-scoping

    • Turnaround times:

      • Small (≤ 5k NSLOC): 2 weeks

      • Large (≤ 15k NSLOC): 6 weeks

    • Deliverables include severity gradation, proof-of-concept examples, and actionable mitigation guidance

Section 6: Cyfrin Updraft for Compound (Additional)

We will help Compound regain its position in the Web3 ecosystem through our security-first approach; however, the reality is that the work is just starting. We want to attract developers in Web3, Web2, and traditional finance to use and build on Compound safely and securely.

That is where Cyfrin Updraft comes in. We are the leading Smart Contract development education platform, offering over 200+ hours of step-by-step, project-based blockchain development and security courses.

These courses are led by our in-house educators and top blockchain engineers, reaching millions of developers worldwide. We have already built courses for some of the biggest protocols, chains, and tooling in Web3, including but not limited to Circle, Uniswap, GMX, Chainlink, Rocketpool, ZKsync, Tenderly, Certora, and Halmos.

What We Have Built:

  • Over 200+ hours of video and written lessons covering topics from blockchain fundamentals to advanced Smart Contract security.
  • Hands-on projects and walkthroughs tailored to developers’ needs.
  • Successful education campaigns that onboarded thousands into professional Web3 roles and developer pipelines.

Why Our Developer Education is the Best in the Industry:

  • Trusted by 220K+ community members and 60K+ active monthly developers.
  • Loved for its practical, hands-on approach to Web3 education.
  • Recognized for cultivating highly skilled and engaged developer communities.

Updraft High-Level Statistics (Last 30 Days)

  • 220K+ Updraft community members
  • 1M+ Monthly Impressions
  • 60K+ Monthly Active Developers
  • 15K+ Monthly New Students

We teach a range of technical languages, including Python, JavaScript, Rust and Solidity, focusing on building and deploying on Web3 following best practices. As part of the engagement, we would suggest building out a Compound-specific course for our army of developers and traditional finance clients using Updraft.

Course Overview

Learn how to build on top of Compound, one of the foundational protocols in DeFi. Understand how lending and borrowing work on-chain, and get hands-on with the building blocks of DeFi money markets.

Module 1: Introduction to Compound

  • What is Compound?

  • Brief history and ecosystem relevance

  • Use cases: Lending, borrowing, and earning interest

  • Why Compound matters in DeFi composability

Module 2: Core Concepts & Architecture

  • cTokens: What they are and how they work

  • Supplying vs. Borrowing assets

  • Collateral factors & liquidation thresholds

  • Interest rate models

  • Role of the Comptroller and Price Oracle

Module 3: Supplying Assets

  • How to supply ETH or ERC20 tokens

  • Understanding cToken balances

  • Accruing interest over time

  • Viewing supply balances and exchange rates

Module 4: Borrowing Assets

  • Entering markets and enabling collateral

  • Calculating how much you can borrow

  • Understanding borrow rates and risk

  • Health factors and collateral ratios

Module 5: Repaying and Redeeming

  • Repaying borrowed assets

  • Redeeming your supplied collateral

  • Withdrawing accrued interest

  • Understanding redeem rates and costs

Module 6: Liquidations and Risk Management

  • What triggers a liquidation?

  • The liquidation process and incentives

  • How Compound mitigates risk

  • Safe borrowing strategies

Module 7: Using Compound in Development

  • Overview of Compound’s smart contracts

  • Mainnet forking and simulation

  • Integrating Compound into dApps

  • Best practices for DeFi development

Module 8: Exploring the Compound Ecosystem

  • Governance and COMP token

  • Audit history and security model

  • Compound v3 vs v2 (brief introduction)

  • Developer tools and SDKs

Module 9: Understanding Governance and Proposals

  • Role of governance in Compound

  • How proposals are created, voted on, and executed

  • Example walkthrough: Reviewing a past governance proposal

  • How to safely inspect and simulate proposals before voting

Module 10: Basic Security & Monitoring Concepts

  • Common risks in DeFi (reentrancy, oracle attacks, misconfigured governance)

  • What “auditing” actually means

  • How Compound uses monitoring tools like ZeroShadow, Hypernative, Halmos, and Aderyn

  • Best practices when submitting code, using third-party tokens, or proposing upgrades

Final Project

  • Build a basic dApp that supplies and borrows using Compound

  • Display real-time lending/borrowing stats

  • Simulate risk scenarios using health factors

Pricing

Please note that it is a heavily discounted weekly rate for our Lead Security Researchers, based on the length of the engagement and long-term commitment.

Category | Description | Yearly Cost
--- | --- | ---
Audit Services | Private Audits for Compound - 4 Lead Security Researchers | $1.3M
Governance Reviews | Unlimited, SLA-backed | $100,000
vCISO + Advisory | 1 FTE senior exec + 3 researchers | $100,000
Incident Response & Monitoring | Covered by ZeroShadow | $0
Cyfrin Updraft | Compound Course & Certifications | $0
Tooling & Automation | OSS security stack + maintenance | $0
Total | Internal Value | $1.5M

Summary

At Cyfrin, we see ourselves as core infrastructure. Our main goal is to help Compound expand its leadership in DeFi by embedding world-class security at every level. With deep experience in lending protocols and governance systems, we bring a track record of discovering and mitigating critical vulnerabilities, both pre- and post-deployment.

We work differently: integrating early, enabling rapid iteration without compromise. Our audits are only part of the story; we actively shape secure development practices that will scale with Compound's protocol complexity. Through our Cyfrin Updraft course, we're also training the next generation of smart contract developers with a strong foundation in DeFi and want them to use and build on Compound.

We're not just bringing world-class security to Compound, we're delivering a long-term strategy without vendor lock-in. Our approach goes beyond audits, enabling top talent from both Web3 and traditional finance through education to build confidently on Compound and contribute securely to its growth.

3 Likes

Hacken - Proposal for Security Service Provider (SSP) to Compound DAO

Author: Bryn Bennett - Partner, Security & Compliance
Telegram: @bryn_hacken
Email: b.bennett@hacken.io

General Overview

Hacken is an end-to-end blockchain security and compliance provider for digital assets. Since 2017, we have worked with leading DeFi protocols and DAOs to build resilient, transparent systems. Our team of over 70 senior engineers, blockchain researchers, and white-hat hackers has delivered more than 1,600 public audits for protocols like 1inch, NEAR, and Polygon. We specialize in smart contract auditing, protocol security, and incident response, with deep expertise in Solidity, Rust, Go, MOVE, and cross-chain protocols.

For Compound, we offer a comprehensive security solution that combines expert audits, real-time monitoring, and a dedicated vCISO. Our approach is collaborative and transparent, designed to empower the DAO and protect its treasury. We are committed to open communication, knowledge sharing, and supporting Compound’s long-term growth.

Existing Relationship with Compound

While Hacken has not previously served as Compound’s direct security partner, our team has a strong track record with lending protocols and DAO governance. In May 2025, our researchers published a detailed analysis of Compound’s security history, highlighting actionable lessons and best practices. This research demonstrates our commitment to understanding Compound’s unique risks and our readiness to deliver immediate, context-aware value.


Read more: DeFi Security Best Practices: Lessons from Compound - Hacken

Onboarding Plan and Alignment

We propose a structured onboarding process, including a dedicated vCISO, a deep-dive into Compound’s protocol, and close collaboration with the Compound Foundation. Our team will review all relevant documentation, past and current audits, open and closed issues, and the source code for both Compound v2 and v3. We will also engage with community resources and previous governance proposals. During onboarding, we will coordinate with the Foundation to arrange briefings and training, ensuring a smooth and effective start.


Check out our vCISO services page & deck

Relevant Security Partnerships or Clients

Hacken has provided security services to leading DAOs and DeFi protocols such as Arbitrum, 1inch, NEAR, and Radix. Our public audit reports and incident postmortems are available on our Audit Portfolio. We have extensive experience with governance, lending, and cross-chain deployments, and we encourage the Compound community to review our distinguished case studies and client feedback.


Check out the full Hacken Audit Portfolio. Filters can be used to discover our specialties and the quality of our reports.

Section 1: Scope of Security Work

1a) Scope of Services Overview

Hacken will provide Compound with comprehensive security coverage, including:

  • Smart contract and protocol audits for new deployments, upgrades, and integrations.
  • Active participation in Compound governance, including timely proposal reviews, risk assessments, and regular engagement in forums and calls.
  • Dynamic, automated testing of every change on a mainnet-forked environment
    • We will arrange and maintain a dynamic, automated mainnet-forked testing environment with comprehensive and expanding test coverage to streamline regression testing and quickly verify the impact of any code upgrade or proposal implementation on the protocol.
  • Continuous monitoring of protocol operations and governance activity through our Extractor platform, ensuring proactive exploit detection and prevention.
  • Security advisory and vCISO services, including on-demand guidance, design reviews, documentation, and staff training.
  • Comprehensive off-chain security coverage, including penetration testing and threat-led penetration testing (TLPT) of dApps, front-end, APIs, and infrastructure.
  • Incident response and postmortem support.
  • 30-day DualDefense crowdsourced audit competitions after each Hacken audit, combining internal and external expertise for maximum coverage.
  • Optional: Front-end and off-chain system reviews, governance participation, and internal security tooling.

Competitive Features:


Our Extractor platform offers real-time, permissionless monitoring of contract deployments and upgrades, ensuring all live code matches what the DAO has approved and audited. It provides real-time threat detection, compliance monitoring, token and treasury event tracking, cross-chain coverage, and customizable detectors tailored to Compound’s needs.


Check out this case study of the Level Finance hack. If Extractor had been enabled here, it would have detected the attack 7 days in advance and saved $1.1M.

DualDefense is Hacken’s unique crowdsourced audit model that combines a traditional expert audit with a 30-day crowdsourced competition, inviting thousands of vetted security researchers to review the code after the initial audit. This two-layered approach maximizes vulnerability discovery and provides Compound with an extra level of assurance before any deployment. Learn more about DualDefense.


Our bug bounty and crowdsourced audits platform, HackenProof, features over 45,000 KYC’d security researchers and supports DualDefense competitions for extra assurance.

1b) Multi-Chain Support and Upgrade Expertise

Hacken has audited protocols across Ethereum mainnet, Arbitrum, Optimism, Base, Polygon, Unichain, Linea, and other L2s. We assign a dedicated vCISO to oversee multi-chain security, coordinate with protocol engineers, and ensure secure integration and deployment across all supported networks.

1c) Resource Allocation and Availability

We propose a dedicated team structure for Compound:

  • Two FTE Smart Contract Specialists for in-depth audits and ongoing codebase monitoring.
  • One PTE L1/Blockchain Specialist for protocol-level security and cross-chain integrations.
  • One PTE Extractor Specialist for monitoring, data extraction, and anomaly detection.
  • One FTE vCISO for overall security leadership and coordination.
  • Optional: One dApp Specialist for front-end and off-chain reviews.

Our Principal Solidity Smart Contract Auditor Ataberk Yavuzer will serve as the dedicated vCISO, with backup from Offensive Security Services Director Grzegorz Trawiński and his team to ensure continuous coverage.

Ataberk Yavuzer’s CV
Grzegorz Trawiński’s CV

1d) Additional Services or Tools

  • Regular security updates and participation in governance calls.
  • Operational security workshops for DAO contributors and ISO 27001 implementation for the Foundation.
  • Custom dashboards for monitoring, anomaly detection, and reporting.
  • Automated incident response actions, pre-configured by the DAO.
  • Open-source forked testing infrastructure for CI and regression testing.
  • Penetration testing and red team operations for off-chain assets, tailored to the DAO’s risk appetite and regulatory needs.
  • Active governance engagement, including regular updates and open communication.
  • Optional formal verification for critical contracts, with competitive quotes from leading providers.

Section 2: Technical Methodology and Audit Process

2a) Audit Methodology

Our audit process combines manual code review with advanced automated analysis, following industry best practices. Each engagement includes:

  • Manual review by multiple senior auditors to identify logic errors, access control issues, and protocol-specific risks.
  • Automated analysis using static analysis tools, linters, and custom scripts.
  • Dynamic testing on a forked mainnet environment for high-fidelity validation.
  • Fuzz and invariant testing to uncover edge-case behaviors and economic attack vectors.
  • Governance and economic risk assessment to identify non-code threats.
  • Comprehensive coverage of all code paths, dependencies, and integrations.
  • Deployment verification through Extractor’s contract hash and proxy upgrade detectors.
  • Transparent, reproducible, and actionable findings, with all steps documented and available for review.

Please check out our documentation to find our full auditing methodologies.

2b) Audit Workflow and Deliverables

Our standard workflow includes:

  • Scoping: Define audit scope, codebase, and timelines.
  • Kickoff: Secure code handoff and context gathering.
  • Review: Parallel manual and automated analysis.
  • Preliminary findings: Early notification of critical issues.
  • Draft report: Full findings, severity classification, and remediation guidance.
  • Remediation review: Verification of fixes and updated report.
  • Final report: Public or private, as required, with clear severity levels and recommendations.
  • Post-audit support: Ongoing advisory and clarification as needed.

Turnaround times are typically one to two weeks for standard audits. Urgent governance proposal reviews can be completed within 48 hours.


The Hacken Portal is an internal dashboard that lets you plan, track, and respond to audits in one place, offering Gantt charts for audit stages, real-time issue tracking, and a clear overview of all key audit details.

2c) Quality Assurance and Track Record

All findings are cross-checked by at least two senior auditors, with a dedicated QA lead reviewing methodology adherence and report clarity. Lessons learned from past incidents are integrated into future audits. Our track record includes identifying and remediating critical vulnerabilities in major DeFi protocols, with over 1,600 published audits available for review.


We invite the Compound community to review our Customer Feedback; we are very proud of it!

Section 3: Risk Management and Incident Response

3a) Vulnerability Triage and Disclosure

We follow a strict responsible disclosure protocol. Upon discovery of a vulnerability:

  • Immediate notification to core Compound contacts within 30 minutes.
  • Critical vulnerabilities trigger immediate triage and remediation support.
  • Remediation planning with protocol engineers, including proof-of-concept exploits if needed.
  • Public disclosure only after a fix is deployed and user safety is confirmed, with timelines agreed upon with the Foundation.
  • All sensitive disclosures are handled via encrypted channels.

3b) Incident Response Support

In the event of a live exploit or incident, Hacken provides:

  • 24/7 technical investigation and rapid mobilization of our incident response team.
  • Direct collaboration with the Foundation, core contributors, and whitehat communities.
  • Detailed postmortems and lessons learned, shared with the DAO.

3c) Continuous Monitoring and Threat Detection

Our Extractor platform offers:

  • Automated on-chain monitoring of deployments, governance proposals, and market activity.
  • Real-time alerts for detected threats or suspicious activity.
  • Regular manual sweeps of protocol activity and governance forums.
  • Deployment integrity verification, attack detection, compliance monitoring, and custom detector development.
  • All monitoring logic and results are open for DAO oversight.

Our real-time monitoring includes custom detectors tailored to Compound’s business logic, analyzing protocol activity for anomalies in value exchange, events, and opcodes. We update and adjust monitoring setups with every contract upgrade to ensure new logic is fully covered. Automated incident response strategies are mapped to known threats, enabling on-chain auto-actions when specific conditions are met. Dedicated security experts analyze the monitoring dashboard 24/7, interpret all alerts, assess risks, and promptly report to the Compound security team. We will also provide comprehensive monitoring of the $COMP token, including delegations, large transfers, and balances on centralized exchanges.

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model

Our pricing proposal will be submitted privately to the Compound Foundation as per the RFP. We offer a flat annual retainer covering all core services, ensuring predictable costs and full lifecycle coverage. We support a continuous streamed payment setup in COMP, with all terms aligned to DAO requirements and a 60-day termination clause.

4b) Milestones and Performance Metrics

We measure performance against clear KPIs, including:

  • All standard audits delivered within agreed timelines.
  • Urgent governance proposal reviews completed within 24 to 48 hours.
  • Critical vulnerabilities triaged and communicated within 30 minutes.
  • Quarterly public security updates and postmortems delivered on time.
  • Participation in all governance calls and monthly written security updates.
  • Zero critical vulnerabilities in production code post-audit.
  • Reduction in average time-to-mitigation for critical incidents.

4c) Conflict of Interest Declaration

Hacken works with a range of DeFi protocols, including some that may be considered Compound competitors. We maintain strict confidentiality and firewall policies, and are ISO 27001 compliant. Any direct conflicts will be disclosed immediately, with appropriate safeguards implemented. There are currently no known conflicts.

4d) Transition and Offboarding Plan

We are committed to a frictionless, community-aligned offboarding process:

  • Delivery of a complete handover package within 10 business days of notice.
  • Live transition workshops and Q&A sessions for the incoming provider and the DAO.
  • All documentation and knowledge made available to the DAO.
  • No vendor lock-in: all proprietary tools and configurations are transferred for immediate use.
  • Up to 30 days of post-offboarding support at no additional cost.
  • Full cooperation with the DAO’s right to terminate with 60 days’ notice.

Section 5: Service Level Expectations (SLA)

5a) Incident Response

  • Critical (CRITICAL) vulnerabilities triaged and initial notification sent to Foundation within 30 minutes of discovery.
  • High (HIGH) vulnerabilities triaged and initial notification sent to Foundation within 1 hour of discovery.
  • Remediation guidance provided for Critical/High vulnerabilities within 4 hours of initial notification.
  • Proof-of-Concept (PoC) exploits for Critical/High vulnerabilities provided within 48 hours of request (if applicable).
  • Automated detection and response through Extractor.
  • Coordination with the Foundation and contributors within 30 minutes.
  • Post-incident review shared within 7 business days.

5b) vCISO Support

  • On-demand advisory support with a response time of 4 business hours for urgent requests and 1 business day for standard inquiries.
  • Regular security briefings and strategic check-ins as agreed with the Foundation.
  • Backup coverage by the Offensive Security Services Director within 24 hours if needed.

5c) Governance Proposal Reviews

  • Standard governance proposals reviewed within 48 hours.
  • Expedited support for urgent submissions as capacity allows.
  • Findings delivered in a clear, actionable format, communicated both privately and publicly as appropriate.
  • Active participation in governance discussions.

5d) Code Audits

  • Average lead time for audit engagements is one to two weeks.
  • Standard audits completed within one to two weeks.
  • All reports follow a standardized format, with severity levels and remediation guidance.
  • Final reports delivered after remediation review and published for DAO transparency.
  • 30-day DualDefense competitions commence as final reports are published, if requested.

5e) Engagement

  • Proactive participation in all governance calls and forums.
  • Timely responses to community questions.
  • Monthly or more frequent written and verbal security updates to the DAO.
  • Educational sessions and open office hours to foster a security-first culture.

Final Considerations

Hacken is committed to supporting Compound’s next era with a security partnership grounded in transparency, technical rigor, and operational reliability. Our team brings deep experience with lending protocols, DAO governance, and cross-chain deployments, as well as a proven track record of incident prevention and response. We continuously invest in proprietary tools, public audit repositories, and open knowledge sharing to strengthen the security posture of the protocols we serve.

We view ourselves as an extension of the Compound community, focused on long-term resilience and sustainable growth. We welcome the opportunity to answer questions, participate in governance discussions, and demonstrate our commitment to Compound’s mission.

Thank you for considering Hacken as your security partner. We wish the best of luck to all teams participating. May the best team win!

19 Likes

Compound Security Initiative (CSI) - Proposal for Compound DAO Security Service Provider

We are proposing to create the Compound Security Initiative (CSI), a group founded by Compound community members, auditors, and security experts.

We see that security is a crucial part of the protocol, and in the modern DeFi era, it should include several keystones:

  • The security pipeline should be integrated throughout the whole product lifecycle. Real security comes from a dedicated security team, the "blue" team, as in traditional cybersecurity. Obviously, to have diversification, the protocol should have periodic independent audits (that is the contribution of "red" teams), but the core security should come from its own internal "blue" team;
  • So, we believe that the task of the security team is not just auditing, but a full risk-based assessment, continuous cooperation with the development team, implementation of security practices at each stage of the product lifecycle (whether its architecture design stage, development kickoff, intermediate releases, feature review or release curation), development pipeline hardening with security practices - the whole package expected from a "blue" team;
  • We believe that the Compound Foundation should have ownership over this direction. In such a case, the protocol will have a rapid feedback loop with the security team, the security enhancements will have high visibility, the security team will be able to respond directly to the protocol's needs, and the development team will be able to work without interruptions with continuous supervision from the security team.

CSI was already involved in some developments as a security advisor for WOOF! (@woof) team in the form of a “blue” team advisor throughout several Compound enhancements. The proposal reflects the scaling of the tested approach up to the full Compound Security Initiative (CSI), which will secure Compound from all sides of the lifecycle under the Compound Foundation ownership.

General Overview

Team and background

Founding Member: Pavlo Horbonos ( @Midvel )

As an individual, I have over a decade of experience in software development and web3/blockchain development, with half of that focused on web3 security. My professional experience includes building and launching different protocols, and leadership and advising as CTO or Head of Security. I'm focused on in-depth R&D in the web3 space, covering both the technical and risk assessment aspects. Thus, a significant part of my expertise lies in DeFi, with a current focus on lending protocols and risk analysis within the DeFi field.

While keeping an up-to-date overview of the web3 technological and security landscapes, I keep the initiative on knowledge sharing and strengthening the web3 security community, which is reflected in my main media:

[LinkedIn] [X] [Medium]

As a web3 security leader, I built a security team from diverse security researchers and web3 engineers. I'm integrating the red + blue team approach, thus we provide auditing and code assessment services ("red" approach) and advisory and direct integration with the development team on security aspects ("blue" approach), building defence in depth, conducting risk assessment at early stages, and offering continuous support during the lifecycle of the product.

In Q2 2020, I started building the auditing team called Blaize Security. We worked with Mysten Labs, Everstake, Ava Labs, Drosera, E Money Network, 01node, Dusk Network, Allbridge, and a number of other projects, securing them as a security vendor. Part of the public reports can be found here: GitHub - blaize-security/blaize-security-audits: Public security reports

In 2025, my team and I (@Midvel) decided to go our own way, pushing the web3 security initiative on protecting products in the web3 space from all angles - same red+blue team approach but scaled from all sides. Same team, same experience - new targeted initiative.

The team includes a diverse set of security researchers and web3 engineers with qualifications in all modern web3 ecosystems. Skillset includes:

  • Solidity stack for EVM chains (L1s, L2s, Cosmos evmos chains, and other EVM instances)
  • Golang stack and blockchain assessment expertise for geth, evmos, Cosmos SDK and other chain technologies
  • Rust stack for Solana, Polkadot, Casper, and other Rust-based chains
  • C/C++ stack for BTC-family, EOS chains, and other C++ based technologies
  • Move stack for Sui and Aptos
  • Specific stacks for chains like StarkNet, ICP, Kadena, TON, etc.

My team and I have worked for more than 5 years in the web3 security industry, making a long-running security initiative.

Existing Relationship with Compound

Currently, CSI is engaged with @woof as a contractor security advisor for the security advisory and internal audits.

The engagement currently includes:

  • advising on a partial liquidation solution from a security standpoint, with future engagements planned for risk assessment during the modeling phase and internal audit of the implementation;
  • advising on a bytecode repository with version control solution and deployment pipeline improvements from a security standpoint, with a solution review from the security side; with future engagements planned for internal audits;
  • security advising for the Sandbox team, engaging with the developers in a Blue team mode;
  • advising the WOOF! (@woof ) team on the Compound repository and infra improvements;
  • plus, engagements with a few currently unannounced improvements planned for the protocol.

Thus, the team is familiar with the protocol, and I’m actively engaged with the protocol’s codebase and infrastructure.

Relevant Security Partnerships or Clients

Throughout my web3 security journey, I worked with Mysten Labs, Everstake, Ava Labs, 01node, and numerous other projects. Since I'm leading the web3 security initiative, I keep a close connection with security-related projects like CyVers and Drosera, since proactive security is a must-have in the modern age.

Part of the public reports from the period when I led the team at Blaize Security can be found here: GitHub - blaize-security/blaize-security-audits: Public security reports

Section 1: Scope of Security Work

1a) Scope of Services Overview

My team covers all connected services in a red+blue team manner:
  • regular security audit of a release version of the code;
  • cooperation with the development team with the review/audit/assessment of all intermediate releases or separate features;
  • cooperation with the development team on the assessment of the solution and recommendations on its hardening from the security side;
  • risk assessment of the solution;
  • risk assessment of the protocol, modeling of stress situations for the protocol, analysis of the protocol economics;
  • advising the development team, development pipeline strengthening (security best practices, layered defense, active protection tuning, CI/CD strengthening, infra review, etc.);
  • test strategies development, advising on testing practices integration;
  • deployment support and supervision;
  • review of the governance proposals;
  • integration of active security and monitoring/analytics services;

That includes work with certain offchain components as well (bridge relayers, sequencers, workers, offchain components of oracles, etc)

The team is currently not working with pure web2 components, frontend pentests, load testing of web2 infra, and related services.

1b) Multi-Chain Support & Upgrade Expertise

All mentioned networks are supported. The team has experience in crosschain bridge auditing, including projects based on Chainlink CCIP, LayerZero, Wormhole, and others; in multichain deployment reviews for DeFi protocols; and in crosschain operations review and crosschain messaging protocol auditing.

All newly emerged L2s are studied within the team as part of our R&D initiative to extend to every network. Thus, once a new technology/L2/chain emerges, it goes through the R&D team to be added to the expanding list of qualifications.

The role of vCISO in this process is:

  • setting the R&D strategy to have a vision on what technology should be analyzed first and what risks may be met in that direction;
  • continuous education on a risk-based approach to the analysis;
  • supervision over the deployment process;
  • cooperation between the community and the security team: ensuring clear communication of all the work done, offering new practices and instruments, checking on proposals from the community on ecosystem hardening, analysis of offered integrations/tools/enhancements (in cooperation with the necessary specialists);
  • continuous analysis of the state of the system, predicting the needs (from the security standpoint) for modeling/analysis.

Taking the vCISO role in a wider sense:

  • setting the strategy on development pipeline hardening - cooperation with the development team on the adoption of certain testing strategies, integration of additional tools (fuzzers, analyzers, deployment helpers - any that will bring strength to the development), adoption of best practices;
  • assessment of the current state of the protocol - that best practices are followed, that recommendations are applied, that the team is security-oriented;
  • continuous cooperation with the development team on knowledge sharing, a security-oriented approach, and experience sharing, and even educating the team on the security-based approach;
  • risk assessment for the protocol, vision on future threats that the protocol may meet, and thus resolving risks in cooperation with the development team;
  • a link between developers and auditors, which supports and shares the context between them;
  • work with the community and educate it on best practices and safe behavior within the ecosystem;
  • cooperation with the ecosystem projects, ensuring that all projects under the Compound umbrella share the same mindset.

1c) Resource Allocation and Availability

The proposal includes the exclusive dedication of me and my team under the Compound Security Initiative, offering priority within the pipeline, working on an on-demand basis. The Compound Security Initiative can offer a guaranteed allocation of two teams, with the possibility of extension in case of necessity. Plus my own time as vCISO for Compound.

The team will develop a rotation strategy and a knowledge-sharing strategy to prevent any potential bottlenecks. The context will be preserved through a curated knowledge base between the teams, ensuring that no time will be lost during the rotation.

1d) Additional Services or Tools (if any)

The team can additionally:
  • prepare educational resources in the form of articles for the Compound forum
  • participate in community calls
  • evaluate external tools for strengthening the security pipeline and assist in their integration

Section 2: Technical Methodology and Audit Process

2a) Audit Methodology

Our methodology is built around several base points:
  • Risk-based approach. We analyze the protocol within the environment in which it will work. Therefore, within the audit we integrate risk modeling elements to deduce the most likely attack vectors, and that includes economic risk analysis (depending on market conditions, on price movements, on different risk profiles of users, etc.), integration risk analysis (both direct dependencies on 3rd-party protocols and components, and indirect influence within the niche or via shared resources), user-behavior-related risks (human errors, interface usability issues, different approaches from users), and internal risks (incorrect settings combinations, edge cases within regular flows, incorrect interactions between the protocol modules, etc.).
  • Business logic validation. We dissect the project from the business logic perspective, detect all actors (users of different types, different pro-active entities, hidden players, access control of different levels, etc.), all components and modules, and analyze internal flows and interactions between all of them to detect deadlocks, edge cases, substandard behavior, fluctuations in behavior or abnormalities.
  • Line-by-line review. The core of the audit is the review of code by at least 2 auditors, with cross-verification of results to ensure that each line was reviewed. This also includes the use of static analyzers and linters, as well as best practices analyses and possible optimizations in terms of gas usage (or its equivalent), and software optimizations (such as code complexity, readability, and dependency management).
  • Code testability verification. We review the existing test suite coverage in terms of adequacy and completeness. We write our own set of tests to ensure that all code is testable, we conduct an exploratory testing phase (search for edge cases and new hypotheses), we develop PoCs for all high-impact issues, and we provide fuzz testing in case of necessity or by request.

Thus, we ensure that we secure the protocol as a complex system, from the code side, environment side, and business logic side.

2b) Audit Workflow & Deliverables

Scoping and estimation

We require the codebase to make an estimation over it; we avoid blind estimations, as the quotation should include only the services necessary for a particular codebase. The scope for quotation includes only functional files - actual smart contracts and libraries (or equivalents in terms of only functional code of offchain workers, or only functional code from the chain layer, etc.). However, the audit scope also includes review of interfaces, tests, settings, configs and other non-functional items, even if the review is formal. All standard elements and libraries (forked or as 3rd-party dependencies) are always formally compared with the original to ensure that no changes are made.

This stage usually takes up to 24 hrs (1 day in the timeline) depending on the size of the codebase. After that the scope, the necessary team, the budget, the start date and the timeline are set.

Manual stage

We start the audit with the manual stage, which includes the business logic assessment, risk-based assessment, line-by-line review, usage of analyzers, and hypotheses construction. It ends with an intermediate report that contains all issues discovered by that moment, results of the business logic analysis, and a list of hypotheses to be proved during the testing stage. The intermediate report is shared with the customer, so they can start working on fixes.

Testing stage

It is usually run after the initial manual stage, though it can be run in parallel based on the nature of the audit. It includes a review of the existing test suite, development of our own set of tests, PoCs for issues and hypotheses, exploratory testing, and fuzz testing. In the case of complex systems, it also includes integration and end-to-end testing (e.g. fork tests, or deployment on a private network, etc.). All issues discovered during this stage are added to the report and communicated to the customer.

Fixes review and consulting

During the audit, we establish direct communication with the customer. Therefore:

  • all critical issues are communicated immediately, to give more time for their remediation;
  • we have ongoing communication regarding the business logic and substandard behavior;
  • we provide ongoing consulting on the discovered issues and best ways to fix them;
  • we can communicate directly on fixes and their review.

So, right after the manual stage and intermediate report delivery, we can advise and communicate on potential fixes.

Additionally, we work on fixes and consulting until the last issue is resolved. Regardless of whether more issues are discovered, if fixes take longer to deliver, or for any other reason, we always ensure that we deliver a report with all issues communicated and resolved to a common result between the customer and auditors. Thus we have no fixed number of review rounds or fixed timeline for review (as fixes delivery can take more time from the development team) - we work up to the last issue resolved.

Report

The final report is delivered after all stages are finished. It includes:

  • protocol overview section with the description of main actors, components, assets, settings and launch specifics, with certain notes from the business logic analysis stage
  • analysis section with all issues listed. Each issue has a clear description, recommendation and post-audit comment in case of specific actions connected with it
  • additional sections describing the testing stage and existing test suite (if necessary), best practices recommendations, deployment flow specifics, etc.
  • rating section with a clear depiction on how the final rating was calculated.

As for the severity levels, they include:

  • critical issues - direct losses by the protocol or by users, or violation of the protocol’s integrity or availability
  • high-impact issues - same as critical, but with lower likelihood or with additional steps to recreate the issue, or with workaround preventing the issue
  • medium issues - noticeable impact on user flow, protocol internal processes, funds distribution, usability and other aspects
  • low - issues with low likelihood, low impact, or with high gas spending
  • info - unclassified issues connected to sub-standard business logic or implementation decisions, which may lead to high-risk issues, but which depend on the customer’s risk-acceptance level
  • best practices - no-risk recommendations and code improvements

2c) Quality Assurance and Track Record

Over the last five years, my team and I have worked in the web3 security space, conducting over 200 audits that uncovered approximately 150 critical and high-impact issues, which were subsequently mitigated. Notably, no post-audit security breaches were detected following our work.

Section 3: Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure:

At the start of the audit we establish a communication channel with the person responsible for audit results acceptance and keep direct communication throughout the audit. Thus, in case a critical or high-impact issue is discovered, it is immediately reported to that person to develop a common strategy on mitigation and next steps. The issue is never publicly disclosed, unless specifically allowed by the Customer. However, if the issue will be a part of a full report (from a regularly delivered service), it will be publicly disclosed once the report is published.

  • In case a critical issue is found, it is prioritized up to the full resolution plan.
  • Since communication is ongoing, the remediation plan will be developed immediately in cooperation with the client.
  • We also provide a patch design.
  • All communication is held in a messenger of the Customer’s choice.

So, the lifecycle of such an issue is: discovery, immediate communication through the previously established channel, preparation of the recommendation and patch (if necessary), remediation plan preparation together with the customer, and review of the implemented fixes. Public disclosure is not a part of this lifecycle, as it is up to the customer if disclosure should happen immediately or within the regular report.

3b) Incident Response Support:

In case of an exploit, we will:

  • conduct a technical investigation within 24 hrs from the moment of contact to detect the root cause and develop a countermeasure
  • communicate through the previously established communication channel
  • verify the integrity of the protocol after patching
  • supervise the recovery of the protocol’s functions
  • monitor the protocol’s activity after the recovery
  • in case of an exploit, it is prioritized within the company, thus all resources are used throughout the process.

3c) Continuous Monitoring & Threat Detection:

In the monitoring and prevention segment, we previously worked closely with CyVers.

As for the internal solutions, we actively use Tenderly dry-runs and alerts, and solutions based on Prometheus and Grafana (mostly for the chain-level activities). Such a solution is usually based on a custom request from the Customer, thus its specifics (either oracle monitoring, or certain transactions monitoring, or whale activity, or abnormal token transfers) depend on the structure of the request.

Section 4: Commercial Terms and Commitments

4a) Budget Request and Pricing Model:

Shared as a private attachment

4b) Milestones and Performance Metrics:

  • quotation is delivered within 24 hrs after the code is received (up to 48 hrs in case of large codebases)
  • audit start is within a 2-week period from the quotation (1 week under the exclusive conditions for the Compound protocol)
  • intermediate audit report is delivered within the timeline set at the quotation stage

As for the cooperation with Compound, the KPIs may include:

  • activity report by the end of each month
  • development pipeline hardening suggestions delivered on a monthly basis
  • standard features/intermediate patches/minor releases should have audits delivered within 2 weeks of code readiness (at least in the intermediate report state)
  • critical issues triaged within 24 hrs after the discovery
  • bi-weekly participation in forum activities (in the form of suggestions on protocol improvements or best practices improvements)
  • participation in all community calls and governance discussions
  • review or commentary on each RFC or suggestion published on Compound forum

4c) Conflict of Interest Declaration

The CSI is dedicated exclusively to supporting Compound.

4d) Transition and Offboarding Plan

In case of cooperation termination, we will ensure the transfer of the knowledge base within a 30-day period before the end of the 60-day termination period.

Section 5: Service Level Expectations (SLA)

5a) Incident Response

Target response time is within 1 hour, with the aim of resolution within 24 hrs. Escalation, triage, and mitigation processes are incident-dependent, though the initial assessment and research are aimed to be performed within the first 4 hours of the incident, with further actions being incident-dependent.

5b) vCISO Support

Exclusive availability for vCISO support within the same day of the request. I personally will be the DAO’s primary contact.

5c) Governance Proposal Reviews:

Governance proposals can be reviewed within 48 hrs after the request. In case a proposal contains any new and previously unaudited code, that fact should be communicated beforehand, and the new code audit is processed via the regular process.

Urgent reviews are supported within the same day of the request.

5d) Code Audits:

Under the exclusive conditions of cooperation with Compound, the lead time is 1 week.

Final considerations

The goal of the Compound Security Initiative is to provide a 24/7 “blue+red” team approach exclusively for the Compound ecosystem, tailored to its needs, with direct communication with the development team and with services targeted at security across all lifecycle stages.


OpenZeppelin Proposal for SSP to Compound

General Overview

Company Name and background

Founded in 2015, OpenZeppelin is the standard for secure on-chain applications at any scale.

We secure the foundations of the decentralized economy through world-class security services, secure development, and open-source tools. Our mission is to protect the open economy.

OpenZeppelin is embedded across the entire development lifecycle helping teams build with confidence, secure critical infrastructure, and operate safely in production across 30+ networks.

As creators and maintainers of the industry-standard OpenZeppelin Contracts library, our work is relied on by thousands of protocols and developers. We authored and maintain foundational standards like EIP-1271, EIP-1967, EIP-2771, EIP-6093, EIP-6372, EIP-7201, EIP-7751, and EIP-7913, shaping how the ecosystem approaches upgradeability, meta-transactions, token behavior, and protocol governance. We actively engage in Ethereum standardization efforts and collaborate with external contributors to push the ecosystem forward.

OpenZeppelin is a pioneer in security education and applied research. We created Ethernaut, one of the most widely used CTF platforms in blockchain, security best practices content, and research contributions. Our Security Researchers directly shape new technologies through secure architecture guidance and early design reviews with industry pioneers such as Taiko with their based rollup stack,

OpenZeppelin also develops and maintains critical security tooling such as Defender and SafeUtils, used across the industry for upgrade safety, monitoring, and operational security.

Existing Relationship with Compound

OpenZeppelin has provided security services to Compound since 2019 and served the Compound DAO as its primary security partner since 2021. Our multi-year collaboration has resulted in a foundational understanding of Compound’s evolving architecture, operational workflows, and security posture. OpenZeppelin has audited Compound V2 and V3 markets, governance mechanisms, cross-chain bridges, multi-chain deployment migrations, and governance proposals.

We operate not merely as auditors, but as an integrated security function for the protocol, offering comprehensive and continuous support across audits, governance, incident response, and strategic guidance. This proven, proactive model is instrumental in fortifying the protocol, preventing critical exploits, and enabling Compound’s growth. As Compound looks to the future, OpenZeppelin is uniquely positioned to provide the agile, expert, and context-aware security services required to support its most ambitious initiatives.

Relevant Security Partnerships and clients

OpenZeppelin’s Security Research team possesses extensive experience in DeFi security, having secured some of the most prominent projects in the space, including Compound, Uniswap, Aave, Ava Labs, Arbitrum, Optimism, Matterlabs, Euler, Linea, Lido, 1inch, TheGraph, Scroll, Across/UMA, Ethereum Foundation, Venus, Lombard, Radiant, Origin, Morpho, Mantle, Worldcoin, Sandbox, and Synthetix. Our track record includes over 700 audits and over 8000 total issues identified, including over 400 Critical and High vulnerabilities.

Section 1: Scope of Security Work

To ensure seamless coordination and clear accountability, OpenZeppelin delivers all services through a unified in-house team. This integrated structure enables efficient execution, consistent quality, and streamlined communication across all engagements, particularly important during time-sensitive processes, incident response, or protocol upgrades.

1a) Scope of Security Services

OpenZeppelin will provide comprehensive security coverage to the Compound DAO across auditing, proposal reviews, advisory, monitoring, and incident response, among others. This includes:

Audit Services

  • Code Reviews: Contract audits, migration reviews, and audit-readiness evaluations of on-chain and off-chain code in Solidity, TypeScript, Rust, Go, and additional languages as needed for Compound protocol and infrastructure changes, including new versions, Grants Program projects, treasury operations, and contracts used by governance proposals

  • Proposal Reviews: Security assessment of all governance proposals; formal reports are delivered when issues are identified

  • Asset & Network Evaluation: Token assessments for new borrowable and collateral assets; network assessments for new network deployments

Monitoring and Automation Development

OpenZeppelin provides comprehensive 24/7 monitoring across Compound’s multi-chain deployment, with automated alerting and response capabilities designed to detect and mitigate threats before they materialize. Specifically, we will monitor for:

  • Governance Events: Alerts for new proposals, voting activity, and proposal queueing/bridging/execution; automated proposal queueing and execution

  • Market Activity: Transaction monitoring and digests per market across multiple networks

  • Security Alerts: Voting power accumulation tracking, price feed anomaly detection, community multisig transaction monitoring

Advisory Services

  • vCISO: Strategic security leadership via a virtual CISO, available on-call during security incidents and for scheduled sessions (1 business day in advance).

  • Incident Response Commander: Act as Incident Commander during active security incidents, directing technical operations and incident handling. Support public communications to ensure clarity, transparency, and effective user messaging.

  • Governance Security: Governance safeguards, decentralization enhancements, and security council formation/operations

  • Operational Security: Key management training, deployment protocols, and treasury delegation. In the last few years, operational security (OpSec) incidents have been responsible for many of the largest losses in the ecosystem. Our advisory team supports key contributors and Foundation members with best practices for secure multisig operations, key management hygiene, social engineering resistance, and device hardening. We also offer personalized onboarding sessions and materials for high-value governance participants.

  • Development advisory and security: We work with protocol engineers and implementation vendors to advise on secure development practices. This includes lightweight code reviews, threat modeling, economic design input, and audit readiness preparation.

1b) Multi-chain Support & Upgrade Expertise

OpenZeppelin pioneered smart contract upgradeability in Ethereum, creating the transparent proxy pattern and authoring EIP-1967 and EIP-7201, now widely adopted as the standard for secure upgrades across the ecosystem.

OpenZeppelin has been a pivotal security partner for Compound, conducting over 75 security audits, identifying over 395 issues across the board, and playing a central role in the evolution from Compound V2 to Compound V3.

We bring significant value to Compound through:

  • Extensive Multi-chain experience: We have supported Compound V3’s expansion across multiple blockchain networks, providing security audits and advisory services across both Layer 1 and Layer 2 chains such as Ronin, Unichain, Mantle, Scroll, Linea, Morpho, Optimism, and Polygon. Our efforts have focused on safeguarding critical components like the compatibility of Comet lending markets and ensuring the secure deployment and operational readiness of governance modules, bridge receivers, and community multi-sig infrastructure, showcasing deep expertise in mitigating multi-chain and cross-chain risks. Alongside supporting Compound V3 deployments, we bring extensive experience collaborating with leading multi-chain ecosystems, offering a strong advantage through in-depth knowledge of protocols such as Linea, Arbitrum, Optimism, Mantle, and Scroll for future market deployments and protocol upgrades.

  • Layer 2 and Emerging Chain Expertise: Our Security Research team remains deeply engaged with the latest advancements in emerging Layer 2s by actively collaborating with leading L2 builders such as Scroll, Linea, Matter Labs, and Taiko. Our Security Research team has delivered over 70 audits across emerging L2s, identifying 750+ vulnerabilities, and collaborating directly with protocol teams to co-design foundational infrastructure like Arbitrum’s Stylus Library and Taiko’s Based Rollup stack. We have also been a long-term security partner for Matter Labs, providing multiple security audits and advisory services, which helped the team accelerate mainnet readiness by 40%.

  • Proven Track record in Secure Upgrade Mechanisms: With a strong track record in establishing standardized approaches and securing major protocol upgrades, such as zkSync’s Layer 2 upgrade system and State Transition and The Graph’s Horizon governance enhancement (Governance, Rewards Manager), we bring robust technical depth and strategic alignment to any evolving deployment landscape.

  • vCISO Involvement in Operational Security: OpenZeppelin offers a virtual CISO, available for scheduled advisory sessions and during critical incidents. This dedicated resource provides strategic security guidance with 1-business-day advance scheduling for routine matters and prompt responses for security incidents.

The vCISO bridges technical audits with practical implementation, helping teams translate security findings into actionable deployment steps. Key activities include consulting contributors on design and implementation choices, developing security policies and operational runbooks, providing pre-submission feedback on governance proposals, and coordinating security requirements across contributor teams.

This advisory role ensures security considerations shape Compound’s decisions during design and planning phases, not just through post-implementation audits.

1c) Resource Allocation and Availability

Allocation and Availability

For each scope, OpenZeppelin assigns dedicated researchers supported by our core team:

  • Two full-time Blockchain Security Researchers exclusively dedicated to Compound
  • One Security Research Manager (formerly a Lead Blockchain Security Researcher) to support the assigned Security Researchers and ensure quality standards are maintained
  • One Project Manager who coordinates communications, scoping, estimation, schedule, and delivery
  • One vCISO who provides oversight and context to coordinate all Compound scopes

Execution

New for 2025-2026: We introduce a dual-path service structure that delivers maximum security value for Compound. This scalable model, combined with Foundation-directed prioritization, ensures urgent work receives swift attention while scheduled scopes maintain predictable delivery, all with a reduced investment.

Priority Queue: The dedicated team of three researchers, two active plus one on standby for continuity during absences, handles time-sensitive work in priority order: incidents, governance proposal reviews, estimates, and other Foundation-prioritized items. This exclusive allocation ensures prompt response capacity for urgent and short-notice requests.

Scheduled Scopes: Additional teams, not already allocated to Compound, are assigned to scopes upon scheduling. This separation enables parallel execution of multiple scopes and urgent reviews without delays. Scheduled scopes offer strict time-bound delivery with protected resources isolated from Priority Queue demands. Estimated scopes can be scheduled for future execution, with timeline and team size based on estimated effort, scope parallelizability, and researcher availability.

Scheduled scopes are delivered within strict time bounds, with protected resources isolated from Priority Queue demands, although in the absence of those, Priority Queue resources might be flexibly allocated to Scheduled Scopes in the described terms.

Staggered quarterly rotations for security researchers ensure knowledge transfer and inject fresh security insights from across the industry. Additionally, this structure enables Compound to execute multiple scopes in parallel while maintaining responsiveness for urgent reviews and minimizing delays while also ensuring predictable delivery timelines without resource conflicts.

1d) Additional Services or Tools Offerings

OpenZeppelin will maintain protocol monitoring that alerts the community through the Compound Discord Server. Researchers will use proprietary tools for static analysis, advanced testing, cross-chain simulations, and report generation to expedite delivery.

Additional Services

  • Design Reviews: Early-stage evaluations of protocol and system architecture to identify security risks before implementation.

  • Dapp/web audits: Security assessments of frontend applications and web integrations interacting with protocol infrastructure

  • Penetration Testing: Evaluates the security controls of applications and infrastructure using the same tactics, techniques and procedures that attackers may use to identify and exploit vulnerabilities. The objective of testing is to identify vulnerabilities and deviations from security best practices that can result in unauthorized access and compromise of sensitive data or systems.

  • Applied Research: Collaboration with development vendors on security-focused research into novel protocol mechanisms, economic models, and system interactions to design standards tailored to Compound’s architecture and evolution, enabling the secure adoption of new technologies and features.

Tools

  • DAO proposals automated analysis and simulations: A proprietary internal tool that collects proposal payloads, identifies interacting contracts, runs simulations, and surfaces output changes for deeper investigation, and to evaluate effects and identify risk prior to execution

  • DAO funds tracking: A proprietary cross-chain tool to track DAO asset flows, helping identify, categorize, and recover funds when needed

Section 2: Technical Methodology and Audit Process

2a) Audit Methodology

Manual Review & Coverage

Security researchers perform an independent line-by-line review of all in-scope code, eliminating blind spots through dual verification. We leverage extensive knowledge bases covering collateralized lending, DeFi protocols, standards (ERCs), oracles, common vulnerabilities, and documented exploits, plus deep Compound-specific institutional knowledge developed since 2019.

Audit Tooling Stack

  • Static analysis: Proprietary scanner + Slither for visualization

  • Dynamic testing: Custom Compound fuzzing framework, Foundry/Echidna/Medusa

  • Invariant testing frameworks

  • LLM-enhanced workflow: Isolated code path analysis with custom prompts, all findings human-verified

Non-Code Risk Identification

  • Governance attacks: Voting power concentration, proposal manipulation vectors

  • Economic attacks: Liquidation cascades, oracle manipulation, MEV exploitation

  • Game theory analysis: Incentive misalignment, rational actor exploitation

  • Cross-chain risks: Bridge vulnerabilities, message passing attacks

Specialized Domain Coverage

We engage cryptographers for ZK systems, infrastructure experts for node/network layers, and economic modelers for complex DeFi mechanisms. Multi-language capabilities include Solidity, Rust, and Go, with proven L1/L2 experience across all Compound deployment networks.

Full Coverage Assurance

Comprehensive vulnerability checklist covering logic errors, edge cases, DoS vectors, flash-loan attacks, upgradeability risks, privileged roles, fund security, oracle integrity, and standards compliance. Out-of-scope dependencies verified for proper integration.

2b) Audit Workflow and Deliverables

Pre-audit

Order of Operations:
  1. Scope Submission (80% Complete): Developer submits scope estimated to be 80% code complete with codebase access

  2. Estimate Authorization: Foundation provides written authorization to proceed with estimation

  3. Estimate Scheduling: In the absence of security incidents or governance proposals, audit estimates are queued and completed in order of priority or order received. Audit estimates can be scheduled to eliminate potential delays

  4. Scope Confirmation: Parties confirm scope alignment

  5. Pre-Audit Deliverable: OpenZeppelin delivers either an effort estimate with proposed schedule or an audit-readiness report

  6. Audit Scheduling: Upon acceptance of the proposed date, the audit is scheduled and resources are allocated

  7. Final Scope Submission (100% Complete): Developer submits completed code

  8. Scope Finalization: OpenZeppelin validates final scope fits within estimated duration and confirms frozen commit hash

Scope Completeness

The 80% completion estimate is provided by the developers as a guideline. Before the audit begins, the code should be feature-complete, with no major functionality missing, include basic documentation, compile successfully, and have reasonable test coverage to support effective review.

Audit-Readiness Determination

OpenZeppelin may deliver an audit-readiness report instead of proceeding with a full audit if the code is clearly not close to completion, if fundamental design issues should be addressed to optimize development and audit efforts, or if the volume and severity of findings indicate low quality or an incomplete scope. In these cases, we may additionally recommend a design review to help guide next iterations of the code.

Scope Changes

If, during final scope validation, the code appears less complete than initially expected, we may adjust the audit schedule based on revised effort estimates and auditor availability. Mid-audit code changes are typically out of scope, though we may include them if they can be reviewed without affecting the planned timeline or if OpenZeppelin deems it reasonable to include them without compromising security or quality.

Timing

Estimated completion timelines for unscheduled scopes depend on their complexity and the presence of higher-priority work. Governance proposals and incident response take precedence. For more detail, see the SLAs outlined in Section 5.

Audit

Order of Operations:

  1. Kickoff Call (Optional): Technical discussion between auditors and development team within first 2 days

  2. Audit Execution: Two researchers perform line-by-line code review following OpenZeppelin methodology

  3. Technical Queries: Auditors request clarification on design decisions and implementation details as needed

  4. Critical Issue Disclosure: Any high or critical severity findings shared immediately via private channel

  5. Progress Updates: Weekly status published to forum

  6. Initial Report Delivery: Comprehensive findings delivered via OpenZeppelin Audit Module, PDF (optionally encrypted), or Markdown format

  7. Audit Adjustments: OpenZeppelin may pivot to an audit-readiness report if code quality issues prevent meaningful security assessment. Audits may be cancelled and rescheduled if frozen commit changes impact review schedule.

  8. Communication Protocol: Technical questions require response within 1 business day to maintain schedule. Delayed responses may impact audit completion timeline. Critical findings for live code trigger immediate escalation to Head of Security Research and scope submitter.

Fix Review

Order of Operations:

  1. Fix Submission: Developer addresses findings within agreed timeline (typically 1 week)

  2. Fix Format: One pull request per issue containing only changes addressing that specific finding with comments to include in the final report

  3. Auditor Review: Original auditors verify each fix properly addresses the vulnerability

  4. Status Assignment: Each issue marked as Resolved, Partially Resolved, Acknowledged, or Not Resolved

  5. New Issue Identification: Any vulnerabilities introduced by fixes are documented

  6. Final Delivery: Finalized reports are delivered to the contributor and published to the forum as long as it doesn’t expose live vulnerabilities.

  7. Fix Review Adjustments: Changes outside the scope of initial report issues or otherwise substantial changes that require reviewing more than 10% of the resulting codebase trigger publication of initial report and scheduling of new incremental audit. Fixes must not squash or rebase commits to maintain audit trail integrity. Late fix submissions may result in abbreviated review focusing only on critical and high severity resolutions.

  8. Developer Requirements: Each fix may have an accompanying explanation of approach taken. Acknowledged issues are expected to include rationale for accepting risk. Test cases demonstrating fix effectiveness are expected for high and critical issues.

Report Finalization

Publication Timeline: Final reports are shared on the Compound forum within 5 business days of completing the fix review. If fixes are not submitted, the initial report is published 2 weeks after delivery to ensure transparency. In urgent cases, such as when a scope is up for a governance vote or already integrated, reports are published immediately.

Report Contents: Reports include clear descriptions of all findings with severity ratings, developer responses and explanations, and the resolution status of each issue. A transparent audit trail of interactions between developers and reviewers is also provided. Reports link to relevant commits and pull requests and are written to be accessible to both technical and non-technical readers.

Post-Publication: After publication, OpenZeppelin actively monitors forum discussions to help address community questions. If any clarifications or corrections are needed, they are appended directly in the forum thread.

2c) Quality Assurance and Track Record

Specific to Compound, the following four critical incidents we prevented during our last term as the DAO security provider demonstrate the tangible value of early detection:

Beyond Compound, our team has identified and responsibly disclosed several other critical vulnerabilities, such as:

  • $15B at risk - Convex Finance vulnerability: uncovered a critical vulnerability in the Convex Finance protocol that put approximately $15 billion in user funds at risk. OpenZeppelin coordinated a cautious response, ultimately resolving the issue by involving publicly known parties in the multisig and working with Convex to patch the bug without triggering a crisis or loss of funds.

  • Live vulnerability discovery in ticketing system used at EthCC: uncovered a vulnerability that would have made it possible to skip payment for event tickets.

  • Backdooring Gnosis Safe Multisig wallets: Critical vulnerability discovered in Gnosis Safe Multisig deployments that allowed attackers to silently backdoor wallets and gain full control of funds.

These documented incidents represent a small sample of the losses we prevent, avoiding substantially higher costs of post-incident response, reputational damage, and threats to protocol integrity.


Section 3: Risk Management and Incident Response

3a) Vulnerability Triage and Disclosure

OpenZeppelin employs a robust protocol for handling vulnerabilities, adapting our response based on whether a vulnerability affects live code and whether the exploit is actively occurring or not.

Vulnerability Discovered in Audits (Not Actively Exploited)

This protocol applies when a vulnerability is identified during an audit or review, and there’s no indication of active exploitation.

  1. Upon discovery of a potential vulnerability during an audit, OpenZeppelin’s security researchers immediately assess its severity and whether it affects live code or not.
  2. High/Critical vulnerability affecting live code:
    1. Rapid Internal Triage & Escalation: If deemed Critical or High severity and affecting live code, the issue is immediately escalated internally to the Head of Security Research for rapid triage and validation.
    2. Immediate Confidential Disclosure: OpenZeppelin immediately shares confirmed Critical/High findings through private, secure channels with the stakeholders, prioritizing collaborative resolution.
    3. Emergency Mitigation Actions: Emergency mitigations (e.g., pausing contracts) are discussed with stakeholders and are either prepared or directly executed if the likelihood of exploitation and damage is not negligible.
    4. Prioritization of Severe Vulnerability: Where deemed necessary, all other work might be re-prioritized and resources reallocated to address the issue.
    5. Remediation Plan & Patch Audit: OpenZeppelin collaborates with stakeholders to design and develop a remediation plan. Once a fix is implemented, a dedicated patch audit and verification are conducted to ensure the vulnerability is fully addressed. This process iterates until the fix is deployed and verified.
    6. Coordinated Public Disclosure: After the fix is deployed and verified, a coordinated public disclosure is made, including a post-mortem analysis and security advisories to inform the broader community.
  3. Vulnerabilities not affecting live code:
    1. Standard Reporting: For issues which are not live, the audit workflow continues, and the issue is tracked internally. High or critical issues might be reported early to the development team for quicker resolution while the audit continues according to its schedule.
    2. Report to Compound Team: The final findings are reported to the Compound team through standard communication channels.
    3. Scheduled Remediation: Remediation for these vulnerabilities is scheduled within the standard development cycle, allowing for planned implementation and review.

Vulnerability Detected (Actively Exploited)

This protocol is activated when continuous monitoring, other threat detection mechanisms or third party notifications identify an actively exploited vulnerability.

  1. Live Exploit Detection & Notification: Continuous monitoring systems (e.g., OpenZeppelin Defender, Forta) detect on-chain activity or anomalies indicative of a live exploit. Alerts are immediately triggered and sent to OpenZeppelin’s internal teams and Compound’s designated contacts (Slack, Discord, PagerDuty, etc.).
  2. Rapid Identification & Escalation: OpenZeppelin security researchers and incident response specialists rapidly identify the nature of the exploit and immediately escalate the incident.
  3. Technical Investigation & Root Cause Analysis: A thorough technical investigation is launched to understand the exploit’s mechanics, identify the root cause, and assess the extent of its impact.
  4. Security Council Coordination: OpenZeppelin coordinates closely with the Compound Foundation, key contributors, and potentially whitehat security researchers to form an ad-hoc security council.
  5. Emergency Mitigation Actions: Immediate emergency mitigation actions are advised and, where applicable, directed (e.g., pausing affected contracts, freezing funds).
  6. Recovery & Damage Control Advice: OpenZeppelin provides expert advice on recovery strategies and damage control to minimize further impact and secure affected assets.
  7. Post-Incident Review & Lessons Learned: Following resolution, a comprehensive post-incident review is conducted to analyze the incident, identify lessons learned, and implement measures to prevent similar occurrences in the future.

Preventive Measures & Continuous Improvement (Applicable to Both Scenarios)

Preventive Measures

Our audit planning strategically focuses on critical integration points and historically risky components. Auditors are meticulously matched to engagements based on their domain expertise, and client test coverage and documentation are assessed upfront. Our knowledge base is continuously updated with insights from past incidents.

Continuous Improvement

Formal post-mortems are conducted for any high/critical issues that may have been missed, driving tooling updates (e.g., new static analysis rules, methodology changes). Cross-team knowledge sharing through regular meetings and documentation ensures collective learning, and client feedback is consistently integrated into our future security approaches.

Expected Timelines

Live critical or high severity vulnerabilities, whether discovered during audit or not, receive immediate triage with emergency mitigation measures initiated within hours. We collaboratively develop remediation plans, providing both immediate protective measures and permanent fix recommendations with subsequent patch audit verification.

Secure Communication

Private channels are established with the Compound Multisig and Foundation for sensitive disclosures, ensuring urgency and discretion throughout the vulnerability lifecycle, from discovery to public disclosure post-resolution.

3b) Incident Response Support

Our team of experienced professionals will work closely with stakeholders to provide timely and effective recommendations to help navigate through an incident and mitigate the impact on related systems and operations. OpenZeppelin will take the role of Incident Commander during an active incident and direct the operations and incident response process throughout the incident. We’ll also help Compound navigate the public communications process to ensure that your users are kept informed and public messaging is clear and effective.

3c) Continuous Monitoring and Threat Detection

OpenZeppelin provides comprehensive 24/7 monitoring across Compound’s multi-chain deployment, with automated alerting and response capabilities designed to detect and mitigate threats before they materialize.

Monitoring Infrastructure

Our monitoring stack currently leverages OpenZeppelin Defender to continuously track smart contract activity across an expanding number of markets and networks. Alerts route through multiple channels including Discord for community awareness and Slack, webhooks, and PagerDuty integration for internal notifications. Internal Datadog dashboards provide real-time visibility on the health of the monitoring and automation system.

Detection Capabilities

Market Activity Monitoring: Transaction-level tracking of borrows, withdrawals, supplies, and liquidations across all Compound deployments. Positions involved in transactions are analyzed and net impact is summarized in alerts including notation of relatively large position changes or whale activity. Liquidatable position detection identifies accounts approaching insolvency before liquidation occurs.

Governance Surveillance: New proposal detection with automated decoding of calldata and simulation of execution outcomes. Voting power tracking identifies sudden delegation changes or voting power accumulation approaching proposal/quorum thresholds. Status alerts for pending proposals share vote tallies regularly. Cross-chain proposal monitoring ensures synchronized tracking of bridged governance actions.

Oracle and Price Feed Monitoring: Anomaly detection for price deviations is available for price feeds with fallback mechanisms.

Multisig Operations: Community Multisig transaction monitoring for owner changes, Pause Guardian assignments, and parameter modifications increases transparency and accountability for privileged actions by trusted delegates.

Security-Critical Events: Signature-based detection of leading threat indicators identifies potential transactions that upgrade or pause market assets, consolidate voting power to meet thresholds for proposing and quorum, and execute privileged actions on protocol contracts.

Automated Response Systems

Governance Automation: Mainnet proposal queuing and execution when timelock period expires. L2 proposal execution of queued proposals on L2 networks. Failed simulation and execution retry logic with escalation to manual intervention.

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model

This section was submitted privately to the Compound Foundation.

4b) Milestones and Performance Metrics

This section was submitted privately to the Compound Foundation.

4c) Conflict of Interest Resolution

OpenZeppelin confirms that the company currently works with other clients in the same or adjacent domains as Compound, including some who may be considered protocol forks or direct competitors. Although this is a common aspect of the blockchain space due to its permissionless ethos and open source structure, we approach each client engagement with strict adherence to confidentiality, integrity, and professional responsibility.

To mitigate any conflicts of interest and ensure the protection of client confidential information, we implement the following safeguards:

  • Contractual Agreements: OpenZeppelin enters into contractual agreements with all clients containing terms tailored to the nature of the services, which include confidentiality obligations.

  • Confidentiality Agreements: All OpenZeppelin team members are bound by confidentiality agreements, which are bolstered by a strong internal compliance function that ensures all staff members understand their obligations and how to meet them.

  • Policies Addressing Conflicts of Interest: OpenZeppelin’s Code of Conduct and Market Integrity Policy address conflicts of interest and provide rules and guidance on how to identify, prevent, and manage conflicts of interest appropriately.

  • Internal Security Program: OpenZeppelin has established its organizational security program aligned with SOC 2 to protect sensitive data and information. OpenZeppelin’s security program is audited by an independent firm on an annual basis. For more information regarding our security program and particular data protection controls, please see our Trust Center.

  • Insurance: OpenZeppelin maintains comprehensive insurance coverage, including cyber insurance and E&O insurance.

Given the critical nature of OpenZeppelin’s security services, we take our obligations seriously and are committed to handling any actual or perceived conflicts with transparency and diligence.

4d) Transition and Offboarding Plan

OpenZeppelin acknowledges the DAO’s current right to terminate with 60-day notice and commits to ensuring continuity during any such 60-day transition period following notice of termination.

Existing Public Record: Our Compound security work is already publicly documented through audit reports, quarterly forum updates, published security advisories, and governance proposal reviews. This comprehensive public record minimizes the knowledge transfer necessary for any successor to accept responsibility and complete their earliest accepted scopes.

Transition Coordination: Upon identification of a successor, we will schedule coordination meetings to establish clear handover dates for: new scheduled scopes with their estimates, governance proposal review responsibilities, short-notice security requests, monitoring, incident response, and any remaining queued scopes. We will work directly with the incoming provider to agree on specific transition dates for each service area. Any accounts currently managed will be transitioned to the Foundation or successor as needed, including the transfer of all associated financial responsibilities and updating of billing information to reflect the new account holder.

Transition Commitments: During the 60-day period, we will complete any in-progress scopes to avoid security gaps, maintain full security services until the final day, and remain available upon request to answer questions. We will publish a brief final update summarizing the status of all transferred responsibilities and provide direct contact information for any post-transition clarifications.

Section 5: Service Level Expectations (SLA)

This section was submitted privately to the Foundation.

Section 6: Final Considerations

We appreciate the Compound community’s time and consideration of this proposal, and we remain committed to supporting the protocol’s continued growth and security.

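As an added illustration of the detection logic described under "Detection Capabilities" in the proposal above (whale activity, liquidatable-position detection, voting power accumulating toward proposal or quorum thresholds, and primary-versus-fallback price feed deviation), here is a constructed, self-contained Python sketch. It is example code written for this page, not OpenZeppelin's monitoring code, not Compound's, and not tied to Defender or any real alert channel; the event shapes, thresholds, collateral factor and sample events are all assumptions made for the example.

```python
"""Constructed sketch of protocol-monitoring detectors (example, not production code)."""
from dataclasses import dataclass, field

# Illustrative thresholds; all of these are assumptions for the example.
WHALE_USD = 1_000_000        # single position change that counts as whale activity
HEALTH_WARN = 1.10           # warn when borrowing capacity / debt falls below this
PROPOSAL_THRESHOLD = 25_000  # votes needed to create a proposal (example value)
QUORUM = 400_000             # votes needed for quorum (example value)
APPROACH_RATIO = 0.9         # alert once a delegate holds 90% of a threshold
SUDDEN_DELEGATION = 20_000   # single delegation move large enough to flag
PRICE_DEVIATION = 0.02       # primary vs fallback feed divergence that triggers an alert


@dataclass
class Position:
    collateral_usd: float = 0.0
    borrow_usd: float = 0.0
    collateral_factor: float = 0.8  # assumed fraction of collateral that can back debt

    def health(self) -> float:
        """Borrowing capacity divided by debt; below 1.0 the account is liquidatable."""
        if self.borrow_usd <= 0:
            return float("inf")
        return (self.collateral_usd * self.collateral_factor) / self.borrow_usd


@dataclass
class MonitorState:
    positions: dict = field(default_factory=dict)  # account -> Position
    votes: dict = field(default_factory=dict)      # delegate -> current voting power


def check_market_event(state, ev):
    """Apply a supply/withdraw/borrow/repay/liquidation event and return alerts."""
    alerts = []
    pos = state.positions.setdefault(ev["account"], Position())
    kind, amt = ev["type"], ev["amount_usd"]
    if kind == "supply":
        pos.collateral_usd += amt
    elif kind == "withdraw":
        pos.collateral_usd -= amt
    elif kind == "borrow":
        pos.borrow_usd += amt
    elif kind == "repay":
        pos.borrow_usd -= amt
    elif kind == "liquidation":
        # Liquidator repays debt and seizes collateral plus an assumed incentive.
        pos.borrow_usd -= amt
        pos.collateral_usd -= amt * (1 + ev.get("incentive", 0.08))
    if amt >= WHALE_USD:
        alerts.append(f"WHALE {kind} {ev['account']} ${amt:,.0f}")
    h = pos.health()
    if h < 1.0:
        alerts.append(f"LIQUIDATABLE {ev['account']} health={h:.2f}")
    elif h < HEALTH_WARN:
        alerts.append(f"NEAR_LIQUIDATION {ev['account']} health={h:.2f}")
    return alerts


def check_vote_event(state, ev):
    """Track delegate voting power; flag sudden shifts and approach to thresholds."""
    alerts = []
    prev = state.votes.get(ev["delegate"], 0)
    new = ev["new_votes"]
    state.votes[ev["delegate"]] = new
    if abs(new - prev) >= SUDDEN_DELEGATION:
        alerts.append(f"DELEGATION_SHIFT {ev['delegate']} {new - prev:+,} votes")
    for name, threshold in (("PROPOSAL_THRESHOLD", PROPOSAL_THRESHOLD), ("QUORUM", QUORUM)):
        watch_line = APPROACH_RATIO * threshold
        if prev < watch_line <= new:  # fire once, on the crossing
            alerts.append(f"VOTING_POWER {ev['delegate']} crossed {name} watch line ({new:,} votes)")
    return alerts


def check_price_event(ev):
    """Flag a primary price feed that diverges from its fallback feed."""
    dev = abs(ev["primary"] - ev["fallback"]) / ev["fallback"]
    if dev > PRICE_DEVIATION:
        return [f"PRICE_DEVIATION {ev['asset']} {dev:.1%} between primary and fallback"]
    return []


def run_detectors(events, state=None):
    """Feed a stream of decoded events through the detectors and collect alerts."""
    state = MonitorState() if state is None else state
    alerts = []
    for ev in events:
        if ev["type"] == "delegate_votes_changed":
            alerts.extend(check_vote_event(state, ev))
        elif ev["type"] == "price":
            alerts.extend(check_price_event(ev))
        else:
            alerts.extend(check_market_event(state, ev))
    return alerts


# Constructed sample event stream (addresses and values are made up for the example).
SAMPLE_EVENTS = [
    {"type": "supply", "account": "0xAAA", "amount_usd": 2_000_000},
    {"type": "borrow", "account": "0xAAA", "amount_usd": 1_500_000},
    {"type": "withdraw", "account": "0xAAA", "amount_usd": 200_000},
    {"type": "supply", "account": "0xBBB", "amount_usd": 50_000},
    {"type": "delegate_votes_changed", "delegate": "0xDDD", "new_votes": 10_000},
    {"type": "delegate_votes_changed", "delegate": "0xDDD", "new_votes": 24_000},
    {"type": "delegate_votes_changed", "delegate": "0xEEE", "new_votes": 380_000},
    {"type": "price", "asset": "USDC", "primary": 1.0, "fallback": 1.001},
    {"type": "price", "asset": "ETH", "primary": 3000.0, "fallback": 3100.0},
]

if __name__ == "__main__":
    for line in run_detectors(SAMPLE_EVENTS):
        print(line)
```

Each detector is stateful only where the proposal's description needs it: position health is recomputed after every market event so an account is flagged as it approaches insolvency rather than only at liquidation, and voting-power alerts fire on the crossing of a watch line rather than on every update, which keeps a delegate that sits just above a threshold from paging responders repeatedly.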

[Post 1/3]

Quantstamp + HyperNative + ZeroShadow Security Assessment and Partnership Proposal for Compound

Executive Summary

Today, we propose the creation of the Compound Security Trusted Council, known as COSTCO, a joint collaboration between zeroShadow, Hypernative, and Quantstamp.

COSTCO combines the strengths of these three security companies to provide a comprehensive security framework for the Compound protocol. The benefits of a joint collaboration are manifold. By uniting diverse perspectives under a shared goal, this approach creates a more cohesive and strategic framework for safeguarding the Compound protocol. It also introduces stronger safeguards against conflicts of interest by ensuring that the designated vCISO from Quantstamp remains accountable to externally aligned parties and the broader interests of the DAO.

The proposed responsibilities of each of the companies are highly complementary:

  1. Quantstamp’s smart-contract audits and vCISO governance ensure secure-by-design practices before code deployment.
  2. Hypernative takes over in production, analyzing on- and off-chain signals through its machine-learning engine to detect exploits and market manipulations in real time, often minutes before the first malicious transaction can settle.
  3. In case of real world incidents, zeroShadow’s 24/7/365 incident-response unit mobilises immediately, containing damage, orchestrating communications, and pursuing asset recovery.

Beyond emergencies, zeroShadow and Hypernative are a core part of COSTCO, helping to drive proactive security decisions, ensuring the contracts and the protocol are well-positioned to address a broad range of risks.

Crucially, these capabilities are linked in a continuous feedback loop: Quantstamp’s audit findings mitigate attack vectors and seed Hypernative’s detection rules; while Hypernative’s telemetry guides zeroShadow’s playbooks.

COSTCO would work very closely with the Compound Foundation, but also very transparently with the Compound community. Together, this collaboration transforms three standalone services into an integrated security fabric, empowering Compound to scale innovation and governance with confidence that every layer of the protocol is protected.

An overview of the proposal can be found here.

About Quantstamp

Quantstamp is a global leader in blockchain security, on a mission to secure the future of web3. Since 2017, we have performed over 1,100 audits across 25+ programming languages and 50+ ecosystems, securing more than $200 billion in digital asset risk from malicious actors. Our global team of security professionals has worked with many of the top protocols and organizations in the space, including Maker, Compound, Polygon, Arbitrum, Sandbox, and Circle, while also serving as trusted advisors to startups, enterprises, governments, and NGOs. Beyond audits, Quantstamp contributes to the long-term growth of the ecosystem through strategic investments and hands-on support for scaling projects.

Our technical team includes Ph.D. graduates in computer science and mathematics with deep expertise in formal methods, information security, and secure systems design. Their backgrounds enable them to thoroughly analyze complex algorithms and intervene in mission-critical scenarios. With a strong track record of developing security tools and publishing peer-reviewed research, the team has secured infrastructure for leading networks like Ethereum 2.0, Solana, BNB Chain, Avalanche, Mantle, and TON. Notable partners and clients include Visa, 1inch, Ethena, Blockdaemon, Trust Wallet, and Pantera. All publicly available audit reports can be found on our certificates website.

About Hypernative

Hypernative offers the most advanced ML-driven threat detection platform in Web3, capable of real-time, pre-transaction monitoring across 300+ exploit and anomaly vectors. For the Compound team, this enables proactive defense across governance, treasury, and protocol layers, protecting DAO operations and assets.

Hypernative is the industry leader in pre-transaction threat prevention, monitoring over $100B in digital assets and protecting 200+ customers across 60+ chains.

About zeroShadow

zeroShadow is a Web3-native security and Incident Response firm specializing in both proactive defense and real-time threat containment. As the operational layer paired with smart contract monitoring platforms, zeroShadow not only responds to active threats but also helps teams harden systems, tune detection logic, and reduce attack surface before incidents occur.

With over 150 customers, 350+ security incidents handled, and more than $250M in assets frozen or recovered, zeroShadow is a trusted response partner for DAOs, protocols, and exchanges. Our team combines deep blockchain expertise with hands-on experience across some of Web3’s most complex breaches, ensuring threats don’t just get flagged, they get prevented, contained, and resolved.

Existing Relationship with Compound

Quantstamp has a long-standing relationship with Compound, having performed multiple audits for the protocol. In 2020, Quantstamp conducted a comprehensive audit of Compound’s core smart contracts. That same year, Quantstamp collaborated with Gauntlet to review proposed updates to Compound’s governance system, including smart contracts enabling delegated voting power and a new timelock module to improve transparency and decentralization. In 2021, Quantstamp audited the “claim cooldown” functionality to further support the protocol’s secure evolution.

Since then, Quantstamp has continued to stay engaged with Compound’s ecosystem by routinely auditing forks of the protocol. This ongoing work has allowed us to maintain deep familiarity with Compound’s architecture, design patterns, and smart contract logic, ensuring Quantstamp remains well-positioned to support the protocol going forward.

Notable Security Partnerships and Clients

Across COSTCO, we have made significant contributions and achievements that demonstrate our expertise in the blockchain space. These accomplishments serve as a testament to our commitment to excellence and our ability to drive innovation in the rapidly evolving decentralized landscape, and include previous audit experience, research grants, and other projects.

DAOs

Maker (“Sky”), Curve, Canton Network, Venus, SSV Network, XDAO, JPEG’d, ParagonsDAO, Olympus DAO, Balancer DAO

DeFi

Compound, Lido, Uniswap, Chainlink, Morpho, Ethena, Curve, 1Inch, Radiant Capital, PancakeSwap, Tensorplex, YieldBasis, Hashflow, Ondo, Synfutures, Storm Trade, Ambient (Crocswap)

Institutional & Enterprise

Ethereum 2.0 (Prysm and Teku implementation), Solana Runtime, TON, BNB Chain, Cardano Chain and USDA, Avalanche Network, LayerZero, Flow, Kraken, Karpatkey, Circle, Galaxy Digital

Outside of audits, Quantstamp co-authored the Enterprise Ethereum Alliance DeFi Risk Assessment Guidelines, a framework developed by the Enterprise Ethereum Alliance to identify, assess, and mitigate risks associated with decentralized finance protocols.

Case Studies

The following references are case studies of Quantstamp’s white glove cybersecurity audits and services for clients in the blockchain space most relevant to Compound. We picked case studies highlighting close collaboration with clients over long periods of time that match the nature of this engagement.

Case Study 1: Venus Protocol

Venus Protocol is a decentralized lending and borrowing platform on BNB Chain that allows users to supply, borrow, and earn interest on crypto assets, as well as mint synthetic stablecoins. As one of the most prominent DeFi protocols in the BNB ecosystem, Venus handles significant on-chain value and requires continuous security assurance to maintain user trust and protocol stability. Built in part as a fork of Compound, Venus benefits from Quantstamp’s deep familiarity with the underlying architecture and smart contract design.

Quantstamp has supported Venus under a yearly security retainer, which began in 2024 and was renewed for a second year due to the strength of the collaboration. Quantstamp provides a dedicated, full-time team of auditors with domain expertise in the Compound codebase and Venus’s custom modifications, enabling us to guide key deployments, perform detailed PR reviews, and support rapid development cycles. This structure allows for fast onboarding, expedited turnaround times, and high-priority service for both scheduled audits and urgent reviews. This ongoing partnership enables Venus to innovate confidently while maintaining a strong security posture.

A sample of public audits for Venus can be found below:

Case Study 2: Kiln

Kiln is a leading crypto infrastructure platform specializing in enterprise-grade staking solutions. It provides white-label staking services that enable institutions, custodians, and DAOs to easily earn rewards across multiple blockchains while maintaining control and compliance. As a core player in the staking ecosystem, Kiln supports billions in assets and requires robust, ongoing security to support its operational integrity.

Quantstamp has partnered with Kiln for over two years to deliver comprehensive smart contract, infrastructure audits, and governance proposal reviews and participation, helping ensure the reliability and resilience of its staking platform. Through Quantstamp’s collaboration with Chainproof, they also provide protocol-level insurance to mitigate staking-related risks, a critical layer of trust for institutional clients. Beyond security assessments, Quantstamp actively supports Kiln’s governance processes by validating transactions and participating in protocol-level confirmations. This multifaceted partnership reflects the commitment to securing the staking layer of web3 through both technical and operational contributions. Example reports can be requested here.

Case Study 3: ERC-6900 Working Group

In November 2023, Quantstamp conducted an audit with Alchemy on their initial Modular Account v1 codebase, the first production-ready account of the ERC-6900 standard, a standard specifying components and interfaces for modular smart contract wallets. Throughout the audit, the auditors immersed themselves deeply into the standard, version v0.6 at the time, and found opportunities for improvements not just to the implementation, but to the architecture of the standard as a whole. Quantstamp’s suggestions ultimately helped shape ERC-6900 v0.7, and as a result of the efforts, Quantstamp was invited as a co-author to the standard itself in April 2024, co-authored by engineers from Trust Wallet, Circle, and Alchemy. Over the last year, Quantstamp’s co-authors not only formed close relationships with those teams, e.g., having conducted a panel discussion together, but also jointly developed the latest v0.8 of the standard over multiple months.


[Post 2/3]

Section 1: Scope of Security Work

1a. Scope of Services Overview

Quantstamp will work alongside Hypernative and zeroShadow to deliver end-to-end security coverage for Compound. As the primary point of contact and lead provider for all audit-related matters, Quantstamp’s full-time, three-member security research team will focus on continuous review, assessment, and verification of both on-chain and off-chain components. Together, this collaboration ensures a holistic security approach across the full protocol stack.

  • Smart Contract Audits: Manual and automated code reviews to identify vulnerabilities, logic errors, and edge-case risks
  • Infrastructure Audits: Assessment of validator nodes, cloud setups, API gateways, and related services for misconfigurations or exploitable gaps
  • Off-Chain System Reviews: Evaluation of infrastructure components such as backend services, APIs, and CI/CD pipelines for potential attack surfaces.
  • Front-End Reviews: Security checks of web interfaces and user interactions to identify issues like unsafe inputs, data leakage, or phishing risks
  • Deployment Checks: Review of configuration and deployment processes to ensure secure and accurate contract deployment
  • Governance Reviews: Security-focused analysis of governance proposals, parameter changes, and delegation logic to mitigate systemic risk
  • Penetration Testing: Simulated real-world attacks against protocol components or infrastructure to uncover vulnerabilities before adversaries do
  • Deployment Verification: Final validation that the audited code matches the deployed bytecode, ensuring no unapproved changes are introduced post-audit
  • vCISO: Provision of a dedicated Senior Security Engineer that will act as a vCISO, see below for a full description
  • Virtual Security Operations Center (vSOC) to deliver full-spectrum monitoring and incident response, covered in more detail in Section 3c

vCISO Scope of Services

The vCISO will serve as a dedicated security lead and partner for Compound and chair the COSTCO Security Council. Core responsibilities include:

  • Serve as the primary security advisor and point of contact to the Compound Foundation and DAO contributors. vCISO is not just a security engineer but a strategic partner who will go hand in hand with any decision that the community, foundation, or the protocol makes.

  • Chair COSTCO, coordinating input from Quantstamp, Hypernative, and zeroShadow to inform security-related DAO decisions.

    • COSTCO will serve as an advisory board to the vCISO, offering guidance on areas beyond the vCISO’s individual expertise. By bringing together experts across multiple specializations, COSTCO ensures comprehensive coverage of potential scenarios and challenges.
    • COSTCO will also hold the vCISO accountable for their decisions, particularly in situations where conflicts of interest could arise, as the Council consists of three independent companies.
  • Provide on-demand guidance on protocol upgrades, governance proposals, architecture changes, and risk trade-offs.

  • Bridge audit findings with actionable governance outcomes, ensuring clarity and alignment across stakeholders.

  • Lead and document threat modeling, security reviews, and architecture discussions for new initiatives.

  • Maintain evolving security requirements, checklists, and best practices tailored to Compound’s governance lifecycle, including guidance for multi-chain deployments, L2 integrations, and upgrade workflows. The vCISO will oversee operational security across supported networks, ensure deployment safety checks, and coordinate with domain experts for emerging ecosystems if the domain expertise is missing in COSTCO.

  • Scope and prioritize security reviews and audits, coordinating timelines, technical resources, and remediation plans.

  • Act as the central point of contact for interpreting and triaging audit results, including post-review consultation and DAO reporting.

  • Represent security concerns in Compound governance discussions and community calls, offering expert input on proposals.

  • Ensure smooth collaboration between audit, monitoring, and incident response teams, creating a closed-loop security system for the protocol.

1b. Multi-Chain Support & Upgrade Expertise

Quantstamp’s experience is extensive and diverse, including coverage of 50+ ecosystems on which Compound is deployed. Their experience encompasses over 1,100 audits across 25+ programming languages. Quantstamp is immediately prepared to support Compound across most ecosystems.

The following are examples of Quantstamp’s multi-chain support, accompanied by references to public reports.

  1. Venus Multichain Support
  2. Trust Wallet Biz, with deployment review for BSC and Mainnet contracts
  3. Echelon Market, lending protocol deployed through Aptos, Movement, and Initia
  4. Primex, including a dedicated deployment check on all contracts as part of the report.
  5. Kiln, cross-chain deployments, with deployment review

Quantstamp has significant auditing and research experience covering L2s. For example, Quantstamp received an Ethereum Foundation L2 Rollup Security Framework grant that led to the creation of the L2 Security Framework, as well as a paper on attack vectors for rollups.

For emerging L2s, Quantstamp proactively ramps up the team on the newest technologies, positioning us to provide support in any novel ecosystem. vCISO will be able to support and inform decisions on new L2s and also help prepare and plan for such an audit. For a more in-depth vCISO discussion, please see Section 1a (vCISO Scope of Services).

For deployed smart contracts and ongoing monitoring, Hypernative has extensive experience in chain integrations, which include 50+ EVM chains, as well as extensive coverage of non-EVM chains.

Across hundreds of cases, zeroShadow has followed stolen funds through complex cross-chain movements on EVM, Solana, Cosmos, and specialized chains. zeroShadow also has expertise in creating real-time alerting mechanisms across a multitude of chains that allow for quick incident response efforts.

1c. Resource Allocation and Availability

COSTCO proposes assigning three full-time auditors from Quantstamp to Compound, ensuring consistent availability and deep protocol familiarity. This dedicated team allows us to schedule audits quickly and avoid delays due to overlapping client commitments. To support uninterrupted coverage, Quantstamp also maintains a backup rotation of three additional auditors who are fully briefed and ready to step in as needed. This structure enables us to provide seamless support and maintain 24/7 coverage, even in the event of staff absences due to illness, PTO, or other unforeseen circumstances.

One of the auditors, who is a Senior Security Engineer at Quantstamp, will act as a full-time vCISO for Compound. See Section 1a for a full description of the role of vCISO.

In the unlikely event that availability across all 6 designated auditors is impacted, Quantstamp is prepared to rapidly ramp up additional team members to ensure continued audit progress. While this worst-case scenario is highly improbable, Quantstamp has robust internal processes in place to preserve context and ensure continuity, ranging from thorough documentation and internal briefings to version-controlled repositories and audit handoff protocols. By maintaining both dedicated staffing and built-in redundancy, Quantstamp can deliver consistent, high-quality service without bottlenecks.

1d. Additional Services or Tools

In addition to delivering core audit, advisory, monitoring, and incident response services across Compound’s key use cases, COSTCO is committed to supporting Compound’s long-term resilience and decentralization. Below are several value-added offerings available as part of this partnership:

Governance & DAO Support

  • Governance Participation: We are eager to become active participants in Compound governance, contributing security-focused insight to proposals and discussions.
  • On-Chain Insurance via Chainproof: Through Quantstamp’s regulated insurance partner Chainproof, backed by Sompo and reinsured by Munich Re, we can offer optional protocol insurance to protect user deposits and enhance DAO credibility. Compound also receives preferential pricing and access to this insurance offering.

Security Training & Readiness

  • Security Training & Awareness: With a dedicated audit team in place, we can provide optional training sessions for core developers and community contributors, covering secure development practices, threat modeling, and emerging attack patterns.
  • Tabletop Exercises: Beyond rapid response, zeroShadow runs hands-on simulated attack drills with the Compound team to test and strengthen incident management plans. These exercises improve coordination, speed, and decision-making during real events.
  • Hypernative Academy: Hypernative will design a tailored training plan to grow each year of the partnership:
    • Year 1: 5 individuals
    • Year 2: +5 (total of 10)
    • Year 3: +5 (total of 15)

Regular sessions will help participants build fluency with the monitoring platform and respond effectively during operations and emergencies.

Monitoring & Customization

  • Professional Services: zeroShadow offers customized service packages where their team will configure, tune, and maintain alerts based on expert recommendations and Compound’s unique risk landscape
  • Internal Tools: Quantstamp maintains a suite of internal tools, including scanners and ecosystem-specific checklists, to enhance visibility into protocol risk. This includes AI-powered tooling that they actively develop to improve issue detection and standardize review processes at scale

24/7 Continuous Support

  • Around-the-clock coverage across all geographies
  • Communication through your preferred channels (Slack, Telegram, etc.)
  • Real-time assistance in investigating alerts and anomalies
  • Participation in additional calls or check-ins as needed to support urgent questions or emerging threats

Section 2: Technical Methodology and Audit Process


2a. Audit Methodology

The primary objective of a security audit is to identify vulnerabilities, design flaws, and other security-related concerns within the codebase. While the audit assumes the code is of production-level quality, the team will still highlight areas for improvement, regardless of maturity, and provide recommendations to enhance overall robustness. The audit will be conducted following the methodology outlined below.

Manual Review & Tooling

Each audit begins with a thorough manual review of the codebase, conducted by a dedicated team of three full-time auditors with domain-specific expertise (e.g., DeFi protocols, L1 architectures, cross-chain bridges). This layered approach enhances the depth of analysis while reducing the likelihood of blind spots.

To complement manual review, Quantstamp leverages a suite of automated tools, including:

  • Static analyzers and linters for pattern detection and code quality checks
  • Custom in-house scripts and checklists tailored to specific ecosystems (e.g., ERC standards, bridges, rollups)

In parallel, Quantstamp is actively integrating AI-powered analysis into their workflow to identify known attack vectors more efficiently and to further standardize and scale the review processes.

Non-Code Risks

In addition to code-level vulnerabilities, the team assesses a range of non-code risks that could impact the security or stability of the protocol. These include:

  • Governance attack surfaces (e.g., quorum thresholds, voting delays, proposal queuing vulnerabilities)
  • Economic exploits (e.g., oracle manipulation, MEV extraction, incentive misalignment)
  • Upgradeability risks (e.g., proxy misconfigurations, insufficient timelocks on upgrades)
  • Access control weaknesses (e.g., overly broad permissions, emergency powers lacking checks)
  • Ecosystem dependencies (e.g., reliance on third-party contracts, oracles, or bridges)

By identifying and contextualizing these risks, we help teams harden their protocols against a broader range of real-world threats beyond the code itself.

Coverage & Blind Spot Reduction

To ensure comprehensive coverage and minimize blind spots, Quantstamp takes a structured and collaborative approach to every engagement:

  • Each audit begins with a kickoff call to align on system architecture, key objectives, and areas of highest risk
  • Quantstamp encourages continuous client collaboration to surface hidden assumptions and uncover “unknown unknowns”
  • The auditors follow rigorously maintained internal checklists and threat models, refined across 1,100+ prior audits
  • A senior QA engineer oversees each engagement to ensure consistency, validate reasoning, and identify potential gaps in coverage

2b. Audit Workflow & Deliverables

Quantstamp follows a structured, transparent audit process designed to provide actionable insights and maintain a high standard of quality from start to finish. Below is an overview of each phase of the audit workflow:

Scoping & Planning

  • A kickoff meeting aligns on scope, architecture, threat model, and any unique features of the system
  • The project is evaluated for complexity and staffed with auditors whose expertise matches the domain

Audit Execution

  • The codebase is reviewed manually and with automated tooling
  • Findings are logged in real-time, discussed internally, and shared early with the client if critical
  • Ongoing communication ensures alignment and clarification throughout the audit

Internal Review & QA

  • A senior QA engineer conducts a final review to validate audit quality and completeness
  • The audit team performs a retrospective to identify any systemic risks or unclear areas requiring further analysis

Reporting

  • Quantstamp provides a clear, structured audit report that includes:
    • Issue classification by severity (Critical, High, Medium, Low, Informational)
    • Technical explanations for each finding
    • Specific, actionable remediation guidance
    • Optional reviewer notes or contextual insights where helpful

Fix Verification

  • Once the client submits fixes, Quantstamp verifies each one and updates issue statuses (Fixed, Mitigated, Acknowledged)
  • A final report is delivered; upon request, Quantstamp can publish the report publicly, as well as in the Compound Forum

Turnaround Times

  • Typical turnaround times vary based on scope and complexity. Average timelines for completion are as follows:
    • Small audits: 0.5 to 2 weeks to complete
    • Mid-sized audits: 2-5 weeks
    • Large audits: 6+ weeks
  • Quantstamp works closely with clients during scoping to ensure deadlines are realistic and mutually agreed upon

2c. Quality Assurance and Track Record

Below is a highlight of COSTCO’s track record, including case studies of Quantstamp’s recent significant audit findings and track record examples from COSTCO’s vSOC partners, Hypernative and zeroShadow. As it is difficult to highlight reports without publicly naming clients where the issues have been found, we have anonymized the examples below.

Case Study: [redacted] Protocol A

During an audit of [redacted] Protocol A, Quantstamp discovered a critical vulnerability in already deployed contracts that put $600,000 USD at risk. A war room was immediately assembled, consisting of the core audit team and a select group of Company A employees designated by their CEO. The team acted swiftly and successfully mitigated the vulnerability without incident. Following the audit, Quantstamp delivered a report to Company A detailing nearly 40 findings. After the recommended fixes were implemented, a public audit competition validated the results by identifying no additional vulnerabilities within the same scope.

Case Study: [redacted] Protocol B

Quantstamp conducted an audit for a codebase in very poor shape that had already been deployed as a closed beta, at the time already containing ~$2m in TVL. The audit team discovered close to a dozen high-severity vulnerabilities, as multiple aspects were deeply flawed, including fully circumventable access control on all aspects of the protocol. Immediately, additional safeguards were put in place for the existing beta that mitigated the attack surface. 5 rounds of fix reviews were conducted, as the complex nature of the fixes introduced more and more issues, with the scheduled final release coming closer and closer. The auditor team realized that the client’s management was fairly decoupled from the engineering side, which is why they opened separate conversations with that team to properly highlight the risks and the necessity of delaying the official release. Ultimately, the official release went smoothly, and the protocol now holds millions in TVL.

Case Study: Cork Protocol

A recent example from Quantstamp’s incident response process is from May 2025, where Cork Protocol suffered a $12M exploit. Quantstamp jumped in immediately, even though the vulnerability hadn’t been part of their prior audit, to assist with incident triage, coordinate a multi-firm war room, and help craft a detailed post-mortem report. Quantstamp facilitated collaboration between Cork, Hypernative, zeroShadow, and other key parties to pause vulnerable contracts and prioritize fund recovery. Quantstamp helped to draft a transparent and technically accurate post-event analysis, helping Cork publicly document the root cause and implement long-term process improvements.

Monitoring Case Studies: Clearstar, Kinetic, OlympusDAO

On the monitoring side, here are some examples of the track record of Hypernative:

Clearstar is a strong example of Hypernative’s automated response capabilities. During a live exploit affecting an integrated protocol, Hypernative detected malicious behavior in real time and triggered an automated exit from the protocol, saving funds without any manual intervention.

Kinetic relied on Hypernative to detect and front-run an exploit targeting their contracts, which allowed the team to pause activity and prevent a $5M loss. The alert came before the attack was executed, demonstrating Hypernative’s core strength: preemptive detection and mitigation across complex protocol infrastructures.

Olympus DAO uses Hypernative to monitor treasury and governance operations. In one instance, Hypernative flagged unauthorized multisig activity and suspicious fund movement, enabling Olympus to intervene before user funds were impacted. For a protocol with DAO-controlled assets, this kind of real-time visibility and actionable alerting is essential.

Example of Proactive Risk Mitigation

During Quantstamp’s audit with Alchemy for Modular Account v2, they discovered a vulnerability in the ERC-4337 EntryPoint V0.7 that could lead to loss of funds (ALC-2). The vulnerability was disclosed to the core ERC-4337 team and was later patched in V0.8. This was not part of an official bug bounty, but it prevented an important issue from continuing to be present.


[Post 3/3]

Section 3: Risk Management and Incident Response


3a. Vulnerability Triage & Disclosure

We follow a structured, responsible disclosure process for all vulnerabilities, with clear prioritization based on severity and real-time coordination with Compound Foundation and key stakeholders. Our goal is to act with discretion, urgency, and transparency, minimizing risk while ensuring long-term resilience.

We handle vulnerability discovery according to the context in which the issue is identified:

Discovered During an Audit

  1. Critical vulnerabilities are prioritized immediately
  2. Once confirmed by the audit team, Quantstamp notifies Compound via pre-established secure communication channels
  3. Quantstamp’s team shares a detailed issue description and works collaboratively to design and review the fix
  4. Once remediated, the fix is verified and included in the final report

Discovered via Monitoring/Bug Bounty (No Exploit Detected)

  1. The issue is verified internally to rule out false positives
  2. Compound Foundation is notified immediately via secure channels
  3. Quantstamp initiates a joint triage process with COSTCO
  4. COSTCO assists in designing a mitigation plan, auditing the fix, and reviewing deployment procedures following the processes outlined in relevant Sections
  5. A public post-mortem may be published after the issue is resolved to ensure transparency and contribute to ecosystem learning

Discovered After Exploitation (Live Incident)

  1. This scenario triggers our incident response protocol
  2. Detection is confirmed through Hypernative monitoring or partner alerts
  3. zeroShadow leads initial incident handling and informs COSTCO; vCISO joins the war room for coordinated response
  4. COSTCO maintains numerous on-chain forensics and law enforcement contacts that would be brought in immediately
  5. COSTCO and vCISO assist in triage, impact analysis, fix design, and deployment, followed by retrospective review and disclosure as appropriate

Discovered During Bug Bounty

  1. If a valid report is submitted through Compound’s bug bounty program, COSTCO will assist in triage and technical verification
  2. COSTCO collaborates with the submitter (if needed), Compound Foundation, and DAO contributors to evaluate the impact and priority
  3. COSTCO provides fix guidance, conducts fix audits, and supports responsible disclosure
  4. This ensures that even externally reported vulnerabilities are handled with the same rigor and responsiveness as internally discovered issues

3b. Incident Response Support

zeroShadow’s 24/7/365 incident response team is battle-tested, having helped recover over $250 million in stolen funds across major events and clients like ByBit and WazirX.

Their incident response approach is grounded in a rigorous risk management framework that ensures critical issues receive immediate, focused attention while lower-severity findings are appropriately managed without disrupting ongoing operations.

zeroShadow prioritizes rapid triage and classification to assess the scope, severity, and potential impact of each alert or event. This enables us to quickly decide when to escalate and temporarily pause other activities to address high-risk threats, such as active exploits or governance takeovers, while continuing routine monitoring for less urgent concerns.

Throughout this process, zeroShadow will closely collaborate with Compound’s team to ensure alignment on priorities and risk tolerance. zeroShadow’s response team brings access to specialized expertise as needed, supporting the design and implementation of tailored mitigation strategies that balance security, operational continuity, and governance requirements.

This adaptive prioritization model helps Compound maintain robust security without unnecessary disruptions, delivering the right focus at the right time.

3c. Continuous Monitoring & Threat Detection

Hypernative offers real-time monitoring and detection of suspicious events across 60+ blockchains by actively monitoring chain mempools. The platform is incredibly flexible and customizable, and designed to help meet a variety of use cases from security exploit detection to stablecoin depegs to arbitrage to DAO proposal initiation. If it’s happening on-chain, Hypernative can detect it and provide associated alerting and automated actions.

The system itself is based on Watchlist objects, where Compound can define contracts, protocols, bridges, addresses, or anything else across many EVM and non-EVM chains. Watchlists may also include CEX addresses or other contract addresses not explicitly controlled by Compound for a broader market view. Hypernative offers multiple alerting channels including Slack, Telegram, Discord, PagerDuty, Splunk, and custom webhooks. Additionally, Hypernative provides integration with key custody vendors including: Fireblocks, Utila, Bitgo, and others, and enables an on-chain configured action to fire when a security event is detected.

Hypernative also offers a variety of popular templates as custom agents designed to help you monitor position health, rate deviation, and account liquidity across Compound v2 and v3, along with custom configuration conditions. These custom agents serve as your eyes on-chain, and when specific events occur will fire off and alert you accordingly. You may also utilize the previously mentioned automated on-chain action in the event of a potential hack and pause a protocol, automatically unwind a position, or any other action explicitly supported by a given contract.

Additionally, Hypernative offers out-of-the-box risk categories enabling you to select which types of risks are most important to you, covering security, financial, technical, community, and even phishing/drainer risk. Hypernative’s advanced ML models are able to identify risk conditions as they are happening on-chain and will enable you to respond accordingly so an adverse event doesn’t ever occur. The case studies mentioned highlight instances of Hypernative users front-running attacks and protecting against loss of funds. This helps not only protect capital and liquidity but also plays well for a brand operating in the DeFi world.

COSTCO provides a Virtual Security Operations Center (vSOC) to deliver full-spectrum monitoring of Compound’s smart contracts, governance infrastructure, and financial health metrics to ensure 24/7 coverage between audits, enabling proactive security intervention.

The Virtual Security Operations Center (vSOC) is deeply embedded within Hypernative’s detection platform, not just consuming alerts, but actively shaped, customized, and tuned to Compound’s specific architecture.

vSOC does not just leverage Hypernative, it operates within it, with full access to your environment and the agility to continuously evolve detection logic and alerting rules as Compound’s needs grow and change:

  • Configure and optimize all detection logic
  • Validate alerts in real time, decompile them, and reduce noise
  • Script invariant checks and monitoring rules
  • Integrate external RPCs and data sources to improve signal fidelity
  • Rapidly incorporate new attack vectors as they emerge

This model ensures every Hypernative alert is meaningful, actionable, and escalated correctly, forming a closed-loop system that connects detection with expert-driven response.

By embedding directly within your monitoring stack, COSTCO delivers high-impact security operations without requiring the Compound DAO to build or staff a dedicated internal team. This approach provides a more cost-effective, battle-tested alternative to building and managing these capabilities in-house, while maintaining flexibility, customization, and deep protocol context.

Example Use Cases:

  • Liquidation enforcement: Detect if actual liquidation proceeds deviate from the configured incentive (e.g., 5-8%), or if the incentive is modified unexpectedly
  • Governance concentration: Monitor for abnormal delegation spikes or consolidation of governance power
  • Protocol health: Track TVL volatility, IRM changes, interest rate parameter shifts, or liquidity outliers across cToken pools
  • Context-aware correlation: Monitor off-chain events (e.g., fiat instability, exchange halts, depegs) that may cause sudden on-chain behavior shifts within Compound, helping to pre-empt liquidity or governance risk.

Hypernative’s Monitoring Stack & Detection Capabilities

  • On-Chain & Off-Chain Coverage: Supports Ethereum, Base, and additional chains with real-time data ingestion
  • 300+ Threat Vectors Tracked: Includes smart contract anomalies, governance tampering, oracle manipulation, whale voting, frontend compromise, and multisig/key abuse
  • Data Sources: Mempool monitoring, contract graphing, off-chain oracles, price feeds, governance portals, and social sentiment indicators
  • Machine Learning Models: Behavior-based ML detects anomalies with clustering and statistical scoring to reduce false positives
  • Latency Advantage: 1–7s latency for on-chain events across 60+ chains. Hypernative is the only vendor proven to track attacker behavior in real time, even across rapid address-switching within a single block (e.g., Bybit incident)

Examples of Flagged Anomalies

  • Whale voting behavior or abrupt delegate shifts
  • Oracle feed divergence or rate manipulation
  • TVL, liquidity, or borrow/lend ratio anomalies across cToken pools
  • Suspicious contract deployments interacting with core Compound components
  • Proxy upgrades or admin actions without expected governance approval
  • Multisig drain behavior or irregular cross-chain liquidity movements

Alerting & Escalation Workflow

  • Alerts are routed in real-time to Compound Foundation, contributors, and security delegates via:
    • Slack, Telegram, Discord, Email
    • PagerDuty, OpsGenie, Webhooks
    • Custom triggers for Safe multisigs or Guard module protections
  • Compound stakeholders also have access to Hypernative’s dashboard to visualize incidents, simulate transactions, and customize alert logic via a visual builder or Python SDK.

Between Audits

  • Continuous monitoring ensures threats are caught at the point of execution, not post-incident, so Hypernative users can front-run exploits and protect or rescue funds.
  • During post-audit run time, this live system provides ongoing coverage of protocol risk, governance security, and economic health on a block-by-block basis

Statistics and case studies:

Hypernative’s data latency is the fastest processing and lowest latency in the market.

  • Latency = Their API latency, i.e., how long it takes to process an API call. This depends on the logic employed for assessment, commonly 1-3 seconds.
  • Latency = delay between an on-chain event and Hypernative updating the DB. Each chain has its own block timing; Hypernative updates the database following the tip of each blockchain, but the delay typically ranges from 1-7 seconds across the 60+ blockchains Hypernative supports presently.

To wrap up on latency, compared with traditional real-time monitoring vendors:

  • “Real-time” tracking means being able to monitor and follow a hacker’s activity instantly, while it is happening, even if the attacker is quickly moving funds across thousands of different addresses in mere seconds
  • Hypernative is the only monitoring vendor that is able to do this level of tracking during specific incidents (i.e., the Bybit incident)
  • Other vendors could not keep up as the attacker rapidly switched between many addresses within a single block
  • When Hypernative says “real time,” it means they can track attackers immediately, no matter how quickly or how many times the attacker changes addresses, even if it happens thousands of times in just one block. Other vendors cannot do this, and Hypernative boasts industry-leading performance statistics:
    • 99.8% Threat Detection Rate
    • <.001% False Positive Rate
    • $2 billion+ customer funds saved

Section 4: Commercial Terms and Commitment


4a. Budget Request and Pricing Model

We propose a flat annual fee for a comprehensive 12-month security retainer that covers all core services, including audits, advisory, monitoring coordination, and incident response.

COSTCO offering includes:

  • 1 Full-Time Senior Security Engineer (vCISO & Audit Lead): Embedded with the Compound team year-round (52 weeks/year) to lead audits, provide strategic security guidance, and serve as the primary point of contact
  • 2 Dedicated Security Auditors: Available for 40 weeks per year to form a 3-person audit team, covering all of Compound’s smart contract audits, governance reviews, fix verifications, and deployment checks
  • Continuous Monitoring & Threat Detection: 24/7 protocol monitoring and anomaly detection, with real-time alerts across 300+ threat vectors and dedicated support for alert triage and response coordination
  • Incident Response Support via vSOC: Global, timezone-diverse team with 15-minute acknowledgment and 3-hour action windows, as well as war room coordination, post-mortems, and fund recovery support

This structure ensures high responsiveness, minimal lead time, and continuity across all engagements, without the need to scope and price each audit individually.

We are open to a streamed payment structure via a smart contract or other DAO-preferred mechanism.

4b. Milestones and Performance Metrics

Quantstamp, Hypernative, and zeroShadow are committed to measurable performance and transparent reporting. We track key success metrics across audit delivery, incident response, and community engagement to ensure accountability and continuous improvement. Below are sample KPIs we would propose for this engagement:

Audit Performance

  • Standard audits begin within 1 business day of request
  • Rapid audit turnaround time under 3 weeks for small- to medium-sized audits
  • Critical vulnerabilities identified during audits will be communicated to Compound within 12 hours of discovery
  • Final reports delivered within 5 business days of receiving the remediated code
  • Audit reports can be published on Quantstamp’s certificates website and shared with the community upon request
  • Quantstamp’s overarching goal is to ensure that no unaudited or unaddressed critical issues are deployed to mainnet

Community Engagement

  • vCISO will become a core part of the Compound team and community and will participate in all governance calls (timezone permitting), with a special focus on the security segment calls
  • Provide quarterly public forum security updates on behalf of COSTCO, which will showcase the work that all 3 companies have done and get feedback from the community on how we can improve
  • Security input provided during proposal reviews, governance calls, and design discussions to catch issues before code is finalized
  • See more info in Section 1a

vSOC (Monitoring + Incident Response) Performance

  • Continuous coverage across 60+ blockchains, with new block ingestion and threat detection every block (~12s on Ethereum)
  • Detection engine powered by machine learning, simulations, and heuristics, scanning over 300+ unique threat vectors
  • Alert delivery through integrated channels (Slack, Telegram, Discord, email, PagerDuty, Webhooks)
  • Access to Hypernative’s dedicated support engineers, escalation paths for governance stakeholders, and pre-configured on-chain mitigation options such as contract pausing, multisig intervention, or fund routing through their Guard module
  • 99.8% Threat Detection Rate
  • <.001% False Positive Rate
  • $2B+ customer funds saved

4c. Conflict of Interest Declaration

Quantstamp, Hypernative, and zeroShadow work with a wide range of projects across the web3 ecosystem, including protocols that may overlap in scope or design with Compound. While potential conflicts of interest can arise in a diverse client portfolio, we uphold strict confidentiality standards and employ rigorous internal controls to prevent any cross-contamination of sensitive information. Our teams follow well-defined procedures to isolate engagements and protect the integrity of each client’s data. We are trusted by leading organizations in both DeFi and traditional finance, including enterprise clients and top-tier protocols, and we take that trust seriously in every partnership we form.

4d. Transition and Offboarding Plan

Throughout the duration of our engagement, Quantstamp, Hypernative, and zeroShadow will maintain thorough internal documentation to support seamless knowledge transfer if the agreement is not renewed. In the event of a transition, we will collaborate closely with any incoming security provider to ensure they receive the necessary context, documentation, and technical insights to continue supporting Compound without disruption. Our teams have established processes for developing and executing continuity plans, which can be activated quickly to support an orderly handoff. We fully acknowledge the DAO’s right to terminate the agreement with 60 days’ notice and are committed to ensuring a smooth and professional transition should that occur.

Section 5: Service Level Expectations (SLA)


5a. Incident Response

During the staffing for Compound, we will develop a team that is spread across a wide range of time zones, ensuring that we will have full coverage for response times. During the week, we aim for the following response timelines:

Global team of elite blockchain investigators with rapid support for:

  • Smart contract exploits, Frontend phishing and impersonation, Governance takeovers, Compromised multisigs, Suspicious transactions, and more
  • Guaranteed acknowledgment within 15 minutes, with actionable guidance typically provided well within our 3-hour response window. Alerts trigger immediate notifications via PagerDuty, Slack, Telegram, and email, ensuring no time is lost in mobilizing the right response

5b. vCISO Support

Compound will have direct access to a full-time Senior Security Engineer from Quantstamp, who will serve as both vCISO and Audit Lead throughout the engagement. This individual will be the primary contact for advisory support, while a designated backup vCISO will ensure continuity during any absences or periods of high demand. See Section 1a for a full description of the responsibilities of a vCISO.

Availability & Response Times

  • Standard advisory requests will be responded to within one business day
  • Same-day support is available for time-sensitive requests submitted between 11:00 AM – 5:00 PM EST
  • We ensure at least a few hours of business-day overlap with Compound’s team, regardless of time zone

This flexible structure ensures consistent communication, timely support, and proactive involvement in Compound’s evolving security needs.

5c. Governance Proposal Reviews

Quantstamp will provide structured, timely reviews of Compound governance proposals to ensure security and risk are properly assessed prior to execution. Their team is available to support both standard proposal timelines and urgent, last-minute reviews when needed.

Suggested Turnaround Times

  • Emergency Proposals (e.g., time-sensitive config changes): within 0–24 hours
  • Regular Scheduled Proposals (assuming a prior Quantstamp audit of the proposal’s interaction/payload): within 48 hours

These timeframes can be adjusted depending on the complexity of the proposal and the clarity of the supporting documentation. For multi-stage proposals, Quantstamp recommends sharing drafts early to allow for iterative feedback.

Findings & Communication

Quantstamp’s proposal reviews will include a written assessment outlining any identified risks, mitigations, and implementation guidance, summarized in a classic audit report. These reports will be published in the Compound Community forum and, on request, directly relayed to appropriate stakeholders. Quantstamp’s goal is to support informed, transparent, and secure decision-making at every stage of Compound’s governance lifecycle. Quantstamp will furthermore collaborate closely with the Hypernative team to inform them about the deployments of proposal contracts, enabling them to pay extra attention during the contract’s crucial initial setup and lifecycle. COSTCO will maintain a constant line of communication between all involved companies and immediately inform zeroShadow about anomalies.

5d. Code Audits

With a dedicated, full-time team assigned to Compound, audit engagements can typically be scheduled within 1 business day due to the fact that the team is fully committed to the Compound protocol, depending on current workload and prioritization. To support uninterrupted coverage, Quantstamp also maintains a backup rotation of three additional auditors who are fully briefed and ready to step in as needed. During times of high demand, those extra auditors can be allocated to work in parallel, which would be charged to the same retainer contract.

Audit duration depends on scope complexity:

  • Small/Medium Audits (i.e., isolated modules or minor upgrades): 0.5–5 weeks
  • Complex Audits (i.e., core protocol upgrades, L1 infrastructure): 6+ weeks

After the initial report is delivered, Compound has 2 weeks to submit fixes. Quantstamp’s team will verify and mark each issue (Fixed, Mitigated, Acknowledged), then issue a final report. Revisions can be made during or shortly after the fix review.

Reports include severity classification, technical explanations, actionable guidance, and optional reviewer notes, designed for clarity and usefulness across both technical and non-technical stakeholders.

[Part 1 of 2]

Summary

Company/Team Name and Background

CertiK is a pioneer in blockchain security, combining expert manual review with best-in-class AI technology to protect and monitor blockchain protocols and smart contracts. Founded in 2018 by professors from Yale University and Columbia University, CertiK’s mission is to secure the web3 world. CertiK applies cutting-edge innovations from academia to enterprise, enabling mission-critical applications to scale with safety and correctness.

To date, CertiK has worked with nearly 4,900 clients, secured over $560 billion worth of digital assets, and monitors almost 18,000 projects. Our clients include leading projects such as Aptos, Ripple, Sandbox, Polygon, BNB Chain, and TON.

CertiK is backed by Insight Partners, Sequoia, Tiger Global, Coatue Management, Lightspeed, Advent International, SoftBank, Hillhouse Capital, Goldman Sachs, Coinbase Ventures, Binance, Shunwei Capital, IDG Capital, Wing, Legend Star, Danhua Capital, and other investors.

CertiK’s High-Level Achievements & Statistics

  • CertiK has secured investments from 12 top-tier funds, including Insight Partners, Sequoia, Coatue, and Goldman Sachs.

  • In June 2020, CertiK raised $7.6 million in Series A funding led by IDG Capital.

  • After its second round of financing in 2021, CertiK reached a valuation of $240 million.

  • Between 2021 and 2022, CertiK completed four consecutive rounds of financing, propelling its valuation to $2 billion.

  • In 2024, CertiK held approximately 45% of the global market share.

  • In September 2024, CertiK underwent a brand upgrade and introduced its new slogan: “Elevating Your Entire Web3 Journey,” reflecting its comprehensive service capabilities for the industry, project teams, and Web3 users.

  • CertiK is the first Web3 security company to simultaneously achieve SOC 2 Type I and Type II certifications, and has also obtained an ISO 27001 certification.

  • CertiK is the only blockchain security company to be named in CB Insights’ “Top 50 Global Blockchain Companies” in 2022 and has been recognized as a Global Innovator by the World Economic Forum.

  • CertiK’s annual and quarterly security reports have garnered significant industry recognition and are frequently cited by core Web3 media outlets such as CoinDesk and Cointelegraph.

  • CertiK has offices in 12 locations worldwide, including in the United States, China, South Korea, India, the UAE, Malaysia, France, and the United Kingdom.

  • Since 2020, CertiK has conducted 70+ white-hat initiatives, reported 4,000+ security incidents, identified 115,000+ code vulnerabilities, and safeguarded digital assets worth more than $560 billion from potential threats.

Existing Relationship with Compound

Although CertiK was not a direct auditor of the Compound Protocol, our team has secured the world’s leading DeFi protocols and top-tier enterprises, giving us unparalleled breadth and depth of experience. We have provided smart-contract audits and formal verification, continuous monitoring, and advisories for Venus Protocol, XRPL/Ripple, TON Foundation, Minswap Labs, Qubetics.com, Aptos, Coreum, DBS Bank Limited, OKX, Binance Exchange, Gala Games, Shentu Chain, Crypto.com, AntGroup, Ethereum Foundation, CMC, and many more. This extensive client roster allows us to tailor security across diverse architectures, compliance regimes, and scale requirements. This positions us to deliver immediate, context-aware value for Compound Protocol.

We’ve audited leading lending protocols including Venus Protocol, Justlend, Wemix, 1inch, and PancakeSwap.

A full list of lending protocol clients can be found here: https://skynet.certik.com/boards/lending-and-borrowing

Relevant Security Partnerships or Clients

Here are several recognitions from existing clients:

Covalent - “CertiK was actually one of the original smart contract auditors. CertiK is great. We’ve had nothing but good experiences with them. They were fast, they were easy, they got the job done, and we’ve never had any complaints. So it’s been an all around good experience.”

TON - “We were impressed with the suite of products offered by CertiK, which ranged from full-scope auditing, to security dashboards, and ongoing white hat support. CertiK saw the vision of what TON blockchain could be and wanted to develop that relationship early on, and to really think of different ways to add value across the board.”

Kucoin - “CertiK is the leading security firm in the crypto industry, which means a project that has been audited by CertiK gains a meaningful endorsement.”

MystenLabs - “It’s important that we have a culture of building really strong software that is well-audited, well-reviewed, and that’s only going to make the space safer. Lack of security is an impediment to growing the ecosystem. So we love what CertiK is doing to ensure that the space is safe, and more importantly keeping user funds safe and secure.”

Polygon - “We don’t want to preach security, we want to show everyone that we are secure. That’s why we did our two audits with CertiK, and why we enabled Skynet too. So everyone can do their own research, it’s all out there.”

Bitget - “You are the leaders in the security space. All your founders are from top research institutions… We can totally rely on CertiK in terms of security.”

Scope of Security Work

Scope of Services Overview

Initially, CertiK’s main focus was on patented formal verification technology to audit Web3 smart contracts. The company has since evolved to provide the most comprehensive security service suite in the industry, covering the entire lifecycle of Web3 enterprises and ecosystems.

Here are some of CertiK’s key services:

  • Security audits integrate formal verification, AI-driven auditing, and expert manual reviews to provide code security assurance.

  • CertiK Node supports validator and full nodes across 12 public blockchains, securing more than $1.2 billion in assets to date. This service enhances network security while providing 24/7 real-time monitoring and advanced API data services to ensure stable and efficient blockchain operations.

  • Skynet is a one-stop security platform for Web3 users, integrating security analysis, real-time alerts, due diligence, and data insights. Users can assess more than 16,000 projects through security scores, ranging from real-time ratings to educational tasks and wallet protection.

  • SkyInsights provides real-time transaction monitoring, anti-money laundering/anti-terrorist financing (AML/CTF) compliance solutions, and risk analysis to ensure that Virtual Asset Service Providers (VASPs) meet regulatory requirements.

  • CertiK Ventures is CertiK’s venture capital division, established in May 2024, with an initial investment of $45 million. Its goal is to support innovative projects in the Web3 and blockchain sectors through strategic investments and security solutions.

  • Penetration testing services are designed to simulate hacker attacks in order to identify security vulnerabilities in systems, networks, or applications. Through this proactive testing approach, CertiK helps clients detect and address potential security issues in advance, thereby enhancing system security.

  • Team Verification is an identity validation and due diligence service specifically designed for the Web3 ecosystem, providing strong third-party validation for crypto project teams. This service helps establish trust with the community and investors, while promoting transparency without disclosing the project team’s private information.

  • Bug Bounty platform offers a fully managed, end-to-end supported Web3 bug bounty service with no service fees. Project teams can efficiently tap into the expertise of global ethical hackers to proactively identify and fix potential attack vectors, preventing malicious attackers from exploiting vulnerabilities for harm.

Multi-Chain Support & Upgrade Expertise

Implementing blockchain technologies requires algorithmically confirming that your protocols work as intended. This is achieved through our meticulous manual review and cutting-edge AI analysis, which is augmented by mathematical proofs, ensuring no detail is overlooked. This is why we employ the best-in-class L1 Chain Audit methodologies.

Having reviewed more code and secured more total value than any other firm, CertiK is the auditor of choice for top crypto exchanges such as Binance, OKEx, and Huobi. We scrutinize every layer of Web3, from the smart contracts on Ethereum, BNB Chain, and Polygon to the core code of Layer 1 networks. Our coverage spans, and is not limited to, Ethereum, Binance Smart Chain, Sui, TON, Polygon, Cardano, Avalanche, Moonbeam, Solana, Oasis, VeChain, EOS, Cosmokava, Terra, Hedera Hashgraph, Multichain, Algorand, Polkadot, and Kadena.

Moreover, we apply advanced Formal Verification to Level 1 audits and stand as pioneers in the industry. Every protocol is rigorously inspected as we certify, through mathematical proofs, that a protocol’s logic and invariants are maintained under all conditions. Each audit is initiated with a line-by-line review conducted by our seasoned security engineers, and when necessary, is supplemented with SMT-based proofs from our Formal Verification experts.

Each finding is proven with supplemental evidence. This creates clear, transparent reports which retain the integrity to corroborate with the firm’s final statement. We prioritize the remediation strategy, ensuring all risks are effectively addressed.

Resource Allocation and Availability

For the entire security lifecycle, CertiK allocates a fully integrated multi-disciplinary team including:

Smart Contract Audit Team

  • The team includes 3 FTE Solidity Security Engineers who focus on advanced code reviews, vulnerability triage, and remediation guidance. There is also 1 PTE Formal Verification Engineer who is available as needed for proofs and invariant checks related to the mathematics involved.

Blockchain and Infrastructure Specialists

  • The team consists of 2 PTE Blockchain Security Analysts who conduct protocol-level assessments of cross-chain integrations and consensus-layer reviews. Also, 1 FTE Monitoring Engineer employing Skynet™ for live-chain watching and anomaly detection performs monitoring tasks.

vCISO Leadership

  • 1 FTE vCISO provides strategic oversight, governance counsel, and cross-team coordination, granting security governance, agility, and command.

  • He is supported by a backup who is guaranteed to fill in within one day, ensuring no leadership gaps.

Front-end & dApp Security

  • 1 FTE dApp Security Engineer can perform interface reviews, examinations of off-chain components, and hardening of APIs.

Coverage and Continuity

  • All essential functions are supported by 24/7 on-call rotation shifts with automatic escalation triggers.

  • To maintain institutional continuity, there are predefined cross-team handover processes as well as a unified knowledge database.

  • Priority allocation is guaranteed. The engagement receives guaranteed exclusive resource allocation. There are capacity buffers intended to absorb peak demand or urgent requests.

Additional Services or Tools

The platform offered by CertiK provides an integrated set of security tools and value-added services that seamlessly fit into your development and governance workflows:

Continuous On-Chain Monitoring

  • Skynet real-time threat monitoring and alerting with dashboard visualization

  • Customizable on-chain watchlists, with anomaly detection, alerts, and executive summary reporting

Developer & Governance Tooling

  • Simulators for governance proposals allow users to preview the on-chain outcomes of proposals and pinpoint hazardous parameter shifts.

Penetration Testing & Custom Red Team Activities

  • Off-chain pentesting and red teaming are scoped to the custom threat model of the protocol

  • Custom risk workshops and compliance assessments, gap analyses for ISO27001, and regulatory compliance assessments

Formal Verification & Advanced Proofs

  • Critical module formal verification using SMT-based methods done in-house

  • Full-scale mathematical proofs offered by top academics at competitive pricing for intricate proofs

Technical Methodology and Audit Process

Audit Methodology, Workflow & Deliverables

Our audit process begins by obtaining the source code and setting up a tailored environment. Auditors review project documentation and perform threat modeling before using in-house tools and manual review to uncover security vulnerabilities and design flaws. A report is then presented to the client with findings and recommendations. The final report highlights the improvements made to the project as a result of our auditing efforts and demonstrates how a CertiK audit secures a Web3 project against critical vulnerabilities.

For more detailed information, we recommend reading our blog post where we give a comprehensive overview of our auditing methodology: https://www.certik.com/resources/blog/how-we-audit-a-comprehensive-guide-to-certiks-auditing-methodology.

Quality Assurance and Track Record

In regard to audits related directly to Compound, we have completed 35+ audits for Venus (Compound V2 Fork) from deployments of their isolated pools to small updates regarding upgrades to their contracts. In those audit engagements, we have found findings of varying severity and complexity. Here we highlight a small selection of the findings related to Compound V2’s architecture found during our Venus audits, but there are many more that can be found at https://skynet.certik.com/projects/venus.

In addition, we would like to highlight our quality in comparison to the previous SSP and other auditing firms in regards to codebases similar to Compound. We encourage you to compare the audit reports linked below. We believe they show that we will uphold the same quality standards set by the previous SSP. Note that the audits are not done on the same commits, and often one audit firm audited the code, changes were made to address the findings, and then another firm audited the code again. When comparing, we recommend checking the base and final commits to determine the order in which the audits were performed and if there was any overlap. We provide two specific instances that highlight our quality, but we encourage reviewing all the audits for their quality and comparing our performance vs. the other auditing firms, which can be found at https://docs-v4.venus.io/links/security-and-audits.

  1. Here we provide links to all audits for the Venus ERC4626 Vaults. We were the only firm to point out many rounding error issues present in the codebase.

    1. CertiK: https://github.com/VenusProtocol/isolated-pools/blob/1faa46139aaec06e0eb2e48341bff22cd6c38c6c/audits/129_erc4626_certik_20250514.pdf

    2. Pessimistic: https://github.com/VenusProtocol/isolated-pools/blob/1faa46139aaec06e0eb2e48341bff22cd6c38c6c/audits/131_erc4626_pessimistic_20250502.pdf

    3. FairyProof: https://github.com/VenusProtocol/isolated-pools/blob/1faa46139aaec06e0eb2e48341bff22cd6c38c6c/audits/130_erc4626_fairyproof_20250414.pdf

  2. Here we provide links to all audits for the Venus Token Converter. In particular, this was also audited by the previous SSP, OpenZeppelin. We would like to point out that we were the last firm to audit the codebase and were still able to find 1 major and 3 medium severity findings.

    1. CertiK: https://github.com/VenusProtocol/protocol-reserve/blob/f31dc8bb433f1cff6c2124d27742004d82b24c32/audits/074_tokenConverter_certik_20231107.pdf

    2. OpenZeppelin: https://github.com/VenusProtocol/protocol-reserve/blob/f31dc8bb433f1cff6c2124d27742004d82b24c32/audits/066_tokenConverter_openzeppelin_20231010.pdf

    3. PeckShield: https://github.com/VenusProtocol/protocol-reserve/blob/f31dc8bb433f1cff6c2124d27742004d82b24c32/audits/068_tokenConverter_peckshield_20230927.pdf

    4. FairyProof: https://github.com/VenusProtocol/protocol-reserve/blob/f31dc8bb433f1cff6c2124d27742004d82b24c32/audits/067_tokenConverter_fairyproof_20230828.pdf


[Part 2 of 2]

Risk Management and Incident Response

Vulnerability Triage & Disclosure

CertiK maintains a rigorous and transparent vulnerability management process, designed specifically for large-scale DeFi protocols like Compound. Vulnerabilities may be identified through scheduled audits, continuous monitoring, or third-party/community reporting, and are triaged according to severity (Critical, High, Medium, Low).

For Critical and High Severity:

Immediate notification is sent to designated Compound security leads via secure, encrypted channels. No details are ever disclosed publicly until a verified fix is deployed. CertiK engineers can join Compound’s incident response group directly, working side-by-side with protocol developers to investigate, reproduce, and address the vulnerability as quickly as possible.

For All Tiers:

CertiK provides detailed written analysis, remediation guidance, and coordinated disclosure, following a process aligned with Compound’s governance and operational structure. Timelines are flexible but always prioritize protocol safety and minimizing user risk.

Our responsible disclosure process emphasizes full lifecycle management: from detection to fix deployment to post-mortem review. We actively support post-incident transparency, and have published dozens of public postmortems for incidents across the industry, helping advance security standards for all DeFi protocols.

Incident Response Support

CertiK operates a dedicated incident response team available 24/7, with senior engineers and security analysts on call. When a potential exploit or live incident is detected - whether by CertiK, Compound, or another party - our team mobilizes immediately to:

  • Analyze the attack vector and assess scope and impact

  • Join Compound’s war-room and coordinate technical mitigation and communications

  • Develop and validate patches, review emergency governance actions, and assist with testing and deployment

  • Provide ongoing situational updates and tactical recommendations

CertiK has a proven track record of supporting protocol teams during high-pressure events, including the full incident lifecycle from rapid triage to root-cause analysis to long-term risk reduction. Our engineers routinely collaborate with protocol teams, multisigs, whitehats, and ecosystem partners to ensure all incident response actions are executed safely and efficiently.

For example:

Example 1: @ArcadiaFi was attacked on July 15. Our response process was as follows:

  1. 2025-07-15 04:05 (UTC): The attack transaction was sent on-chain. Our system immediately detected it as a suspicious attack transaction, and analysts began investigating.

  2. 2025-07-15 04:32 (UTC): Analysts confirmed it was an attack and roughly identified the root cause.

  3. 2025-07-15 04:48 (UTC): Through the @CertiKAlert account, we were the first to alert the community about this attack transaction.

  4. 2025-07-16 (UTC): A detailed incident investigation report blog was published.

Example 2: Sonne Finance, a fork of Compound V2, was exploited on May 14, 2024, resulting in a loss of approximately $20 million. We conducted a comprehensive post-incident technical analysis of the exploit, which leveraged a precision-loss vulnerability in the exchangeRate calculation when a newly created market was empty.

Our detailed investigation covered:

  • Technical root cause, tracing how precision rounding enabled the attacker to redeem more assets than entitled, mirroring flaws seen earlier in Hundred Finance and other Compound forks.

  • Attack flow analysis, reconstructing the multi-step sequence used to manipulate exchangeRate, perform flash loans, and extract assets.

  • Fund tracking, including on-chain tracing of stolen assets (~$20 million across VELO, USDC.e, WETH, WBTC, USDT, wstETH) and identification of victim and attacker addresses.

This incident marked the largest exploit on the Optimism network in 2024, and our analysis not only provided insights into the vulnerability itself but also informed recommendations for securing Compound forks against similar risks.

Our ability to rapidly dissect and communicate Compound-related vulnerabilities demonstrates a strong familiarity with Compound V2, its operational patterns, and known attack surfaces, which is an asset we bring to monitoring, alerting, and incident response efforts for the Compound protocol.

Our @CertiKAlert Twitter account has been active since early 2022, serving as a public-facing channel to share real-time security alerts and incident updates with the broader Web3 community. The account focuses on delivering timely, accurate, and transparent information about ongoing threats, active exploits, and major protocol incidents.

Over the past three years, we have published alerts on more than 700 security incidents across the DeFi and Web3 ecosystem, covering exploits, phishing campaigns, rug pulls, governance attacks, and scams. These alerts often include preliminary root cause insights and follow-up postmortems, helping both users and protocols respond faster. With a strong and growing follower base, @CertiKAlert has become one of the most recognized and trusted sources for Web3 security updates.

Continuous Monitoring & Threat Detection

We have developed and deployed a comprehensive, general-purpose on-chain attack detection system capable of identifying a wide range of malicious or suspicious behaviors in real time across multiple DeFi protocols. This system continuously monitors blockchain activity, detects anomalies, and raises alerts for potential threats before they escalate. In the past year alone, the system has successfully identified over 300 confirmed on-chain exploit events.

The types of behaviors we detect include, but are not limited to:

  • Liquidation manipulation: detecting coordinated actions to manipulate collateral or borrowing positions for unfair liquidations

  • Oracle exploits and price manipulation: identifying unusual price feed discrepancies, sudden shifts, or manipulations targeting undercollateralized positions

  • Reentrancy attacks: monitoring for recursive contract interactions that may exploit vulnerable functions

  • Suspicious fund flows: such as rapid in-and-out transfers, chain-hopping, or obfuscation patterns typical of laundering or exploit cash-outs

  • Governance manipulation: including malicious proposal execution patterns or large voting power shifts

  • Flash loan-based exploits: combining large capital injections with protocol abuse in a single transaction

  • Unusual contract interaction graphs: such as automated interactions with multiple protocols in ways not seen in typical user behavior

In addition, we leverage AI-powered tooling to automatically summarize and interpret suspicious transactions detected by the system. These tools assist analysts in quickly understanding the nature, impact, and potential intent behind each flagged activity, significantly reducing manual investigation time.

Our AI layer provides:

  • Natural language summaries of attack patterns and transaction flows, enabling faster incident reviews

  • Classification of threat types, such as exploits, phishing, rug pulls, etc.

  • Quantitative analysis of fund flows, including net inflow/outflow calculations, cross-entity transfers, and temporal flow patterns to help pinpoint attacker behavior

  • Mathematical modeling of abnormal movement, such as sudden liquidity drains or looping fund paths across protocols

CertiK provides continuous, real-time monitoring and threat detection tailored to Compound’s architecture and risk profile. Our monitoring solution is flexible and can be fully customized for Compound’s needs, including:

  • Protocol-Specific Invariant Monitoring: CertiK can define and continuously monitor custom invariants unique to Compound - such as abnormal liquidation patterns, oracle manipulation, governance proposal anomalies, large fund transfers, or cross-chain bridge events. These invariants are updated and extended as the protocol evolves.

  • Anomaly and Attack Detection: Our systems leverage both on-chain and off-chain data, supporting automated alerting for suspicious activity or deviations from expected protocol behavior. Alerts are routed to both CertiK’s security team and Compound’s designated contacts for immediate action.

  • Governance Monitoring: CertiK will assign a security engineer to review all new governance proposals and can develop or integrate custom monitoring for governance-specific risks, including suspicious proposals or attempts at protocol manipulation.

  • 24/7 Coverage and Escalation: Monitoring is active around the clock, with escalation procedures ensuring any critical alerts are acted on immediately by both CertiK and Compound’s teams.

  • Automated Whitehat Rescue: CertiK can perform rapid, automated whitehat interventions to recover protocol funds in the event of an exploit. This minimizes losses and ensures real-time protection for Compound.

Operational Security Services

In addition to technical monitoring, CertiK offers operational security services designed to strengthen Compound’s overall security posture. These services address risks beyond smart contract vulnerabilities - focusing on human factors, key management, process gaps, and incident readiness.

Our Operational Security program includes:

  • Incident Response Training: Simulated, live-fire incident response drills on forked networks. This helps Compound practice and refine their response to real-world attack scenarios - covering smart contract exploits, oracle failures, compromised admin keys, governance attacks, and more.

  • Multisig Operational Security: Review and training for multisig participants, best practices for key storage and transaction signing, and expert manual review of high-value transactions.

  • Governance Process Security: Monitoring and manual review of governance proposals for hidden risks or malicious payloads, as well as participation as a security delegate if desired.

  • Web2 Security & Access Controls: Assessment and guidance on internal access controls, key management, and resistance to phishing or unauthorized access.

  • Frontend & Social Media Monitoring: CertiK continuously monitors Compound’s websites and social channels for DNS hijacks, phishing sites, malicious clones, and impersonators. We help detect and take down fraudulent copies, and assist with recovery in the event of DNS or account compromises.

Commercial Terms and Commitment

CertiK proposes a 12-month engagement, commencing August 18, 2025, as per Compound’s RFP.

Compensation is streamed in COMP tokens (USD-pegged value) via the Compound Streamer contract, with payment stopping upon a 60-day termination notice by the DAO.

All terms are structured to align with DAO governance and operational expectations. No upfront lump sums, no exit penalties.

Engagement Structure

  • Duration: 12-month engagement, commencing August 18, 2025 (per Compound RFP).

  • Scope:

    • Full protocol and governance audits

    • Standard and urgent governance proposal reviews

    • Continuous monitoring and threat detection

    • Incident response (24/7, with 15 min SLA)

    • vCISO/advisory services

    • Quarterly security reporting

    • Onboarding and offboarding support for transition

  • Service Exclusions:

    • Third-party code audits (for code not owned/operated by Compound)

    • Bug bounty management

    • Legal/tax advice

    • Non-Compound emergency/extraordinary events (billed separately if needed)

Budget Request and Pricing Model

The information about the budget request and pricing model has been privately shared with the Compound Foundation.

Milestones and Performance Metrics

  • Audit & Proposal Review Timelines:

    • Governance proposal reviews: <24 business hours (Mon–Fri)

    • Full protocol audits: 2–6 weeks from code delivery (size/complexity dependent)

  • Incident Response:

    • 24/7/365 coverage; 15-minute initial response and escalation for critical incidents

  • Reporting:

    • Quarterly security updates/reports to Foundation and DAO

    • Real-time notification and summary of any critical incidents

  • Outcome-Based Metrics:

    • CertiK will ensure that any critical vulnerabilities identified in the Compound protocol are promptly reported to the DAO/core contributors

    • 100% governance proposals reviewed prior to execution

    • Active participation in governance discussions and security design

    • Monthly/quarterly security updates are posted for DAO visibility

Conflict of Interest Declaration

CertiK is a leading global Web3 and blockchain security service provider that provides services to a wide range of clients, including entities that may be considered competitors of Compound DAO. While CertiK works with clients in similar sectors, we maintain strong confidentiality protocols and systems to ensure that proprietary information is fully protected across all client engagements.

  • Termination:

    • 60-day notice by either party, with payment stream stopping at end of notice period

    • No exit penalties or fees

  • Change in Scope:

    • If actual scope of work increases or decreases by >25% (measured by volume of audits/proposal reviews/incidents), both parties will mutually review and adjust retainer/terms accordingly

Transition and Offboarding Plan

  • Documentation & Knowledge Transfer:

    • All audit reports, issue logs, monitoring artifacts, and process documentation maintained in accessible DAO-owned repositories (e.g., GitHub, Notion)

    • At termination, CertiK will prepare and deliver a comprehensive security status report and provide onboarding for any successor provider

  • Continuity:

    • CertiK continues all monitoring, advisory, and incident response up to formal end date

    • No proprietary lock-in; all necessary information and artifacts are provided to ensure seamless transition and ongoing operations

Compliance & DAO Rights

  • SOC2 Type II compliance (can provide reports upon request)

  • Insurance: CertiK maintains appropriate professional liability/insurance policies

  • Audit Rights: DAO may review performance, processes, and financial records relating to this engagement at any time

Business Continuity: CertiK maintains documented business continuity and disaster recovery plans; 24/7/365 service is guaranteed

All terms are designed to align with Compound’s operational preferences, budget cycles, and community governance requirements. CertiK’s objective is to maintain full transparency, predictable budgeting, and seamless operational continuity throughout the engagement.

Service Level Expectations (SLA)

CertiK’s SLA guarantees agile and clear support in all security engagement touchpoints:

Incident Response

  • Automated Security Operations Center (ASOC) 24/7 monitoring with shift coverage.

  • Acknowledgment of critical incidents within 15 minutes

  • Proof-of-Concept exploit code shared within 48 hours after request.

  • Comprehensive post-mortems delivered within 7 business days.

vCISO Support

  • vCISO tier 1 (urgent) advisory requests: 4 business hour response SLA; other standard inquiries: 1 business day response time.

  • Routine tactical check-ins default monthly, or as agreed.

  • Backup vCISO response within 24 hours to protect against coverage gaps.

Governance Proposal Reviews

  • Standard review turnaround is 24 hours.

  • “At-risk” or urgent proposals expedited to same-day review, dependent on capacity.

  • Findings provided are also structured for private governance and public DAO discussions.

Code Audits

  • Average lead time from proposal to kickoff: 1–2 weeks.

  • Full protocol audits: 2–6 weeks from code delivery, depending on size/complexity.

  • Accompanying the audit, clients receive segmentation of risks into various severity grades and tailored step-by-step remediation instructions.

3 Likes

Representative in the RFP:

Sven Michael - Business Development Manager
sven@zokyolabs.com
@sven_zky

General Overview

Zokyo is a blockchain security firm founded in 2018, specializing in smart contract audits, application and infrastructure penetration testing, economic security modeling, and advanced Web3 research. Our mission is to secure the future of decentralized ecosystems through in-depth technical security assessments and long-term advisory services to top-tier projects.

As a trusted partner in security, development, and investment, Zokyo has worked with industry leaders such as LayerZero, Filecoin, Chainlink, SushiSwap, 1inch, and more. To date, Zokyo has audited hundreds of smart contracts across major chains, securing digital assets worth over $200 billion.

The core team brings together seasoned blockchain engineers, security researchers, and cryptographers with hands-on experience across EVM-compatible, Rust-based, and other blockchain ecosystems. Together, Zokyo combines technical excellence with a pioneering mindset to address complex security challenges in the Web3 space.

Existing Relationship with Compound

For the past few years, Zokyo has performed over ten security audits of the Compound protocol without a single post-release security incident related to the audited smart contract code. One public example of this work is the Paribus audit, which demonstrates our continued involvement in securing forks and iterations of the Compound protocol.

Relevant Security Partnerships or Clients

Zokyo has worked with multiple leading DeFi protocols, especially those involving cross-chain bridging and complex governance models:

  • LayerZero: Extensive smart contract audits and security architecture reviews.
  • 1inch: Smart contract audits focused on aggregation logic and on-chain routing security.
  • SushiSwap: Multiple audits, including Trident AMM and cross-chain deployments.
  • Chainlink: Security assessments for protocol modules and data feed mechanisms.

Additional references and published audit reports:

  • Testimonials: zokyo.io (see client feedback at the bottom of the homepage)
  • Audit Reports: A repository of audits is available on our website and GitHub (an archive of public security assessments showcasing our methodology, transparency, and track record)

Section 1: Scope of Security Work

1a) Scope of Services Overview

The Zokyo team will provide comprehensive information and guidance to ensure a clear understanding of the audit process, findings, and remediation recommendations. Our focus is to enhance the security and robustness of the Compound protocol by performing the following tasks (including but not limited to):

  • Review of Economic Risks: assess the protocol’s economic model to identify and mitigate financial risks that could affect its stability and security.
  • Proof of Correctness for Complex Mathematical Functions: rigorously verify complex algorithms to confirm their correctness and error-free operation.
  • Documentation and Business Logic Review: analyze all available protocol documentation and underlying business logic.
  • Manual Code Review: identify syntactical, semantic, and logical errors through detailed manual examination of the code.
  • Static Analysis: detect known vulnerabilities and issues using automated static analysis tools.
  • Unit Testing: run and develop unit tests using both open-source and closed-source solutions.
  • Test Development: write and execute new test cases to verify the desired behavior of the code.
  • Fuzz Testing: employ fuzzing techniques to discover unknown vulnerabilities or bugs.
  • Test Coverage Expansion: develop a comprehensive suite of unit tests from scratch to achieve over 95% code coverage.
  • Recommendations: provide actionable suggestions for code improvements.
  • Review of Remediations: verify and validate changes made in response to audit findings.
  • Reporting: prepare detailed audit reports documenting findings, risks, and recommendations.
  • Re-Audits and Verification: perform follow-up audits including re-testing and updated code reviews as necessary.
  • Penetration Testing: conduct security assessments of the Compound frontend.
  • Implementation Support: assist the team in applying and verifying audit recommendations.

1b) Multi-Chain Support & Upgrade Expertise

We bring extensive experience across the Ethereum mainnet and leading Layer 2 networks, including Arbitrum, Optimism, Base, and Polygon, with active research into newer rollups such as Scroll, Linea, Mantle, etc. Our cross-chain experience includes bridge audits and asset onboarding reviews, ensuring a thorough understanding of risks in multi-chain deployments.

Deep DeFi Audits Across Major Chains

  • Ethereum Mainnet: Conducted 10+ full protocol audits, covering lending pool logic, governance modules, oracle integrations, interest-rate models, and upgradeable proxy patterns.
  • Optimism & Arbitrum: Performed cross-chain bridge audits, rollup challenge-period reviews, reorg-resilience testing, and validation of upgrade flows.
  • Polygon, Base & zkSync: Delivered rapid “first-look” threat models and live-net reviews shortly after mainnet launches, covering everything from sequencer economics to fraud-proof mechanics.

Cross-Chain Infrastructure & Upgrade Cycle Reviews

  • Audited relay and watchtower contracts for collateral synchronization across chains.
  • Simulated end-to-end cross-chain liquidations and stress-tested governance migrations (e.g., token-bridge transitions, Comptroller upgrades, collateral adapter changes).

L2 Coverage & ZK-Specific Capabilities

  • Research Bench: Our on-chain research team monitors emerging L2s and ZK-rollups (e.g., StarkNet, Polygon zkEVM, Scroll), producing internal threat models within 72 hours of mainnet deployment.
  • On-Demand Expertise: Access to protocol engineers, former core developers, and ZK-proof cryptographers for deep architectural reviews and novel virtual machine implementations.
  • Testnet Engagement: Continuous participation in red-team exercises and bounty programs on emerging testnets, gaining practical insights before mainnet releases.

vCISO Engagement & Strategic Security Support

Zokyo’s proposed virtual CISO (vCISO) will provide end-to-end strategic security guidance throughout the protocol’s upgrade lifecycle:

  • Co-lead threat modeling workshops to validate security assumptions, define approval gates, and establish rollback strategies.
  • Integrate security into CI/CD pipelines and coordinate pre-deployment penetration testing.
  • Manage incident response playbooks, define on-call rotations, and maintain live dashboards with SLA-backed monitoring.

1c) Resource Allocation and Availability

Zokyo will allocate four (4) full-time Senior Security Engineers, including a Senior Lead Cybersecurity Engineer, dedicated exclusively to Compound for the full duration of the engagement. This stable core team ensures deep protocol familiarity, seamless integration of new proposals, and minimized handover risks.

Team Structure and Communication

  • Senior Lead Engineer: Serves as the primary technical point of contact, responsible for security oversight and quality assurance.
  • Project Manager: Manages timelines, status updates, and logistics to ensure smooth collaboration and reduce operational overhead.

Redundancy and Bottleneck Mitigation

  • Zokyo maintains redundant staffing capacity to accommodate workload surges, urgent governance reviews, and unforeseen team absences.
  • For audits involving complex fuzzing, formal verification, or financial mechanism modeling, we assign additional resources (including specialized security researchers and DeFi analysts) to maintain both depth and delivery speed.

Context Preservation and Knowledge Continuity

  • All Compound-related work is documented in a secure internal knowledge base, including audit findings, remediations, governance history, and architectural decisions.
  • The team conducts regular internal syncs to maintain continuity of context across parallel engagements or staffing changes, ensuring no loss of institutional knowledge.

1d) Additional Services or Tools

Zokyo offers a suite of tools and services to support Compound’s full security lifecycle. Unlike firms focused exclusively on code-level reviews, we provide DAO-specific solutions such as proposal simulators, malicious delegate detection models, and real-time quorum monitoring. This full-stack approach enhances the security of decentralized treasury and governance operations.

  • Governance Security Workshops — Technical training sessions for delegates and contributors covering secure proposal design, governance risks, and threat modeling practices.
  • On-Chain Monitoring Dashboards — Custom dashboards that track governance activity, oracle anomalies, voting manipulation, and suspicious contract behavior in real time.
  • Incident Simulation Drills — Tabletop exercises simulating scenarios such as flash loan exploits, collateral instability, and governance hijacks to improve response preparedness.
  • Persistent Protocol Context — A secure internal knowledge base documenting audit history, remediations, governance changes, and architectural decisions to ensure continuity across upgrades and team transitions.

Section 2: Technical Methodology and Audit Process

2a) Audit Methodology

Zokyo applies a comprehensive and scalable methodology to assess, harden, and support upgrades to the Compound protocol. Our approach combines rigorous verification techniques, economic simulations, threat modeling, formal methods, and governance-aware analysis.

In addition to conducting deep technical audits, we collaborate with the community and proposal authors to define audit scope, prioritize risks, and strengthen security practices across the protocol lifecycle.

  • Economic and Technical Evaluation — We conduct comprehensive evaluations of the economic risks introduced by new proposals, ensuring they do not compromise the protocol’s stability or security. This includes rigorous proof-of-correctness techniques to verify alignment with intended logic and incentive models.
  • Security Checklists and Threat Modeling — Zokyo develops structured checklists and risk models based on the proposal type, whether protocol upgrades or new collateral assets. We work with the community to define scope and determine the appropriate depth of review.
  • Best Practices and Development Guidance — Our team documents and shares secure development guidelines, informed by known attack patterns and protocol-specific vulnerabilities, to support long-term resilience.
  • Proposal Support and Advisory — We provide targeted security advisory sessions to proposal authors, helping ensure each submission meets security requirements and is properly scoped for audit review and scheduling.
  • Formal Methods and Invariant Validation — For math-heavy changes, we apply techniques such as symbolic execution, SMT solvers, and invariant assertions to verify components like interest rate curves, liquidation functions, and time-based incentives. We focus on identifying issues such as rounding and overflow that may have high financial impact.
  • Adversarial Economic Simulation — Zokyo leverages an internal DeFi simulation engine that models flash loan attacks, governance collusion, MEV extraction, and systemic exploits. We simulate economic edge cases using adversarial agents to proactively surface governance and incentive vulnerabilities. This engine has previously been applied to model and strengthen liquidity incentive mechanisms and economic edge cases for protocols such as SushiSwap and 1inch.
  • Risk Classification and Scoring — Risks are categorized across technical, economic, and governance layers, and scored based on likelihood and severity to support prioritization and DAO decision-making.
  • Dynamic Audit Depth — We adjust review intensity based on impact. Minor changes receive streamlined reviews, while major upgrades trigger formal verification and adversarial modeling.
  • Technical Toolkit — Our audits combine manual code review with automated tools such as Echidna for fuzzing, Slither for static analysis, and proprietary economic models. We ensure high test coverage and review reused components to avoid integration risks. Where applicable, audits include cross-chain behavior, bridge interactions, and replay protection.

2b) Audit Workflow & Deliverables

Zokyo follows a structured and transparent audit process designed to ensure complete coverage and clear communication throughout the engagement.

  • Scoping and Estimation
    The process begins upon receiving the project scope. Our Senior Lead Cybersecurity Engineer reviews all materials and prepares a preliminary estimate based on code size, complexity, and architecture.
  • Proposal and Confirmation
    Once the scope is approved, our Operations Manager prepares a Statement of Work for client review and confirmation. After mutual agreement, the project is formally scheduled.
  • Kickoff and Allocation
    Following confirmation, our Project Manager coordinates any final details, assigns the audit team, and initiates the engagement. If the team is pre-reserved, work begins immediately after scope approval.
  • Manual Review and Intermediary Report
    Assigned auditors perform a full manual code review, complemented by static analysis tools, unit tests, and fuzzing where applicable. Upon completion, we deliver an intermediary report outlining all identified vulnerabilities, categorized by severity, with specific remediation guidance.
  • Fix Window
    Clients are given a 7-day window to implement fixes. Once updates are submitted, our team performs a re-review to validate changes and confirm that no new issues were introduced.
  • Final Report and Delivery
    Following successful validation, we deliver a final audit report that includes:
    • Executive summary and project overview
    • Audit scope hash and commit hash
    • Detailed findings categorized as Critical, High, Medium, Low, or Informational
    • Status of each issue: Resolved, Unresolved, or Acknowledged
    • Technical recommendations, risk impact analysis, exploit scenarios, remediation suggestions, and post-fix verification
  • The report is formatted, designed, and delivered as a PDF. Reports may be made public via our website and GitHub or kept private, depending on client preference.

Audit turnaround time depends on codebase size and complexity.

Simple audits (up to 1,000 lines of code) take 2 to 6 business days.
Medium scopes (1,000 to 3,000 lines) require 7 to 20 business days.
Complex audits (over 3,000 lines or custom architecture) may take 20 or more business days.

We remain flexible and can adjust schedules based on urgency, team availability, and the broader engagement context.

2c) Quality Assurance and Track Record

Zokyo’s audits have resulted in no recorded critical vulnerability exploits for clients who implemented our recommendations. This track record reflects the effectiveness of our methodology and thoroughness.

In rare cases where post-launch issues arose due to non-critical bugs or third-party integrations, Zokyo acted swiftly to assist with incident investigation, exploit tracing, and live remediation. We view these incidents as opportunities to improve by refining our checklists, expanding test scenarios, and sharing root cause analyses with the wider ecosystem.

A notable example is our audits of LayerZero, where we identified cross-chain replay and message verification vulnerabilities before mainnet deployment, helping to prevent major exploits.

All completed public audit reports are available on our website and GitHub for transparency and community reference.

Section 3: Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure

Zokyo will apply a strict and swift process to handle critical vulnerabilities, ensuring the highest level of security for Compound. Upon identifying a critical issue during audits, monitoring, or bug bounty programs, we will promptly escalate it to Compound’s designated security contacts using encrypted channels such as PGP or other protocols agreed upon with Compound.

We will follow a responsible disclosure policy throughout the process. In case of critical vulnerabilities, all engineers will pause non-essential activities to focus on triage, validation, and containment efforts.

Compound’s leadership and technical stewards will be alerted immediately with a detailed and evidence-supported vulnerability report. Our support will extend beyond reporting, as we will collaborate closely with developers to design, test, and implement remediation patches, assisting through fix implementation, review, and pre-deployment verification.

Public or community disclosure will occur only after a patch is deployed and with mutual agreement between Compound and Zokyo to prioritize user safety and protocol stability.

Critical vulnerabilities will receive urgent attention. Initial triage, root cause analysis, and mitigation planning will begin within hours of detection. Every step from initial discovery to final disclosure will be documented in a secure, access-controlled incident log to ensure full accountability and facilitate comprehensive postmortem reviews.

3b) Incident Response Support

  • 24/7 Technical Response: Zokyo will provide round-the-clock incident response for live security events. Our dedicated team will lead immediate root cause analysis, exploit containment, and coordinate recovery efforts.
  • Collaborative Triage: We will work closely with Compound’s Foundation, core development team, and, if necessary, whitehat partners to coordinate a comprehensive response including rapid patch development and deployment.
  • Postmortem and Improvements: After each incident, we will provide detailed postmortem reports containing root cause analysis, lessons learned, and recommendations to enhance future resilience. An example of a postmortem analysis we conducted for one of our clients can be found at the following link.

Example:
During a recent audit, Zokyo identified a critical vulnerability in a fork of a major DeFi protocol that was also present in the original live contracts holding user funds. We promptly contacted the original protocol’s team, advised pausing the affected contracts, and provided hands-on support throughout remediation, including designing and auditing the fix. This approach protected the fork and safeguarded the broader ecosystem.

3c) Continuous Monitoring & Threat Detection

Zokyo will maintain continuous vigilance between audits using a real-time monitoring system tailored for DeFi protocols like Compound.

  • Custom Anomaly Detection Scripts: The system will track on-chain activity to identify irregular governance voting patterns, including unexpected whale votes, sudden quorum changes, and coordinated proposal actions. It will also monitor oracle price feeds and detect abnormal protocol interactions such as flash-loan manipulation, sudden liquidity shifts, and suspicious contract calls.
  • Intelligent Alert Workflow: Detected anomalies will trigger automated, encrypted alerts sent directly to Compound Foundation’s security operations team and, when appropriate, to DAO governance channels. This enables rapid human review and timely intervention.
  • Transparent Off-Chain Dashboards: For enhanced transparency, Zokyo will offer deployment of off-chain dashboards that visualize protocol health, highlight flagged events, and provide community stewards with a real-time view of governance and market activity.

Operating 24/7, this monitoring closes the gap between scheduled audits and provides early warnings against evolving threats. By combining automation with expert oversight, Zokyo will help ensure Compound remains resilient against both known and emerging risks.

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model

Details submitted privately to the Foundation as required. Zokyo supports continuous streamed payments in COMP, aligned with Compound’s preferred setup.

4b) Milestones and Performance Metrics

Audit Timeliness

  • Audit Report Delivery: 100% of standard audits delivered within 2–3 weeks of code readiness. Expedited reviews are available for high-priority governance upgrades.
  • Responsiveness:
    • Critical issues escalated to the Compound team within 6 hours of discovery.
    • High and medium issues escalated within 24 hours.

Report Quality

  • Clarity and Actionability: Each report includes severity ranking, reproduction steps, remediation guidance, and proof-of-concept scripts for critical findings.
  • Zero Critical Issues in Production: Our ongoing goal is to achieve and maintain zero critical vulnerabilities in production for clients implementing Zokyo recommendations.

Community and DAO Engagement

  • Monthly Security Updates: Delivered consistently to the DAO (target: 12/12 months).
  • Governance Participation: Active attendance and contribution to 100% of Compound governance calls, including live security updates and answering questions live.
  • Public Reporting: Quarterly security summaries and public audit reports are published for transparency.

Incident Response and Follow-Through

  • Incident Resolution Speed: Patches or mitigation steps delivered within 6 hours for critical threats.
  • Postmortem Analysis: Delivered within 72 hours of any notable event, including root-cause analysis and recommendations.

Continuous Improvement Metrics

  • False Positive Rate: Ongoing refinement of monitoring systems to minimize false positives and reduce alert fatigue.
  • Stakeholder Satisfaction: Feedback is collected after each audit and major incident to improve quality and communication.

4c) Conflict of Interest Declaration

Zokyo confirms that there are no current conflicts of interest involving Compound competitors or protocol forks. While we have experience working on legacy Compound forks with minor modifications, we maintain strict confidentiality and impartiality in all engagements.

4d) Transition and Offboarding Plan

If Zokyo’s engagement is not renewed, we will ensure a smooth handover so the incoming security provider can pick up without disruption.

  • Full Handoff Package: We will deliver clear, organized documentation covering all audits, vulnerabilities (with status), test results, monitoring configurations (if any), and relevant context from governance or infrastructure reviews.
  • Knowledge Transfer: We will host live walkthrough sessions with the new provider and make our lead engineer available for technical Q&A during the 60-day notice period.
  • DAO Rights: We fully respect Compound DAO’s right to terminate with 60 days’ notice. During this window, we’ll finalize ongoing reviews, begin structured offboarding, and ensure access rights are cleanly transitioned.

Zokyo’s goal is to leave Compound in a stronger, more secure position—regardless of engagement status.

Section 5: Service Level Expectations (SLA)

5a) Incident Response

Zokyo will maintain a 24/7 incident response posture to ensure rapid containment and mitigation of critical protocol threats.

Response Time Objectives

  • Initial Acknowledgment: ≤15 minutes for critical issues
  • Full Triage and Risk Assessment: ≤4 hours
  • Patch or Mitigation Proposal: Initiated within the same business day

Coverage Model

  • Incident response will be supported by a rotating on-call roster of senior security engineers.
  • All alerts will be routed through encrypted channels such as Signal, PGP-secured email, or secure Slack/Telegram bridges, depending on Compound’s preferences.

Escalation Workflow

  • Detection: Triggered via audit, anomaly monitoring, or third-party disclosures (e.g., whitehat reports or bug bounty submissions).
  • Validation: Zokyo’s internal security team will assess severity, confirm exploitability, and reproduce the issue.
  • Notification: Core Compound contacts will be alerted immediately using pre-established secure channels.
  • Mitigation: Zokyo will collaborate directly with Compound developers to design, test, and validate a fix.
  • Post-Fix Review: Rapid retesting and support for safe redeployment.
  • Postmortem: Root cause analysis, checklist updates, and optional public disclosure following DAO consensus.

5b) vCISO Support

Zokyo’s vCISO function will provide Compound with continuous strategic security oversight and rapid-response advisory services throughout the engagement.

On-Demand Advisory Availability

  • Standard requests will be addressed within one business day.
  • High-priority or governance-sensitive matters will be escalated for a same-day response.

Recurring Security Engagements

  • Weekly Security Syncs: Standing calls to review active proposals, technical risks, governance timelines, and new threats.
  • Design Reviews: Conducted as needed for upcoming proposals or architectural changes, with flexibility for ad-hoc deep dives.
  • Pre-Governance Alignment: Immediate availability ahead of major governance milestones or protocol upgrades.

Primary and Backup Contacts

  • Primary Contact: A Senior Lead Cybersecurity Engineer will serve as the primary vCISO contact, coordinating DAO security, advisory, and audit strategy.
  • Backup Contact: A Senior Security Engineer or Project Manager will be assigned to ensure continuity and responsiveness during urgent governance cycles or time-sensitive requests.

5c) Governance Proposal Reviews

We will provide fast and reliable reviews of governance proposals to support secure and timely DAO decision-making.

Review Turnaround Times

  • Standard Proposals: Reviewed and responded to within 48 hours of request. When feasible, reviews are often delivered within 24 hours.
  • Urgent or Time-Sensitive Proposals: Accelerated reviews are available within 12 hours, including weekends or holidays, if required.

Delivery and Communication

  • Findings Format: All reviews are delivered in a structured format, clearly outlining identified risks, severity levels, and remediation recommendations.
  • Community Transparency: Summarized findings are communicated via governance forum posts or shared live during governance calls, based on sensitivity and Compound’s preferred disclosure process.
  • Follow-Up Support: Zokyo remains available after each review to answer delegate questions, clarify risks, and support last-minute adjustments before voting.

5d) Code Audits

As part of the 12-month engagement, Zokyo will assign a dedicated audit team to Compound. This ensures continuity across workstreams, shortens onboarding time, and enables deeper protocol familiarity. Audit scheduling will follow Zokyo’s internal queue, with priority coordination in alignment with Compound’s roadmap.

Audit Scheduling and Lead Time

  • Standard Lead Time: 2–4 weeks from request to kickoff, depending on project volume.
  • Scalability Commitment: If lead time is projected to exceed 3 weeks, Zokyo will scale the team to maintain delivery timelines without compromising quality.

Expected Turnaround (Post-Scope Confirmation)

  • Simple Audits (≤ 1,000 LoC): 2–6 business days
  • Medium Audits (1,000–3,000 LoC): 7–20 business days
  • Complex Protocols (> 3,000 LoC or custom architecture): 20+ business days

Audit Report Standards

All audits will be delivered as structured, professional reports in PDF format and will include:

  • Executive summary and methodology
  • Git commit hash and audit scope
  • Categorized vulnerabilities (Critical to Informational)
  • Risk impact analysis, exploit scenarios, and remediation guidance
  • Status tags for each issue: Resolved, Unresolved, Acknowledged
  • Final verification summary after fix validation

Fix Review and Re-Audit Process

A 7-day fix window is provided after initial report delivery. Once remediations are submitted, Zokyo will perform a full re-review to validate patches and ensure no regressions have been introduced.

Final Report and Publishing

After successful validation, the final report will be shared with the Compound team. Reports may be published publicly on Zokyo’s website and GitHub, depending on Compound’s preference, supporting transparency and community trust.

Final Considerations

Zokyo’s mission is rooted in decentralization, transparency, and empowering open protocols to scale securely. With deep experience in governance-intensive, cross-chain ecosystems and a proven record in DAO collaboration, we are well-positioned to support Compound through this next chapter of protocol evolution.

We look forward to being a long-term security partner for Compound and contributing to a safer, more resilient future for permissionless finance.

Request for Proposals: Compound DAO Security Service Provider

Immunefi Magnus Security Proposal

Powered by Dedaub, Runtime Verification and Sigma Prime

1/2


0. Overview

This collaborative proposal was built to anticipate the unique security needs of the Compound DAO at this pivotal moment in its history. We believe Compound can accelerate its growth as a DeFi leader if it strikes the right balance between innovation and reliability, especially with its v4 upgrades and the upcoming community-driven ecosystem roadmap.

The consortium of security providers behind this proposal, powered by Magnus, Immunefi’s end-to-end onchain security platform, is assembled with the aim to comprehensively cover security in a time of significant evolution, acting as an innovation enabler while ensuring it does not sacrifice safety.

The consortium is coordinated by Immunefi and led by a renowned group of core security firms: Dedaub, Runtime Verification and Sigma Prime. This team is enhanced by supporting partners, also integrated in Immunefi’s Magnus platform: ChainPatrol, FailSafe, Fuzzland, OpSek and Shield3.

While the core partners ensure the scope of the RFP is fully met, the supporting firms provide additional optionality for wider threat coverage, in a coherent manner and without introducing excessive costs. The consortium is steered by a dedicated vCISO who will leverage this combined talent pool and the Immunefi Magnus platform to address Compound’s security needs in an all-inclusive and efficient manner.

Partners, Background and Relevant Clients

About the Core Partners

About Dedaub

Dedaub is a leader in web3 security, with top auditor expertise and tooling. It is best known for its on-chain decompiler for EVM smart contracts, continuously operating since 2018, with close to 10,000 registered users. Hundreds of security researchers, as well as other investigators of smart contracts without verified source code, use the decompiler daily. Derivative tools, under the Dedaub Security Suite, include a comprehensive monitoring and alerting infrastructure.

As an auditor, Dedaub has conducted numerous audits and impact studies for the Ethereum Foundation and has audited some of the top names in web3, including:

  • Chainlink: Auditor for the majority of Chainlink projects, both on- and off-chain code. (All reports of the past 3 years are under NDA and not available on the public site.)
  • EigenLayer: Multiple audits of middleware and core AVSes (e.g., EigenDA), many more audits of partners in the EigenLayer ecosystem (e.g., EOracle, third-party AVSes).
  • Liquity: Multiple audits of the core Liquity protocol, including Liquity v2 (Liquity Bold), as well as official add-ons (ChickenBonds) and audits of derivative protocols in the Liquity ecosystem (e.g., Yeti, VaultEdge, Stable Jack, Felix, Gravita).
  • 0x: Multiple audits of different decentralized functionality for the exchange.
  • Others: Over 250 other audits of several prominent DeFi protocols, e.g. LayerZero, GMX, Pendle, Lido, Blur, Nexus Mutual, and more.

As whitehat hackers and security researchers, Dedaub has received several million in whitehat bounties for numerous vulnerabilities discovered in deployed protocols. This includes identifying the #1 largest vulnerability by exploitable dollar value in crypto, in a historically-major decentralized bridge. Dedaub is continually participating in war rooms for major hacks, is regularly consulted for widespread, ecosystem-level vulnerabilities (due to the value of Dedaub tooling for impact queries), participates in several protocol or L2 Security Councils, and is a founding member of the Security Alliance (SEAL).

About Immunefi

Immunefi is a leading onchain security platform, offering a comprehensive suite of services through its Magnus platform to more than 350 protocols and dapps. In just over four years, it has directly prevented hacks worth over $25 billion USD and its community of Security Researchers has been awarded over $121 million USD for responsibly disclosing more than 5,000 web2 and web3 vulnerabilities, including +1,150 criticals — nearly six critical bugs a week since Immunefi was founded in December 2020.

In addition to Compound, Immunefi works with renowned projects including Sky (formerly MakerDAO), Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, StarkNet, EigenLayer, Astar Network, ZKsync and more, all publicly available on the website.

It’s also a proven security partner to other large ecosystems:

  • Whitelisted for Arbitrum’s Security Subsidy Fund and current Arbitrum Security Council Member.
  • Ran the Ethereum Foundation’s first large-scale audit competition, with a $1.5M rewards pool.
  • Selected by Plume as the end-to-end security partner to support its L1 and its ecosystem.
  • Optimism Growth Cycle and Retro Public Good Funding Grant Recipient.
  • Created the Immunefi Security Core Unit (IS-001) to provide security to the Maker (now Sky) ecosystem, including operational security audits, disaster recovery and on-call security advisory.

Magnus, Immunefi’s new unified security platform, helps CISOs and security teams deal with tool overload and blindspots across an ever-evolving threat spectrum. Projects can manage engagements through a single command center combining solutions from best-in-class partners with Immunefi’s native, purpose-built tooling, all while leveraging intelligence from Immunefi’s proprietary vulnerability dataset, the industry’s largest.

About Runtime Verification

Founded in 2010 and active in the blockchain space since 2017, Runtime Verification is a recognized leader in web3 security, specializing in formal verification, symbolic execution, and deep protocol audits. It is best known for developing Kontrol, an open-source formal verification engine that integrates directly with Foundry and is used by security researchers and core protocol teams to write and prove smart contract invariants.

Its approach to auditing is also grounded in formal methods: every engagement begins with a detailed design review, analyzing the protocol’s mechanisms and producing clear, structured specifications. These guide the code review process and often surface critical issues before a single line is audited.

Runtime Verification has audited high-impact systems like Ethereum 2.0, Gnosis Safe, Lido, Optimism, and Stellar’s Soroban Smart Contract Platform. A complete list of previous engagements can be found here. Its team also brings expertise in Rust, Go, cross-chain messaging mechanisms, and infrastructure audits, allowing us to support a wide range of blockchain projects beyond Solidity smart contracts.

About Sigma Prime

Sigma Prime is a leading blockchain security and research firm with almost 10 years of experience in decentralized technology. Founded in 2016, Sigma Prime has performed hundreds of security reviews for leading protocols and applications while building and maintaining Lighthouse, a prominent Ethereum consensus client written in Rust. Their areas of specialization include:

  • Smart contract security audits (Solidity, Rust, Go, MOVE).
  • Blockchain core infrastructure security (L1s, consensus, networking, cryptography).
  • Cross-chain and Layer 2 protocol security.
  • DeFi protocol security with particular expertise in lending protocols.
  • Traditional infrastructure and application-layer penetration testing.

Sigma Prime has a team of 50+ security researchers, engineers, and academics, across both security practice and R&D, including:

  • Extensive background in both blockchain security and traditional cybersecurity.
  • Active members on various prominent protocol security councils (e.g. EigenLayer, Polygon, Lido).
  • Several team members with advanced academic credentials and published research.
  • Senior staff with red team and enterprise penetration testing backgrounds.
  • Experience spanning complex governance systems (e.g. Aave), lending protocols (Aave, Term Finance, Burrow Finance, Interest Protocol, Gearbox), and cross-chain deployments across major L1s and L2s.

Sigma Prime’s public audits repository demonstrates work with the Ethereum Foundation and protocols such as Lido, Omni, Mantle, Optimism, Kelp, Swell, Term Finance, RocketPool and more:

  • Chainlink: Ongoing engagement for a variety of projects and cross-chain integrations.
  • EigenLayer: Multiple audits of restaking infrastructure and AVS ecosystem.
  • Polygon: Continuous security services across ZK-rollup and sidechain deployments.
  • Aave: Historical security partnership with comprehensive lending protocol expertise.
  • Synthetix: Historical security reviews for synthetic asset protocols.

It is also a founding member of the Security Alliance (SEAL).

About the Supporting Partners

About ChainPatrol

ChainPatrol offers real-time security for web3 brands, communities and teams, including brand monitoring, wallet blocking, phishing, impersonation, fake domains, unlimited takedowns and support triaging with 24/7 automated threat detection and personalized support.

ChainPatrol has previously worked with Compound and currently works with Optimism, Arbitrum, zkSync, Curve, Metamask, The Graph, Polymarket, Consensys, among others.

About FailSafe

FailSafe offers real-time threat detection and automated incident response. Its monitoring solution covers production deployments, detects anomalies, and mitigates risk before it becomes loss, going beyond alerts with programmable, on-chain responses such as pause, block, and unwind.

FailSafe works with Hyperliquid, YieldGuildGames, ByBit, Base, Haven1, BNB Chain and Kelp.

About Fuzzland

Fuzzland offers 24/7 onchain pentesting powered by advanced fuzzers, AI and formal verification with customizable alerts and optional proactive and reactive attack intervention via MEV techniques to front- and back-run hacks before they are executed. It has successfully rescued $33M in assets so far.

Fuzzland works with Mantle, Curve, Chainlink, Resonance, Nubit, Treehouse, IoTeX, among others.

About OpSek

OpSek offers operational security audits and training to web3 organizations and high net worth individuals, working with teams from Optimism, Aligned Layer, Contango and more to mitigate operational failures.

It’s founded by Security Alliance members with signers on Optimism and Polygon’s security councils.

About Shield3

Shield3 offers wargames and incident response preparedness and has worked with Compound, Aave, Yearn, Optimism, Base, Uniswap, Lido and the Ethereum Foundation.

It’s a founding member of the Security Alliance.

Existing relationship with Compound

Some Magnus consortium partners have or have had a direct relationship with Compound:

  • Immunefi designed and currently runs Compound’s Bug Bounty Program, which includes 24/7 managed triage as well as a Safe Harbor module.
  • ChainPatrol has previously protected Compound from brand impersonation threats and Shield3 ran an incident response tabletop exercise with Compound in 2023.
  • Dedaub, Sigma Prime and Runtime Verification haven’t directly worked with Compound, but have audited protocols derived and forked from Compound, protocols that expose Compound integrations (e.g., DeFi Saver, Yearn, Vesper), as well as competing lending protocols (e.g., Liquity, Term Finance, Yeti, Aave, and Alchemix).

Our collective experience with similar complex DeFi protocols positions us to rapidly gain deep protocol familiarity without impacting Compound’s timeline or budget.

For that, we propose a self-funded rapid protocol familiarization strategy to ensure we can deliver immediate value, leveraging our core team’s deep experience with analogous systems.

I. Leveraging Existing Expertise:

  • Historical Lending Protocol Partnerships: Comprehensive understanding of lending pool mechanics, collateralization, liquidation processes, and governance structures, including Aave, Liquity, Euler, Maker (now Sky), Morpho, Maple, Yearn and more.
  • Chainlink Integration Experience: Public experience with complex oracle systems and multi-chain architecture similar to Compound’s cross-chain deployments.
  • DeFi Protocol Expertise: Experience with numerous other DeFi protocols including lending, governance, and cross-chain systems
  • Multi-Chain Experience: Established work across all major L1s and L2s where Compound operates.
  • Bridge and Cross-Chain Security: Deep experience with cross-chain deployment security considerations.
  • Complex System Analysis: Proven track record rapidly onboarding sophisticated protocols including multiple Chainlink protocols, EigenLayer’s restaking mechanisms and Polygon’s multi-chain infrastructure.

II. Self-Funded Preparation Phase and Initial Assessment:

  • Dedicated R&D Time: Each core partner will dedicate internal time (at no cost to Compound) to comprehensive Compound protocol analysis. Any supporting partner ultimately enlisted to secure Compound will do the same.
  • Architecture Deep Dive: Systematic study of Compound V3 implementations across all deployment networks.
  • Historical Context Analysis: Review of Compound’s evolution, past security considerations, and governance decisions.
  • Comparative Protocol Analysis: Detailed comparison with other lending protocols to identify Compound-specific security considerations.
  • Coordination with Relevant Stakeholders: The core group will hold interview meetings with relevant stakeholders for additional discussions and knowledge sharing.

III. Operational Readiness Timeline:

  • Pre-Engagement Phase: Complete protocol familiarization using internal R&D resources before the engagement begins in September.
  • Team Cross-Training: Ensure multiple engineers achieve Compound expertise before engagement commencement.
  • Immediate Readiness: Full operational capability from day one of the paid engagement period, with no learning curve impacting Compound’s timeline or budget.

This approach ensures Compound receives immediate expert-level service while benefiting from our investment in protocol expertise, rather than paying for our learning curve.

We will also coordinate a transition plan with OpenZeppelin if our proposal is approved.


1. Scope of Security Work

Scope Overview:

The scope of this proposal spans the full security lifecycle, with a core offering augmented by supporting partners that can be engaged ad hoc. We propose adopting a more flexible approach than usual to provide the most effective security posture, with optionality to cover any security gaps that may surface.

Whereas in the past the Compound DAO has favoured a single-vendor approach, it’s clear the security community is now capable of combining the convenience and efficiency of a single provider with the scalability and breadth of coverage that only a broad base of best-in-class firms can guarantee.

Such a structure is crucial because, to succeed, Compound should go beyond addressing just smart contract and governance risk through code and proposal reviews and monitoring. After all, to boost technical innovation, developing a robust and lasting security culture across the DAO is of the essence.

This unique approach is possible because Immunefi’s vCISO and all partners can coordinate and orchestrate its execution in a frictionless, unified manner. The providers are being integrated in the Magnus platform and share ongoing, formal partnerships which predate and transcend this proposal.

Now let’s analyse the scope in further detail:

I. Core Audit and Review Activities:

  • Smart contract audits for new deployments and protocol upgrades, including formal verification when appropriate.
  • Governance proposal technical reviews and payload/calldata validation.
  • Emergency governance proposal rapid reviews.
  • Token integration and collateral onboarding security assessments.
  • Cross-chain deployment and bridge integration reviews.
  • Protocol upgrade security analysis.

II. Front-End and Off-Chain Systems:

  • Selective front-end security reviews focused on security-sensitive and core functionality, following a clear definition of scope and functionality.
  • Infrastructure penetration testing capabilities, including evaluation of deployment and operational security.
  • Comprehensive evaluation of REST APIs, GraphQL endpoints, and WebSocket connections.
  • Assessment of systems that interact with or support blockchain operations and their interactions with smart contracts.
  • Deep Rust and GoLang expertise in reviewing complex off-chain L1 and L2 systems, encompassing the entire protocol ecosystem beyond smart contracts.

III. Security Advisory and vCISO Services:

  • Dedicated vCISO appointed by the core partners and coordinated by Immunefi with clear ownership of the three workstreams to effectively coordinate the consortium with the DAO.
  • vCISO chairs an internal Security Council, comprising Immunefi, Dedaub, Sigma Prime, and Runtime Verification, which can be potentially upgraded to a standard Compound Security Council.
  • vCISO steers and supervises monthly “Security Townhalls”, bringing together the auditors and key stakeholders to surface issues, align priorities, and discuss potential incidents.
  • Maintains an up-to-date security knowledge base, helping preserve context and insights gained across audit and monitoring cycles through Immunefi’s Magnus on-platform Guardian AI.

IV. Monitoring and Incident Response:

  • 24/7 incident response powered by dedicated Immunefi and Dedaub resources and by the core team’s diverse geographical coverage, with escalation to SEAL 911 if required.
  • Ongoing monitoring with a selection of tools to be decided by the vCISO and the security council after the initial assessment, including Dedaub’s Security Suite, Fuzzland’s Blaz+ and FailSafe.

V. Notable Exclusions and Limitations:

  • Comprehensive front-end UI/UX reviews (security-critical components only).
  • Economic modeling and market simulation (technical security focus).

Multi-Chain Support & Upgrade Expertise:

The Magnus consortium has notable experience across all networks where Compound’s v3 is deployed and anticipates the same for Compound v4. We highlight the following points:

I. Network Experience:

  • Ethereum Mainnet: Deep expertise from Sigma Prime’s Lighthouse consensus client development, Dedaub’s EVM tooling and Immunefi’s EVM BBP and audit competition experience.
  • Layer 2 Networks: Comprehensive experience across Arbitrum, Optimism, Base, Scroll, Polygon, and Mantle.
  • Emerging Networks: Active work with emerging protocols and novel blockchain primitives and architectures through various client engagements.
  • Cross-Chain Architecture: Proven track record with bridge protocols and multi-chain deployments.

II. Protocol Upgrade Expertise:

  • Experience with complex upgrade mechanisms for major DeFi protocols.
  • Comprehensive review of migration logic and state transition safety.
  • Cross-chain consistency verification for synchronized upgrades.
  • Backward compatibility assessment for existing user positions.

III. Staying Current with Emerging L2s:

  • Active participation in L2 security working groups and security councils as described in the general overview section.
  • Strategic partnerships with L2 infrastructure providers.
  • Regular internal training on new virtual machine implementations and research on new developments.

Resource Allocation and Availability:

Resource allocation and availability reflects tried and tested engagements that our core audit partners have already performed. This includes priority audits, continuity protocols, and engaging extra personnel on a per-need basis, to prevent bottlenecks and maximise eyes on the code.

I. Dedicated Team Structure:

  • 2-3 Core Engineers each from Dedaub and Sigma Prime: Dedicated pool of senior security engineers for Compound work available every week as per scoping requirements.
  • Up to 2x 12 Weeks of Engineers for Formal Verification Audits: With 12 months’ access to Runtime Verification’s Cloud-Based Formal Verification Platform for its Kontrol engine, KaaS.
  • 1 Lead: Security manager or firm director with authority to prioritize Compound engagements.
  • Full Team Access: Ability to scale to our partners’ entire security teams for complex reviews.
  • Dedicated vCISO and Internal Security Council: With proven experience and with a role further detailed in this proposal.

II. Bottleneck Prevention:

  • Our structure provides parallel audit capacity for at least 2 simultaneous engagements:
    • Sigma Prime will cross-train team members ensuring coverage during absences.
    • Dedaub is a naturally-elastic audit team, with security engineers typically focused on developing technology and investigating security incidents and so available to join audits as needed to eliminate temporary bottlenecks.
  • Pre-defined rapid scaling procedures for urgent reviews.
  • Flexible internal scheduling with explicit Compound prioritization authority.

III. Context and Continuity Preservation:

  • Dedicated senior security engineers with the vCISO managing a custom Compound knowledge base and documentation system on Guardian AI on the Immunefi Magnus platform.
  • Structured team rotation maintaining multiple experts, with at least one engineer with prior experience with Compound protocol.
  • Assurance that at least one dedicated Compound auditor can be available for any short-deadline engagement.
  • Comprehensive handoff procedures, historical tracking and regular internal training.
  • Communication and oversight with monthly all-hands meetings with the core partners, supervised by our partners’ founding teams, for the context of our entire corps of auditors.
  • Quarterly performance reports on Compound’s governance forum.

Additional Services and Tools:

Beyond the core scope of audits, monitoring, vCISO services and incident response, we also provide the following services free of charge:

I. Initial Assessment Phase:

  • As explained in the rapid protocol familiarization strategy outlined in section 0.

II. Governance Participation:

  • Regular participation in Compound governance calls and community discussions.
  • Public security education content for the Compound community.
  • Advisory input on security-impacting governance proposals and security-council-level advising/consulting.

III. Training and Knowledge Transfer:

  • Security best practices workshops for Compound contributors.
  • Developer security training for teams building on Compound.
  • Documentation of security guidelines for common integration patterns.
  • Building and maintaining a public Compound security knowledge base on Immunefi’s website focused on providing security researchers with updated education materials.

Additionally, we have negotiated preferential terms with the providers below, which offer additional services that we deem relevant to Compound’s DAO. The vCISO will have a budget to be able to implement some of these recommendations after the initial assessment phase. Other services will remain available to the DAO when necessary, and can be activated cohesively within the setup of SSP execution within the Immunefi Magnus platform.

IV. ChainPatrol’s Support Services:

  • 24/7 automated brand and reputation threat detection.
  • Blocking at wallet and browser with unlimited domain and social platform takedowns.
  • Team / stakeholder protection with dedicated brand protection staff.
  • Blocklist integrations and reporting brands.
  • Worked with Compound in the past and is ready to support re-activating Compound’s X account.

V. OpSek’s Support Services:

  • Operational security audits on Compound’s infrastructure.
  • Operational security audits and OSINT research on key members and stakeholders.
  • Security awareness training and physical security training and preparation ahead of travel.
  • Dedicated operational security point of contact with dedicated channel and office hours.

VI. Shield3’s Support Services:

  • Protocol threat modelling and risk assessment, including:
    • Proactive assessments prior to major upgrades or new deployments.
    • Control surface analysis and access control recommendations.
  • Incident response training via custom tabletop exercises, testnet simulations and live drills including development and maintenance of incident response playbooks.
  • Development of custom monitoring tooling for protocol deployment oversight.

VII. Complimentary Access to the Immunefi Magnus platform:

  • The Immunefi Magnus platform integrates automated tooling from Runtime Verification, Fuzzland, FailSafe and ChainPatrol within the unified SecOps setup and is used by the vCISO and by the core teams to manage the engagements and the various tooling offers.
  • The Compound team will be able to add as many members as required to its Compound account on the Magnus platform. In addition to enhancing the coordination between the security providers and the Compound team, users will also have access to:
    • Codexa: Intelligence from the most comprehensive dataset of blockchain vulnerabilities, powering a set of SecOps automations to accelerate response and improve monitoring.
    • Radar: Radar will continuously monitor eligible assets for new smart contracts and flag them instantly, enabling one-click program updates with zero manual set-up.
    • Guardian: An AI-powered security copilot backed by Codexa, which can be privately trained on Compound’s unique infrastructure if desired.
  • Lastly, Compound’s ongoing Bug Bounty Program with Immunefi will also be managed from within Magnus, benefiting from various automations which can be leveraged by the SSP team.

2. Technical Methodology and Audit Process

Audit Methodology and Workflow:

Our audit methodology combines components from our core audit partners. Each has a particular process for code reviews and this coordinated approach strengthens the audit methodology. The coordination by the vCISO and the internal Security Council has been designed to retain context in between assignments. Lastly, the possibility for independent, parallel audits reduces blind spots:

  • Together with technical requirements stemming from key stakeholders within the Compound DAO and from its main development team and contributors, the vCISO will allocate audits between Dedaub and Sigma Prime, in coordination with the Security Council, aiming for an even split while ensuring allocations are impartial and based on the best fit for each code review.
  • Whenever relevant, the vCISO will also recommend formal verification audits with Runtime Verification. In this proposal we’re not only including access to KaaS, Kontrol’s delivery platform, but also sufficient Runtime Verification engineering time to handle the formal verification engagement process throughout 12 months.
  • As mentioned in the previous section, to further ensure context is shared between audits, the core group will engage in monthly “Security Townhalls” to foster direct collaboration between the teams responsible for different engagements. Additional meetings may be held on demand.
  • Moreover, given that partners are integrated into the Immunefi Magnus platform, the vCISO and the auditors will be able to manage assignments through it and maintain an up-to-date security knowledge base through its Guardian AI to aid context preservation across engagements.

Now let’s expand on the methodologies of each audit partner:

I. Dedaub — Audits:

Dedaub’s Security Audit teams comprise at least two senior security researchers, as well as any support they may need (e.g., cryptography expertise, financial modeling, testing) from the rest of the team. It carefully matches the team’s expertise to the audit project’s specific nature and requirements. Dedaub auditors conduct a meticulous, line-by-line review of every contract within the audit scope, ensuring that each researcher examines 100% of the code. There is no substitute for deep understanding of the code and its context, forming a thorough mental model of its interactions and correctness assumptions. Reaching this level of understanding is the goal of any Dedaub audit.

To achieve this, Dedaub employs strategies such as:

  • Two-phase review: During phase A, auditors understand the code in terms of functionality, i.e., in terms of legitimate use. During phase B, auditors assume the role of attackers and attempt to subvert the system’s assumptions by abusing its flexibility.
  • Constant challenging between the two senior auditors: The two auditors will continuously challenge each other, trying to identify dark spots. An auditor who claims to have covered and to understand part of the code is often challenged to explain difficult elements to the other auditor.
  • Thinking at multiple levels: Beyond thinking of adversarial scenarios in self-contained parts of the protocol, the auditors explicitly attempt to devise complex combinations of different parts that may result in unexpected behavior.
  • Use of advanced tools: Every project is uploaded to the Dedaub Security Suite for analysis by over 70 static analysis algorithms, AI, and automated fuzzing. Dedaub maintains its own fork of the ItyFuzz tool; all other tools are custom, leveraging Dedaub’s extensive expertise in program analysis research. Auditors often also write and run manual tests on possible leads for issues.

Dedaub’s auditors also identify gas inefficiencies in smart contracts and offer cost optimization recommendations. We thoroughly audit integrations with external protocols and dependencies, such as oracle services, to ensure they align with intent and specifications.

The audit methodology and workflow can be consulted in detail at Dedaub’s documentation page.

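Payload and calldata validation is listed above among the core review activities (section 1.I), and it is the one check a delegate most often wants to reproduce independently before voting. The following is an added example, not tooling from Immunefi, Dedaub, Sigma Prime or Runtime Verification: it takes one proposal action in the form Compound’s Governor hands to the Timelock (target, value, signature, calldata), rebuilds the exact bytes the Timelock will execute (an empty signature means the calldata is the raw call; otherwise the 4-byte selector of the signature string is prepended), decodes the static arguments, and flags the mistakes such reviews catch in practice: an unknown target, an unexpected entrypoint, a selector accidentally included twice, and dirty upper bytes in an address word. The allowlist, addresses and sample proposal data are constructed placeholders, and the selector is computed with an embedded pure-Python Keccak-256 so the script runs with no dependencies.

```python
# Added example, not tooling from Immunefi or any consortium partner. Rebuilds the
# call a Compound-style Timelock makes from one proposal action and lints it.
# Timelock rule relied on: empty signature -> data is the raw call; otherwise
# call = bytes4(keccak256(signature)) ++ data. All sample values are placeholders.

MASK64 = (1 << 64) - 1
_RC = [  # Keccak-f[1600] round constants
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
        [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]  # rho offsets, indexed [x][y]

def _rol(v, n):
    return ((v << n) | (v >> (64 - n))) & MASK64

def _keccak_f(a):  # a[x][y] is a 5x5 grid of 64-bit lanes
    for rc in _RC:
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = _rol(a[x][y], _ROT[x][y])
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & MASK64 & b[(x + 2) % 5][y])
              for y in range(5)] for x in range(5)]
        a[0][0] ^= rc
    return a

def keccak256(data: bytes) -> bytes:
    """Ethereum Keccak-256 (0x01 padding, unlike SHA3-256's 0x06), pure Python, no deps."""
    rate = 136
    msg = bytearray(data) + b"\x01"
    msg += b"\x00" * (-len(msg) % rate)
    msg[-1] |= 0x80
    a = [[0] * 5 for _ in range(5)]
    for off in range(0, len(msg), rate):
        for i in range(rate // 8):
            a[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        a = _keccak_f(a)
    return b"".join(a[i % 5][i // 5].to_bytes(8, "little") for i in range(4))

def _decode_static_args(types, data):
    """Decode head-only ABI words (address/uint256); returns (values, issues)."""
    issues, values = [], []
    if len(data) != 32 * len(types):
        issues.append(f"calldata is {len(data)} bytes, expected {32 * len(types)} for {types}")
    for i, t in enumerate(types):
        word = data[32 * i:32 * i + 32]
        if len(word) < 32:
            break
        if t == "address":
            if any(word[:12]):  # upper 12 bytes must be zero; dirty bits hide a mismatch
                issues.append(f"arg {i}: address word has dirty upper bytes")
            values.append("0x" + word[12:].hex())
        elif t == "uint256":
            values.append(int.from_bytes(word, "big"))
        else:
            issues.append(f"arg {i}: type {t} not handled here, decode by hand")
            values.append(word.hex())
    return values, issues

def review_action(target, value, signature, data, allowlist):
    """Lint one (target, value, signature, calldata) tuple against
    allowlist = {target: {expected signatures}}; returns the effective call and findings."""
    issues, target = [], target.lower()
    if target not in allowlist:
        issues.append(f"target {target} is not a known Compound contract")
    elif signature and signature not in allowlist[target]:
        issues.append(f"{signature} is not an expected entrypoint on {target}")
    if value:
        issues.append(f"action sends {value} wei; confirm the target is payable and this is intended")
    if not signature:  # raw call: the executor forwards data untouched, selector is inside it
        issues.append("empty signature: raw calldata, decode the leading selector by hand")
        return {"call": data.hex(), "args": [], "issues": issues}
    selector = keccak256(signature.encode())[:4]
    if data[:4] == selector and len(data) % 32 == 4:
        issues.append("calldata already carries the selector; Timelock will prepend it again")
    types = signature[signature.index("(") + 1:-1]
    values, arg_issues = _decode_static_args(types.split(",") if types else [], data)
    return {"call": (selector + data).hex(), "args": values, "issues": issues + arg_issues}

# Constructed sample proposal (placeholder addresses, not mainnet deployments).
COMPTROLLER = "0x" + "c0" * 20
CTOKEN = "0x" + "22" * 20
ALLOWLIST = {COMPTROLLER: {"_setCollateralFactor(address,uint256)", "_setPauseGuardian(address)"}}
SIG = "_setCollateralFactor(address,uint256)"
GOOD_DATA = bytes(12) + bytes.fromhex(CTOKEN[2:]) + (75 * 10**16).to_bytes(32, "big")  # 0.75e18
GOOD_ACTION = (COMPTROLLER, 0, SIG, GOOD_DATA)
DIRTY_ACTION = ("0x" + "ee" * 20, 0, SIG, b"\xff" + GOOD_DATA[1:])  # unknown target, dirty word
DOUBLE_SELECTOR_ACTION = (COMPTROLLER, 0, SIG, keccak256(SIG.encode())[:4] + GOOD_DATA)

def review_proposal(actions, allowlist=ALLOWLIST):
    """Review every action; a proposal is clean only if no action raised an issue."""
    return [review_action(*action, allowlist) for action in actions]
```

Calling `review_proposal([GOOD_ACTION, DIRTY_ACTION, DOUBLE_SELECTOR_ACTION])` returns one finding list per action: the first comes back empty, the second reports the unknown target and the dirty address word, and the third reports the selector that would be prepended twice (plus the resulting length mismatch). The double-selector case is worth keeping in mind when reading a proposal by eye, since the calldata looks plausible in isolation and only fails once the Timelock builds the real call. A production version of this check would extend the allowlist from the actual deployment registry and add dynamic ABI types.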

Immunefi Magnus Security Proposal

Powered by Dedaub, Runtime Verification and Sigma Prime

2/2


(…)

Dedaub’s Track Record:

Dedaub’s public audit reports demonstrate several critical vulnerabilities uncovered. Dedaub’s work on vulnerabilities that it discovered in the wild or helped mitigate (with calculation of impact/blast radius and participation in war rooms) also received extensive coverage. Notable examples include:

Many more instances can be found in Dedaub’s online articles. Overall, Dedaub has received at least 11 large bug bounties, totalling over $3M in direct bounties, as well as several million in indirect rewards in the form of work commissions, for vulnerabilities in deployed code.

Dedaub is a regular participant in war rooms and maintains excellent connections to the overall security researchers community — a community that heavily relies on the Dedaub tools.

In terms of a client impacted post-audit, the foremost (and, effectively, the only) example is Liquity v2. A highly-involved, numerical-stability-based vulnerability was discovered post-audit (the code was audited by Dedaub and Chainsecurity). Dedaub assisted the Liquity team throughout the process of determining the root cause and updating the codebase, with extensive communication for months.

Tellingly, as to the complexity of the issue, it took about two weeks after discovery of the broken invariant for the Liquity development team and its auditors to reach a decision on which part of the code is faulty and how it should be updated. Additionally, Dedaub put in place monitoring machinery to receive alerts on the threat to the deployed version of the contracts. Finally, Dedaub subsequently audited the updated code and monitored the redeployment. It remains a close and committed partner of Liquity, with ongoing, continuous communication.

II. Runtime Verification — Formal Verification Audits:

Runtime Verification offers Kontrol, an open-source formal verification engine purpose-built for Ethereum smart contracts. Kontrol integrates directly with Foundry and allows protocol invariants to be written as Solidity-style proofs that look and feel like standard tests, making them easy to review, maintain, and extend by developers inside or outside Runtime Verification.

Once key invariants are established, they can be reused and automatically re-run on each DAO proposal that modifies smart contracts. Kontrol proofs can be run in CI using the KaaS dedicated compute infrastructure, requiring minimal engineering effort from the DAO to gain high assurance that governance changes preserve critical properties.

This turns formal verification into a living security layer, reinforcing DAO upgrade safety over time without bottlenecking developer velocity. Here’s a more thorough overview of the engagement process:

  1. Pre-Audit Readiness Check: Confirm audit readiness and gather all the needed access
  2. Kickoff Call: Align on the audit methodology, plan, scope, and deliverables
  3. Engagement Execution: Design review, code and invariant analysis, tooling setup, and optional formal verification
  4. Ongoing Communication: Async using Slack, Discord or Telegram + weekly updates to track progress
  5. Final Report Delivery: Full report with findings, insights, and guidance
  6. Fix Review Window: 2 weeks of focused fix validation support

Lastly, note the vCISO will allocate formal verification audits to Runtime Verification as deemed appropriate throughout the 12 months. The proposal includes a separate budget to accommodate this.

III. Sigma Prime — Audits:

Sigma Prime’s audit methodology is specifically adapted to address complex DeFi protocols such as Compound, sharing Dedaub’s core philosophy of deep protocol understanding.

  • 70% of the effort is allocated to manual review, which includes thorough architecture analysis, threat modeling, and critical path analysis for supply/borrow/liquidation flows. This manual component also covers access control validation, interest rate model verification, and risk parameter validation logic specific to Compound’s governance and economic mechanisms.
  • 5% of the effort is allocated to automated analysis using industry-standard tools including Slither, Mythril, and Aderyn, along with dependency vulnerability scanning to identify potential security issues efficiently. This automated process allows Sigma Prime’s security engineers to focus on the complex protocol-specific logic that requires human expertise.
  • 25% of the effort is focused on Foundry and fork testing, developing comprehensive test suites using Foundry and conducting fork testing against mainnet state to validate real-world behavior. This includes integration testing of market interactions, stress testing liquidation mechanisms under extreme market conditions, fuzzing (where applicable), property-based testing for interest rate calculations, and simulation of edge cases and attack vectors specific to Compound’s architecture.

This methodology is particularly well-suited for Compound because Foundry unit testing helps cover niche edge cases that are common in complex lending protocols, while fork testing ensures proper integration with third-party protocols and governance contracts. Manual review remains the largest component as it’s essential for covering economic risk parameters, configuration options, access control including granular permissions, and DAO interactions that are critical to Compound’s security posture.

Automated analysis tools accelerate Sigma Prime’s ability to identify low-hanging fruit and Solidity-specific bugs, allowing its engineers to focus on the most critical aspects of the protocol — economic mechanisms, governance systems, and complex state transitions that define Compound’s core functionality.

Let’s dive deeper into these areas. To start, Sigma Prime’s manual review process focuses on:

  • Protocol Logic Analysis: Deep dive into the economic and governance mechanisms to understand intended behavior and identify edge cases where the protocol might behave unexpectedly.
  • Attack Vector Identification: Systematic analysis of potential attack surfaces including:
    • Governance manipulation vectors.
    • Economic incentive misalignments.
    • State transition vulnerabilities.
    • Cross-contract interaction risks.
    • Timing and ordering dependencies.
  • Vulnerability Chaining: Connecting seemingly minor issues to demonstrate critical impact through multi-step attack scenarios.
  • Code Flow Tracing: Manual tracing of execution paths to identify logic flaws that automated tools typically miss.

While human expertise drives Sigma Prime’s process, it also leverages automated tools strategically:

  • Static Analysis Tools: Used to identify common vulnerability patterns and code quality issues, serving as a foundation for deeper manual investigation.
  • Custom Fuzzers: Developed specifically for each engagement to test protocol-specific invariants and edge cases.
  • Linters and Code Quality Tools: Employed to catch low-hanging fruit and ensure code follows best practices, including readability and maintainability.
  • Automated Testing Frameworks: Used to verify findings and create regression tests.

Furthermore, its team specializes in identifying complex governance and economic vulnerabilities through:

  • Incentive Mechanism Analysis: Evaluation of tokenomics, reward structures, and penalty systems for exploitable imbalances.
  • Governance Process Review: Assessment of voting mechanisms, proposal systems, and administrative functions for manipulation vectors.
  • Economic Model Stress Testing: Analysis of protocol behavior under extreme market conditions and adversarial scenarios.

Lastly, to optimise coverage and mitigate blind spots, Sigma Prime focuses on:

  • Comprehensive Scope Mapping: Detailed analysis of all in-scope components and their interactions.
  • Test Coverage Analysis: Review of existing test suites to identify gaps and untested edge cases.
  • Cross-Contract Interaction Testing: Focus on complex interactions between different protocol components.
  • Integration Testing: Assessment of how the protocol integrates with external systems and dependencies.

As for the workflow, here’s an overview of the key steps:

  1. High-Level Scoping: Initial assessment of the engagement scope, timeline, and complexity to determine resource allocation.
  2. Engineer Assignment: Strategic assignment of relevant engineers based on their experience, skills, and the specific requirements of the components being audited.
  3. Engagement Kickoff: Formal commencement of the audit with internal team briefing and initial setup.
  4. Walkthrough Meeting: Collaborative session with the client’s developers to understand the system architecture, intended behavior, and specific areas of concern. This is particularly crucial for larger engagements.
  5. Documentation Review: Comprehensive review of all available documentation, specifications, and architectural diagrams.
  6. Automated Testing Phase: Deployment of static analysis tools, linters, and automated testing frameworks to identify common issues and establish baseline security posture.
  7. Manual Testing and Analysis: Deep manual review leveraging internal playbooks, work programs, and team expertise. This includes:
    1. Protocol logic analysis.
    2. Attack vector identification.
    3. Vulnerability chaining.
    4. Proof of concept development.
  8. Collaborative Review: Continuous communication within the audit team and with Compound, utilizing private GitHub repositories and internal issue tracking for progress management.
  9. Reporting Phase: Comprehensive documentation of findings with detailed explanations, impact assessments, and remediation recommendations.
  10. Quality Assurance: Multi-phase internal review process to ensure accuracy and completeness.
  11. Retesting: Verification of implemented fixes to ensure they mitigate the underlying root causes and don’t introduce new vulnerabilities.

Sigma Prime’s technical writing can be found on their blog, and the public audit repository on GitHub.

Deliverables and Communication:

These items have been harmonized across the Magnus consortium as follows:

I. Report Format and Deliverables

Our auditors will deliver a comprehensive final report for each engagement, with detailed documentation of all findings and the following sections:

  • Executive summary.
  • Protocol-level considerations (i.e., design comments that can be argued to be intentional).
  • Detailed vulnerability descriptions.
  • Risk severity classifications.
  • Remediation recommendations.
  • Centralization concerns (if applicable).
  • Appendices with technical details (if applicable).

Whenever applicable, we’ll also provide Compound with additional outputs:

  • Supplementary Test Suite: Working proof-of-concept exploits and additional test cases that can be integrated into the Compound’s existing test infrastructure to extend coverage and prevent regression.
  • Custom Fuzzers: Where relevant, Sigma Prime will also deliver specialized fuzzing tools developed during the engagement at no additional cost.
  • Specialized Kontrol Proof Suite: Where appropriate, Foundry-compatible Kontrol proofs will be provided for optional integration with Compound’s CI infrastructure to prevent regression of critical protocol properties.

II. Severity Classification System

Our severity classification follows industry standards while accounting for protocol-specific risk factors:

  • Critical: Issues that can lead to significant financial loss, protocol failure, or complete system compromise.
  • High: Vulnerabilities that can cause substantial impact but may require specific conditions or user actions.
  • Medium: Issues that pose moderate risk or could be combined with other vulnerabilities for higher impact.
  • Low: Minor issues that should be addressed but pose limited immediate risk.
  • Informational: Best practice recommendations and code quality improvements.

III. Communication and Transparency

To ensure smooth coordination among all involved parties, the Magnus consortium will provide:

  • Continuous Progress Updates: During the course of an audit (including fix review and up to several weeks later), we establish an open instant-communication channel with developers, for regular clarifications and communication of preliminary findings. With this in mind, for mature development groups, such as Compound, communication may be less frequent, given the high level of unspoken understanding and overall high quality of documentation and process.
  • Informal Fix Guidance: Fix guidance is not included in the audit report but in the informal communication channel, so that the auditors can recommend solutions spontaneously and iteratively with the developers.
  • Ad-hoc High-Risk Notifications: Immediate communication of critical and high-severity vulnerabilities as soon as they are discovered, regardless of the weekly update schedule.
  • Draft Report Sharing: Ability to share draft reports early in the process if needed for urgent decision making.
  • Public Reporting Policy: All reports can be made public upon client request. We always seek explicit permission and follow the client’s preferences regarding public disclosure.

Quality Assurance:

The Magnus consortium maintains rigorous internal QA processes with a three-phase process:

  • Phase 1 - Manager Review: Initial review by the lead auditor focusing on:
    • Technical accuracy of findings.
    • Completeness of vulnerability descriptions.
    • Appropriateness of severity ratings.
    • Quality of remediation recommendations.
  • Phase 2 - Director Review: Intermediate review by the respective security firm director ensuring:
    • Strategic alignment with Compound’s needs.
    • Consistency with auditing standards.
    • Final approval of risk classifications.
    • Overall report quality and professionalism.
  • Phase 3 - vCISO Review: Final review by the vCISO to ensure:
    • Contextual relevance of the findings in the context of the overall SSP work.
    • Continuity and alignment between engagements.

The vCISO will also foster a collaborative approach between partners and stakeholders, focused on:

  • Internal Team Collaboration: Continuous knowledge sharing and peer review within audit teams throughout the engagement.
  • Collaboration with Compound: Regular interaction with Compound’s development teams (currently Woof) to ensure thorough understanding of protocol intentions and constraints.
  • Progress Tracking: Systematic capture of progress and review status using private GitHub repositories and internal issue management systems.

And to ensure the Magnus consortium’s work evolves, hopefully over the years, the vCISO will promote the following continuous improvement activities within the various partners:

  • Post-Engagement Review: Internal assessment of each audit to identify process improvements and team learning opportunities.
  • Methodology Evolution: Regular updates to each of the core partners’ playbooks and work programs based on emerging threats and industry developments.
  • Team Development: Ongoing training and skill development to maintain each firm’s position at the forefront of protocol security.

3: Risk Management and Incident Response

Vulnerability Triage & Disclosure:

The Magnus consortium’s process for handling discovered vulnerabilities follows the best practices and standard policies that have been battle-tested by the core partners in multiple scenarios while working with some of the most demanding protocols in the industry. It is predicated on ongoing communication with relevant stakeholders through proper, secure channels that will be defined in the initial assessment phase.

The process includes immediate escalation after discovery and confirmation if a high-risk vulnerability is discovered in the context of a code review, and escalation as per the SLAs described in the proposal if a vulnerability is discovered in other contexts. These secure channels will be handled by the vCISO and by Immunefi’s incident response support team, which works on a 24/7 basis.

Public disclosure is coordinated by all partners and only happens after successful remediation and with Compound’s approval, something that will also happen in close cooperation with the relevant teams and the vCISO, who will assist in the mitigation review and in the post-mortem, if applicable. These fixes may also be subject to additional audits and, if an abnormal number of vulnerabilities is detected, the vCISO may recommend another code review with the security firm that wasn’t involved in the original audit.

Due to the diverse composition of the partners and the ability to tap into the expanded talent pools of the security firms engaged in this process, it’s unlikely that work would have to be halted to focus on a critical vulnerability, but that remains a possibility that will be handled on a case-by-case basis.

Incident Response Support:

Dedaub will provide incident response support for the proposed engagement, assisted — in terms of initial warning and first escalation — by the vCISO and Immunefi’s incident response support team, which operates at 24/7 capacity and includes triagers who have already been working with Compound’s Bug Bounty Program since it launched in December 2024.

Dedaub is often involved in high-value incident response, with excellent connections to the entire security community, participating in multiple war rooms, and having assisted in very large rescues. Even this week Dedaub published a deep dive into a major attack that was mitigated with well-coordinated war room efforts, in collaboration with SEAL, the Security Alliance.

Given Compound’s positioning, we recommend that most incident response cases should involve SEAL 911, the emergency response unit of the Security Alliance. This is the highest-skilled set of people worldwide, with the best connections to exchanges, stablecoin issuers, and law enforcement. The collective talent of SEAL 911 surpasses that of any individual security organization, since it integrates the very best of the community.

At the same time, having dedicated support personnel for incident response is important. First, not all incident response cases can or should involve SEAL 911: there may be very protocol-specific considerations, unusual privacy concerns, or simply insufficient clarity about the nature and severity of an evolving threat. Additionally, SEAL 911 has finite resources, being staffed by volunteers.

Having dedicated Dedaub personnel that can closely integrate with SEAL 911, as effectively done several times in the past, is therefore our recommended incident response plan under present conditions.

Continuous Monitoring & Threat Detection:

Post-deployment, monitoring and real-time alerting are important tools for mitigating live incidents. An attack (or inadvertent anomalous execution) that can result in monetary loss is often not atomic, therefore its impact can be minimized by early detection.

To address this need, Dedaub provides a powerful and flexible monitoring infrastructure based on DedaubQL, a domain-specific query language modeled after SQL. DedaubQL allows for expressive, declarative monitoring rules written directly against a condensed blockchain database — a high-performance, semantically enriched data layer that integrates historical transaction data, live blockchain node access, and Dedaub’s own static analyses and machine learning-based vulnerability classifiers.

This approach enables the monitoring and incident response team to define critical monitoring targets as precise queries over execution traces, state changes, or user-defined invariants. These targets are developed iteratively: key monitors can be identified during audits and extended over time as protocols evolve, ensuring that monitoring keeps pace with contract upgrades and newly surfaced risks.

I. Example Monitoring Capabilities with DedaubQL

DedaubQL supports advanced monitoring constructs that make complex security and behavior checks straightforward to express:

  • Detecting whether a liquidation would fail due to insufficient liquidity or stale price feeds.
  • Watching for cross-chain message inconsistencies or suspicious bridging patterns.
  • Triggering alerts when contract state changes violate expected invariants (e.g., TVL drops, pool misconfigurations).
  • Alerting when a suspicious party (as defined by any of a number of classifiers, also including human tags and fund provenance) interacts with the protocol.
  • Identifying when new pools or vaults are deployed and automatically verifying their asset compatibility using Dedaub’s static analyzers and token behavior classifiers.
  • Monitoring interactions across forks or during reorg scenarios by querying both live and simulated block states.

The above capabilities, adapted to be better applicable to the specific needs of Compound, should help paint the picture of how monitoring is an important asset for a protocol’s security.

Because Dedaub’s monitoring operates at the query layer, integrating all layers of insight — on-chain data, contract semantics, and execution context — it supports arbitrarily complex monitoring logic while remaining transparent and auditable.

II. Integration and Alerting

Monitoring rules written in DedaubQL can route alerts to any desired destination, including Slack, Telegram, Webhooks, or custom dashboards. Moreover, Dedaub supports integrations with incident response systems such as PagerDuty, enabling escalation workflows when critical conditions are met.

This creates a seamless bridge between the development, audit, and operational security teams.

III. Monitoring Augmentation with the Supporting Partners

To complement DedaubQL’s monitoring capabilities, after the initial assessment phase the monitoring and incident response team has the budget to select an additional monitoring provider from the two alternatives already integrated in the Immunefi Magnus:

  • Fuzzland’s Blaz+ Suite: Provides continuous, 24/7 on-chain penetration testing using advanced fuzzing, AI, and formal verification techniques to identify vulnerabilities in smart contracts. It also delivers real-time alerts for any abnormal activities or potential threats detected in smart contracts, enabling swift responses to mitigate risks and can optionally act proactively by analyzing the mempool to identify and intercept potential threats, employing strategies like front-running and back-running to neutralize malicious transactions before they can cause harm.
  • FailSafe: The FailSafe Risk Platform tracks every transaction in real time, offering complete visibility into internal transactions, external calls, and events emitted, and does not require any code adjustments or upgrades to contracts. FailSafe’s monitoring system will relay real-time alerts sent directly to our team’s preferred messaging channels. When a rule is violated or a risk is detected, it can trigger an immediate response such as pausing the contracts, moving funds to a secure location and unwinding positions.

4: Commercial Terms and Commitment

Budget Request and Pricing Model:

Contacts and the private pricing proposal are being submitted to the Foundation via the RFP form as a flat annual fee with additional options as detailed here.

The Magnus consortium agrees to a continuous streamed payment setup and acknowledges DAO rights to terminate with 60-day notice.

Milestones and Performance Metrics:

We propose the following performance metrics:

I. Quantitative KPIs:

  • Audit Delivery: All standard audits commence within 5 days of request, delivered on average within 3 to 4 weeks of code readiness (scope size and complexity dependent).
  • Governance Reviews: All proposal reviews completed within 48 hours of request.
  • Critical Issue Response: Critical vulnerabilities triaged within 8 hours.
  • Engagement SLA: Begin hands-on work within 5 business days of request.

II. Quality and Engagement KPIs:

  • Security Outcomes: No known exploitation of code that has been reviewed.
  • Community Engagement: Participate in all governance calls with security-related segments.
  • Internal Reporting: Monthly security check-ins with key stakeholders summarising engagements carried out for the month. Written weekly progress updates on all ongoing engagements provided to development teams.
  • Knowledge Transfer: Quarterly security workshops for relevant Compound contributors.
  • Public Reporting: We commit to quarterly public progress reports and security insights relevant to the Compound community, while maintaining appropriate confidentiality for sensitive findings.

Conflict of Interest Declaration:

The Magnus consortium maintains the highest standards of confidentiality, independence, and operational security. All partners have established protocols for handling multi-client relationships and confidentiality commitments, which include:

  • Strict information barriers between client engagements.
  • Willingness to sign additional NDAs as required.
  • No discussion of competitive intelligence or business strategies.
  • Secure communication channels and data handling policies.

Given these strict practices, Magnus consortium partners may still:

  • Work with multiple DeFi protocols simultaneously.
  • Provide expertise with similar protocols benefitting security outcomes without compromising confidentiality.
  • Engage in knowledge transfer solely focused on security patterns and vulnerability prevention.

As for particular disclosures, the security partners disclose that:

  • Immunefi runs BBPs for Compound competitors such as AAVE and Morpho.
  • Sigma Prime maintains ongoing relationships with prominent protocols such as Chainlink, Polygon and EigenLayer.
  • Dedaub has an ongoing relationship with Chainlink (formalized in retainer agreement), Liquity, and EigenLayer.

In all cases, we believe these relationships don’t pose material conflicts and enhance our security expertise, as our focus remains exclusively on technical security matters.

Transition and Offboarding Plan:

The Magnus consortium partners have been building their reputations for years and are incentivised to honor and promote the continuity of any work that they may come to develop with Compound, be it at the end of any 12-month period or if the DAO exercises its right to terminate after a 60-day notice.

As a standard practice, all relevant knowledge is documented to ensure a smooth transition at any time:

I. Continuity Assurance:

  • Comprehensive knowledge documentation repository maintained throughout engagements in the Immunefi Magnus platform, including a complete record of security findings and resolutions.
  • Structured handoff procedures for incoming security providers are also facilitated by the tooling embedded in this proposal, with maintainable fuzzing and formal verification tests written in Solidity for seamless updates and extensions by future security providers or developers.

II. Transition plan:

  • Immediate availability of all relevant documentation, including complete findings reports.
  • Knowledge transfer sessions with incoming providers.
  • Continued advisory support during transition period if requested.

5: Service Level Expectations (SLA)

Incident Response and vCISO support:

  • 24/7 coverage: Immediate triage and escalation through the defined channels, including PagerDuty.
  • vCISO support: On-demand support from the vCISO within one business day and 2 hours for any urgent support needed during the week.
  • vCISO backup: Members of the internal Security Council will step up in case of absence of the vCISO, benefitting from the broad geographical coverage of the consortium partners.

Governance Proposal Reviews:

  • Standard Turnaround: 48 business hours maximum from proposal submission.
  • Urgent Proposals: Same-day (24 hours) review capability for critical proposals.
  • Communication: Findings delivered via secure channels with clear severity classification.
  • Community Updates: Public security assessment summaries when appropriate.

Audits:

- Scheduling Lead Time:

  • We commit to readiness to commence all standard audits within 5 days of receiving the request.
  • However, to ensure optimal resource allocation and planning, we kindly request, where possible, 2 to 4 weeks notice for scheduling standard audit engagements.

- Turnaround Times:

  • Small audits (1-2 person-weeks): 1-2 weeks delivery.
  • Medium audits (3-5 person-weeks): 2-3 weeks delivery.
  • Large audits (6+ person-weeks): 3-6 weeks delivery.
  • Emergency reviews: 24-48 hours for critical security issues.

- Report Standards:

  • Comprehensive security assessment with severity classifications.
  • Detailed remediation guidance and fix verification.
  • Public or private delivery as requested by Compound.
  • Follow-up review support for identified findings.

Final Considerations

The Immunefi Magnus consortium is more than the sum of its parts.

It is composed of creators and maintainers of critical Ethereum infrastructure and security tooling. It includes long-term contributors to the DeFi security ecosystem across multiple chains, with a proven track record and the elastic capacity to scale engagements. And it is led by individuals who care about the future of innovative, open projects that aim to reshape and improve the way our financial world works.

Our overarching goal is to deliver security that compounds. For that, we’ve carefully crafted a proposal around the concept that robustness is a foundation for growth. We’re ready to be your security companion and are happy to answer any questions. The time to accelerate is now.

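
An added example, not code from the Magnus proposal or from any of its partners, of the kind of Solidity-style property that the Runtime Verification section above describes for Kontrol and that the Sigma Prime section describes as Foundry property-based testing of interest rate calculations: a hypothetical kinked borrow-rate model (loosely modelled on the shape of lending-protocol rate curves, not on any Compound contract) with Foundry tests that fuzz the properties and that Kontrol can re-check symbolically for all inputs. The contract, its parameters and the test names are constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Hypothetical kinked interest rate model, written for this example only.
/// Rates and utilization are fixed-point numbers scaled by 1e18 (WAD).
contract KinkRateModel {
    uint256 public constant WAD = 1e18;
    uint256 public immutable baseRate;  // rate at 0% utilization
    uint256 public immutable slopeLow;  // rate increase per unit utilization below the kink
    uint256 public immutable slopeHigh; // rate increase per unit utilization above the kink
    uint256 public immutable kink;      // utilization at which the slope changes

    constructor(uint256 base, uint256 low, uint256 high, uint256 kinkUtil) {
        require(kinkUtil <= WAD, "kink above 100%");
        baseRate = base;
        slopeLow = low;
        slopeHigh = high;
        kink = kinkUtil;
    }

    /// utilization = borrows / supply, capped at 100% so that a bad-debt state
    /// (borrows > supply) cannot push the rate past the model's ceiling.
    function utilization(uint256 supply, uint256 borrows) public pure returns (uint256) {
        if (supply == 0) return 0;
        if (borrows >= supply) return WAD;
        return borrows * WAD / supply;
    }

    /// Piecewise-linear borrow rate; both pieces agree exactly at util == kink.
    function borrowRate(uint256 util) public view returns (uint256) {
        if (util <= kink) {
            return baseRate + slopeLow * util / WAD;
        }
        return baseRate + slopeLow * kink / WAD + slopeHigh * (util - kink) / WAD;
    }
}

/// Properties a governance proposal that changes slopes or the kink must preserve.
/// `forge test` fuzzes them; Kontrol (`kontrol build`, then `kontrol prove`) runs the
/// same functions symbolically, so every `vm.assume`-admitted input is covered.
contract KinkRateModelProofs is Test {
    uint256 constant WAD = 1e18;
    KinkRateModel model;

    function setUp() public {
        // Constructed parameters: 0 base, 4% slope below an 80% kink, 60% slope above it.
        model = new KinkRateModel(0, 0.04e18, 0.6e18, 0.8e18);
    }

    /// Concrete regression check: 3.2% at the kink, 15.2% at full utilization.
    function testKnownPoints() public {
        assertEq(model.borrowRate(0.8e18), 0.032e18);
        assertEq(model.borrowRate(WAD), 0.152e18);
    }

    /// The rate never decreases as utilization rises (integer floor preserves this).
    function testRateIsMonotonic(uint256 u1, uint256 u2) public {
        vm.assume(u1 <= u2 && u2 <= WAD);
        assertLe(model.borrowRate(u1), model.borrowRate(u2));
    }

    /// Utilization stays within [0, 100%], including when borrows exceed supply.
    /// The bound keeps borrows * WAD inside uint256 for the symbolic run.
    function testUtilizationBounded(uint256 supply, uint256 borrows) public {
        vm.assume(supply <= 1e40 && borrows <= 1e40);
        assertLe(model.utilization(supply, borrows), WAD);
    }

    /// The rate at 100% utilization is the ceiling: no admissible input exceeds it.
    function testRateCeiling(uint256 util) public {
        vm.assume(util <= WAD);
        assertLe(model.borrowRate(util), model.borrowRate(WAD));
    }
}
```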

Request for Proposal - Cantina + Blockaid

Contact

Overview

Cantina secures the world’s most important code by combining a handpicked network of elite researchers, purpose-built infrastructure, and scalable tooling that delivers institutional-grade security for complex decentralized systems. Trusted by leading organizations, Cantina delivers high-signal reviews, advanced assessments, crowdsourced competitions, bug bounties, and incident response - providing end-to-end security coverage throughout the entire development lifecycle.

Founding Year

2022

Cantina Leadership

  • Harikrishnan Mulackal - Co-founder and CEO: Harikrishnan Mulackal is the CEO and co-founder of Cantina and Spearbit, and is well-known as one of the best code optimizers in the world of Solidity. Coming from the Ethereum Foundation (joined in 2020), he is a leading expert in the Ethereum compiler and Ethereum Virtual Machine. With a background in mathematics, Hari formerly worked for the Ethereum Foundation building the Solidity language. His work at Ethereum gave him firsthand insight into the security challenges facing smart contract platforms, ultimately inspiring the creation of Spearbit and Cantina to improve access to elite security talent.
  • Alex Beregszaszi - Co-Founder and CTO: Alex Beregszaszi is the CTO and co-founder of Cantina and Spearbit. He possesses a deep level of expertise in the Solidity programming language, the Ethereum Virtual Machine and Ethereum. Since 2015, he was an early contributor to and co-lead of the Solidity team at the Ethereum Foundation, as well as being lead of Ipsilon and Ethereum WebAssembly research teams. At Cantina, he focuses on developing scalable systems that support deep security reviews and empower the next generation of researchers.
  • Jake Lynch - Co-Founder: Jake Lynch is a co-founder of Cantina and Spearbit. With a background in economics and investment research, Jake brings a strategic lens to Web3 security.
  • Mike Leffer - President: Mike Leffer is the President of Cantina and Spearbit. He’s spent the last 10 years successfully founding, building, and investing in companies across web2 cybersecurity and other regulated industries. He was previously on the founding team of a $200M AUM cybersecurity VC and in the US Army.

Areas of Specialization

  • Smart contract + infrastructure and logic development advisory including but not limited to Solidity, Rust, Move, JS/TS, Golang, Python, FunC, and more
  • Smart contract + infrastructure and logic audits across Solidity, Rust, Move, JS/TS, Golang, Python, FunC, and more
  • Penetration testing for web2 components
  • Security competitions and CTFs across Solidity, Rust, Move, JS/TS, Golang, Python, FunC, and more
  • Bug bounties across Solidity, Rust, Move, JS/TS, Golang, Python, FunC, and more
  • Operational security: A deep dive into an entire organization’s attack surface both physical and digital across web2 and web3 to model threats, implement mitigations, and document playbooks
  • Table top simulations: Simulate attacks to test team response times and implementation of threat playbooks
  • Multisig guardian signer: Spearbit’s security team sits as a last line of defense for transaction signatures, ensuring that no malicious, buggy, or broken transactions are signed
  • 24/7 staffed monitoring and incident response: Use of 24/7 monitoring by a fully staffed security analyst team to monitor alerting systems and action on any malicious behaviour, coordinating client resources and war room team resources for mitigations

Notable Clients

DeFi Lending and Borrowing Protocols

  • Aave
    • Engagements including the Aave x Aptos advisory review, smart contract audit, security competition, CTF, and bug bounty
  • Euler
    • Engagements span 12 projects including smart contract advisory, smart contract audits, security competition, multisig support, and bug bounty
    • Erik Arfvidson, Head of Security at Euler: “They integrated seamlessly with our team, approaching each issue with care and thoroughness. This strong partnership, focused on finding the best solution, exemplified their dedication to addressing complex security risks.”
  • Liquity
    • Engagements including security competition
  • Morpho
    • Engagements span 25 projects including smart contract audits, security competition, and bug bounty
    • Merlin Egalite, Co-Founder of Morpho: “We highly recommend Cantina Competitions for any protocol needing comprehensive bug coverage. The Cantina Code platform has made collaboration and triaging a breeze with the security researchers.”
  • Maple Finance
    • Engagements including smart contract audits
  • Sky
    • Engagements span 26 projects including smart contract audits and bug bounty

Centralized and Decentralized Exchanges and Trading Platforms

  • Coinbase
    • Engagements span 40 projects including smart contract audits, security competition, and bug bounty
    • Anmol, Head of Product and Blockchain Security at Coinbase: “They have complemented our internal audits well – everything goes through one or more internal audits before it goes external. Their researchers and ours have found interesting bugs together.”
  • PancakeSwap
    • Engagements include bug bounty
  • Uniswap
    • Engagements span 20 projects including smart contract audits, security competition and bug bounty
    • Alice Henshaw, Senior Protocol Engineer at Uniswap Labs: “Working with Cantina, especially in the lead up to v4 launch, has been invaluable. The team has been extremely responsive to all of our needs and their end to end approach to security has given us an increased sense of assurance: from the depth of the reviews, to the competition process, and the bounty facilitation.”

Layer 1 and Layer 2s

  • Berachain
    • Engagements span 27 projects including smart contract development, fuzzing, auditing, and security competition
  • Optimism
    • Engagements span 23 projects including smart contract advisory, smart contract audits and security competition
  • Polygon
    • Engagements span 13 projects including smart contract advisory, smart contract audits, and bug bounty
  • Matter Labs
    • Engagements span 10 projects including smart contract audits, multisig support, and incident response
  • Monad
    • Engagements including smart contract advisory, smart contract audits, and operational security
  • The Ethereum Foundation
    • Engagements including smart contract audits and security competition

Cross-Chain and Infrastructure

  • Layer Zero
    • Engagements including smart contract audits
  • EigenLayer
    • Engagements including smart contract advisory, smart contract audits, security competition, multisig support, and incident response
  • Symbiotic
    • Engagements include security competition

Yield and Derivatives Trading

  • Pendle
    • Engagements span 9 projects including smart contract audits and bug bounty
  • Velodrome
    • Engagements include smart contract audits

Real-World Assets

  • Centrifuge
    • Engagements span 11 projects including smart contract audits, security competition, and bug bounty
  • Ondo
    • Engagements including smart contract audits, infrastructure audits, pen testing, and operational security
  • Lombard Finance
    • Engagements including smart contract audits

Gaming and Entertainment

  • Sky Mavis (Ronin)
    • Engagements include security competition
  • pump.fun
    • Engagements include security competition and bug bounty

Staking and Liquid Staking

  • Rocket Pool
    • Engagements include smart contract audit
  • Babylon
    • Engagement for security competition

Foundations

  • The Ethereum Foundation
    • Engagements including smart contract audits and security competition

Emerging Protocols

  • Pre-Launch Protocol (Private)
    • Engagements including smart contract advisory, smart contract audits, operational security, multisig support, incident response, and bug bounty

See more: GitHub - spearbit/portfolio and https://cantina.xyz/security-reviews

Existing Relationship with Compound

Our team is already familiar with Compound’s integrations because of our previous work with Morpho, Kiln, Karpatkey, and Balmy, which emphasizes that we understand how other protocols depend on its guarantees and where those guarantees may be challenged in edge cases. However, we’re not limited by internal familiarity or legacy context, which means we can approach the requests with critical thinking and a threat model grounded in real-world attacker behavior.

We will also work with OpenZeppelin during the transition period to conduct knowledge transfer, based on their internal pre-existing Compound information library.

Relevant Security Partnerships or Clients

  • Optimism / OP Stack - multiple infrastructure audits tied to L2 upgrades, the latest report is here, with several others in the portfolio repo as well.
  • Polygon (zkEVM) for all their components, including their prover and bridge etc. Please see here for an example.
  • Other examples include Euler, Morpho, Usual, Eigenlayer, MakerDAO(Sky), Pendle, Balancer, SushiSwap, Uniswap, POAP and many more.

Section 1: Scope of security work

1a) Scope of Services Overview

We will support the following for both on-chain and off-chain deployments:

  • Code Reviews: Performing reviews on any type of code (including but not limited to Solidity, Rust, Move, JS/TS, Golang, Python, etc) developed by Compound or Compound’s trusted partners until it is deployed into production, including Pull Request reviews, migrations and final audits.
  • Governance Proposal Reviews: Scrutinizing proposed changes to the Compound protocol including asset listings, parameter changes, community initiatives and protocol upgrades before they are put to vote to ensure no harm is done to the protocol.
  • Risk Assessments and Threat Modeling: Assessing the economic and technical risk of Compound’s initiatives, and proposing clear paths for risk mitigation.
  • Calldata validation: Validating that execution behavior is as intended and expected by the community.
  • Web2 Reviews: Conducting code reviews and penetration tests on the front end, infrastructure (e.g., Cloud, CI/CD, processes, Discord, Twitter, and website hacks) and back end to ensure the protocol maintains a high security posture on all fronts.
  • Off-Chain system support: Analyzing or reviewing any off-chain system component such as L1 and L2 clients, off-chain bridge components and sequencers
  • Web3SOC Continuous Assessment: Performed quarterly, custom web3soc assessments would be conducted for identifying and remediating gaps in operations, protocol financial stability, infrastructure, application and smart contract security to maintain a high level of public institutional trust.

1b) Multi-Chain Support & Upgrade Expertise

Experience across chains:

  • Ethereum - Major upgrade, Pectra
  • Base - Regular auditing and reviewed the Base chain directly
  • Arbitrum - Major contributor to the Arbitrum Security Subsidy Fund
  • Unichain - Regular auditing + core review for Unichain
  • Optimism - Regular auditing + frequent upgrade testing for each iteration
  • Polygon - Major upgrade
  • Ronin - Major upgrade + code competition on the chain itself

How we stay relevant on L2s:

Due to Spearbit/Cantina’s hybrid centralized/decentralized model we are able to pull security researchers from a diversity of relevant backgrounds, many of whom are past or current part-time contributors to L2s. This means that our researcher base is consistently upskilling itself through relevant work that researchers then bring to their auditing expertise. How we strike the balance between core team and additional team support begins by designing a team of full-time team members, solely dedicated to Compound’s security needs for the duration of the partnership and chosen based on their intimate lending knowledge. From that core group, we’ll complement the main team with hand-selected researchers per audit request, chosen based on their expertise with the niche complexity of the scope. This way, Compound has a consistent team that services all security requests and benefits from that consistency, but at the same time is able to work with a number of other researchers who have the most up-to-date experience with a diversity of other projects, ensuring Compound continues to benefit from the knowledge of security leaders all over the space.

How the vCISO will be engaged and contribute to operational security:

  • Along with our hybrid model, we also have best in class security leaders who work internally as part of Spearbit/Cantina’s core team to deliver operational security alongside the auditing teams. We will deploy a two pronged approach to ensure the highest level of expertise between on-chain and off-chain security, utilizing one vCISO for operational security and one vCISO for on-chain review security. These vCISOs will stand as part of your continuous security team and will identify how audit additions contribute to holistic attack surface and draft updates to operational security documentation and practices to ensure that as your codebase grows, your playbooks for threat mitigation grow with it.

  • The vCISO role will be split into two roles with overlapping communication to ensure full coverage but will represent different core competencies. One vCISO will be opsec and infrastructure security focused, the other vCISO will be on-chain development and auditing focused. Please note, the opsec vCISO will also stand as the main POC for all security needs at Compound and will appropriately delegate to the on-chain vCISO and security teams. Please see below for their breakdown

  • The On-Chain vCISO will be Rikard Hjort, please note the following bio and list of items he will provide/advise on:

    • Rikard Hjort
      • Rikard’s experience is deep and varied, not only across protocols and languages, but also across methods, teams, ecosystems and theoretical fields. This makes him suited to explore possible designs and attack vectors and serve as a central hub for audits and security work of all flavors. He led the Ethereum audit team for Runtime Verification, a team of 8 people which had 1-4 parallel audits running for 3 years, and is well versed in managing audit teams to account for audit readiness, team coordination and resource allocation, as well as forecasting potential blockers and alleviating those for his teams. Rikard’s expertise is in understanding how to make audit teams as effective and efficient as possible while also effectively communicating audit value and efficacy to non-security groups like leadership, DAOs, product owners, and user communities.
    • Communication Responsibilities
      • First point of contact for the DAO, e.g. in Discord, Telegram and at comp.xyz
      • Attending conferences and networking events for sourcing new knowledge, contacts, and technology.
      • In appropriate chats with core contributors, foundation team and developers at all times.
    • Operational Responsibilities
      • Maintaining context throughout audits, competitions, and other security efforts. Handles most day-to-day decisions.
      • Compound’s “boots on the ground” who can answer or field questions, quickly redirect efforts, and evaluate results – whether it’s audit findings, new tooling, or incidents.
      • Scoping and prioritizing audits
      • Present for preliminary security work, such as design discussions, to avoid costly decisions down the road.
      • Responsible for continuity and transparency by documenting decisions, assumptions, methodology, and best practices. Constructing artifacts for easy lookup, onboarding, handovers.
      • Flexibility, being the person who can redirect the ship as needed and prioritize on the fly, give good answers fast, and iterate quickly.
    • Strategic Responsibilities
      • Explore tooling
      • Formal verification
      • LLM assistance
      • Fuzzing
      • Live monitoring
      • Drawing up checklists for various proposal types and continuing to evolve them
      • Organizing the campaign towards long-term security visions. “You should keep your retirement, savings, and deeds on-chain, starting with Compound.” Drawing up the 5-year strategy to achieve that.
      • Defining roles and responsibilities for a lean security approach. Security is everyone’s job, especially as the pace of coding accelerates. Will help ensure it’s something developers are expected to do well, and are motivated to do well.
    • Cadence of meetings
      • Daily synchronous audit check-ins during audits
      • Weekly or bi-weekly DAO calls, security town hall
      • Audit reports: open Q&A sessions about audit findings
      • Stakeholder meetings as necessary
      • Available to hop on a call with core contributors during work hours
      • Reachable for incidents 24/7 (on-call number)
  • The OpSec vCISO will be m4rio, please note the following bio and list of items he will provide/advise on:

    • m4rio
      • M4rio brings over a decade of experience as a vCISO, with a strong foundation in operational security, DAO governance, and stakeholder engagement. He currently serves as a Security Researcher at Cantina, where he has contributed to numerous high-impact audits, including leading several Multisig and Incident Response engagements across top-tier ecosystems on behalf of Cantina. With more than six years in the crypto space, m4rio has earned a reputation as both a technical leader and an ecosystem contributor. Before his time in web3, m4rio was a web2 CISO providing security leadership across a range of organizational structures and maturity levels, and thus has intimate knowledge of all attack vectors and infrastructure needs facing an organization of Compound’s size that sits between web2 and web3. What sets m4rio apart is not just his technical expertise, but his rare combination of operational leadership, DAO-native governance experience, and clear, effective communication. Drawing on his vCISO background, he understands how to design and align security strategies with broader organizational goals, and how to articulate risks, tradeoffs, and technical concepts clearly to both technical and non-technical stakeholders.
    • Personnel security
      • Training on security practices, safe usage, sharing relevant updates based on emerging security threats and targeting information, and best practices for physical security
    • Identity and access management
      • How the organization manages access, ensuring timely access granting and revocation
    • Security tooling and infrastructure
      • Identify needed security tooling, cost-benefit matrices, proposal negotiation and implementation
    • Vendor management
      • Security vetting and due diligence on vendor security practices as well as vendor relations and management
    • Threat modeling
      • Regular deep dives into the company attack surface to document all threat vectors and how they change over time, to continually update documentation and personnel training
    • Playbook creation
      • Creation of holistic company security playbooks as well as continual updating and iteration based on emerging threats
    • Attack simulations
      • Twice annual attack simulations to test personnel adherence to playbook mitigation, pausing and recovery plans as well as confirm playbook efficacy
    • Incident response implementation and management
      • From the above activities, create incident response plan, manage analyst team, and continually update practices as codebases and attack surface evolve
    • Overall security direction and implementation
      • Stand as main source of truth for all security questions, requests, and representation. Based on needs, m4rio will appropriately pull in the needed teams and additional vCISO help to accomplish all security related needs. All Compound security inquiries should be directed to m4rio.
    • Cadence of meetings
      • Up front daily meetings as necessary to model threat vectors and implement operational security infrastructure
      • Updates to all security documentation as needed with monthly update calls to all relevant personnel on security updates
      • Immediate ad-hoc meetings to update personnel on urgent security changes with relevant trainings
      • Weekly or bi-weekly DAO calls, security town hall
      • Stakeholder meetings as necessary
      • Available to hop on a call with core contributors during work hours
      • Reachable for incidents 24/7 (on-call number)

1c) Resource Allocation and Availability

FTEs dedicated to Compound:

Compound will have 2 dedicated FTE vCISOs + a 24/7 fully staffed FTE incident response team + 4 FTE auditors continuously dedicated to Compound’s security needs. The 4 FTE auditors will be solely dedicated to Compound for the entirety of the relationship with the core researcher team being supplemented with additional auditors per specific engagements based on the needed expertise. With our hybrid model, we ensure that for Compound we will keep a core team centralized to maintain continuity and full time availability while continuing to pull from our decentralized network to ensure that each project has the highest level of expertise in the varying subject matter. Additionally, due to the nature of our model and how resources are tapped-in based on expertise, we have a robust documentation platform called Cantina Code that allows you to monitor the audit progress in real time with comments on the thought process of findings from each auditor as they work through the project. This is also used to quickly get new resources up to speed on any needed legacy knowledge. In addition to this, the on-chain vCISO will be a continuous resource that will either serve on every audit as a lead auditor, or an advisory lead, responsible for getting the new resources up to speed and serving as their source of truth and Q&A throughout the course of the audit so that the burden of knowledge transfer is taken off of your team.

With the hybrid model + the vCISO, we’re able to turn around audit kick-offs within 24-48 hours while maintaining high researcher confidence and readiness per audit as well as the ability to run parallel audits with multiple audit teams should the need arise.

For the full time audit team, they have expertise on the complexities and items in the audit reports below:

1d) Additional Services or Tools

Value added offerings:

  • Member of Matter Labs security council
  • Optimism Developer to Advisory Board participation
  • Collaboration with Secureum to lead security based trainings
  • Team participation in Rektoff Bootcamp
  • Cantina Code
    • Our proprietary platform that allows you to track audit progress and researcher thought process in real time to organize findings and streamline the process for dev teams to efficiently categorize and implement fixes with a direct line of communication to the auditors themselves
  • Integrations with Huntress, Crowdstrike, Blockaid, ChainPatrol and Doppel
  • Cantina AI Analyzer
    • Allows devs to identify bugs in the build phase
  • Free Bug Bounty
    • Cantina will host Compound’s bug bounty at no hosting cost and will provide managed triaging by the Cantina team for free for the entire lifetime of Compound’s bug bounty

Section 2: Technical Methodology and Audit Process

2a) Audit Methodology

Audits are performed by elite Security Researchers who are specialized in the underlying codebase logic, familiar with Compound’s past vulnerabilities, and have a publicly verifiable skill set and track record. Security Researchers are meticulously hand-picked and a team is assigned to a specific operation (in this case a year-long engagement with Compound) to retain knowledge across all engagements, so as to build informational capacity, reduce blind spots and ensure full understanding and coverage of all security areas of the protocol at all times, including non-code scenarios, for which members are selected for their particular experience in economic security audits and the prevention of governance attacks.

Smart contract audits use a mix of methodologies depending on the target scope, where Security Researchers start by reading any documentation, verifying the coverage and correctness of tests, then follow a checklist to ensure coverage against basic security issues, continue with code pentesting (breaking the code) to find novel vulnerabilities and critical edge cases proven with coded proofs of concept, and lastly execute fuzz testing to ensure that critical protocol invariants are never broken, therefore achieving full coverage.

All engagements are carefully managed by a project manager to ensure high quality deliverables, are quickly coordinated (can be set up in a few hours), and the code in scope is audited in a repository inside the Cantina platform, which allows for streamlined communication with relevant stakeholders, speeds up remediations and generates reports in a seamless way. This process can also be performed on GitHub, allowing flexibility for user preferences.

2b) Audit Workflow & Deliverables

Audit process:

  • When the team’s codebase is 80% complete, share access to codebases with 0xmorph, Spearbit/Cantina’s scoping engineer
  • Within 5 hours the Spearbit/Cantina team will produce a full quote inclusive of duration, team size and composition, proposed audits, and start date
  • Once the start date is confirmed the Spearbit/Cantina account management team will book in a kickoff call between the auditors and the Compound team which will cover any code questions and audit logistics
  • From there the account management team will handle all Compound team needs and the Compound team will be able to see audit progress and leave comments in Cantina Code as needed
  • Once the audit is completed, the Compound team will implement fixes and drip those fixes back to the audit team so that the audit team can confirm that they were implemented correctly and introduce no new findings
  • Once the fix review is completed, the draft report will be delivered to the client within 1 business day for all scopes
  • Once the Compound team and Spearbit/Cantina team have agreed that all fixes have been implemented correctly, Spearbit/Cantina will deliver the final report within 1 business day for all scopes
  • The engagement will conclude with a marketing collaboration to announce the audit completion per Compound’s desire; if Compound would rather keep it private then the report will remain private and no marketing collab will take place

Report format:

  • Reports include all findings delineated by severity (critical, high, medium, low, and informational) as well as all implemented fixes

Publication:

Once the final report is delivered to the client, the client then gives Spearbit/Cantina permission to make it publicly available in the Cantina Portfolio. If the client declines then the report will be kept private.

2c) Quality Assurance and Track Record

Due to the critical nature of our work during audits and vulnerability research, there are many instances where we have prevented critical harm to protocols, either by spotting critical edge cases during an audit, by finding deep issues in dependencies a protocol relies on for critical business logic, or by helping clients in war rooms for fund recovery even if it was out of our scope of work. Often, however, due to the nature of our critical work we have NDAs and client secrecy policies that disallow us from sharing certain information. Nevertheless, some public mentions can be seen below:

  • In many audits, we have provided significant value not only from a findings perspective but also in terms of continuing support after audits, for example when audit findings led to the re-architecture of a codebase and supporting the team through that process. Some public examples include Astaria Security Review and ConnextNxtp Security Review.
  • Confidential client disclosures. We have a long relationship with a well known lending protocol with which, through many engagements, we have built high informational capacity and understanding of their protocol. One of our Lead Security Researchers was specifically trained for this, and not only discovered critical issues during audits but also found live bugs during another audit of a protocol using this client’s integration. For more details please reach out to Cantina directly.
  • During one of our engagements with Sablier Finance, we found an out of scope issue in PRB math affecting Sablier integrations. Please see the references here and here.
  • When Euler suffered from a hack, they wanted to re-engineer their protocol, so we embedded a vCISO into their development cycle. This helped them make design choices with security as their core focus, making it now one of the most resilient products in the space.
