Request for Proposal (RFP): Compound DAO Security Service Provider (SSP)

Motivation & Background

The Compound Foundation, in collaboration with the Compound Governance Working Group (CGWG), is issuing this Request for Proposals (RFP) to identify a qualified and cost-effective Security Service Provider (SSP) to deliver security services to the Compound protocol over a 12-month term.

Security remains a paramount concern for Compound as a leading decentralized lending protocol operating across multiple chains. Since December 2021, Compound has relied on OpenZeppelin as its primary security partner; in the past year alone, OpenZeppelin conducted over 40 audits and reviewed more than 180 governance proposals.

While OpenZeppelin has delivered strong coverage, the expiration of their current term presents an opportunity for the DAO to reevaluate the market and select a provider best suited to its evolving needs and financial constraints. A number of leading security vendors have expressed interest, and this RFP process is being run to ensure transparency, competition, and alignment with Compound’s long-term goals.

The Compound Foundation will lead the selection process, including managing vendor interviews, evaluating pricing, and issuing a final recommendation to the DAO. The CGWG will act as a neutral facilitator, ensuring the process remains transparent and aligned with DAO governance expectations. This collaborative approach allows the Foundation to apply its operational expertise while ensuring the broader community remains informed and empowered to make the final decision through onchain voting.


Shaping the Security Backbone of Compound’s Next Era

Compound is one of the most influential and historically significant protocols in decentralized finance. As the first DeFi platform to introduce on-chain algorithmic money markets, Compound laid the groundwork for permissionless lending, decentralized governance, and protocol autonomy. Its early innovations shaped the token voting models and governance contracts that are now industry standards. While its brand remains a pillar of credibility in crypto, Compound today finds itself at an inflection point—rich with reputation but ripe for renewed growth. With evolving regulation, improving sentiment, and an expanding appetite for DeFi infrastructure, this is a rare and timely opportunity to help Compound reassert itself as the leader in global decentralized lending.

The recent launch of the Compound Foundation marks the beginning of a new era—one focused on strategic execution, ecosystem expansion, and long-term resilience. As the Foundation takes on an active role in guiding protocol development and ecosystem coordination, the selection of a trusted security partner becomes mission-critical. This isn’t just about audits; it’s about embedding security at the core of Compound’s re-emergence. With over $2B in TVL, deep integrations, and a renewed growth mandate, Compound is uniquely positioned for a resurgence—and the partner ultimately chosen as its next Security Service Provider will be a visible and central force in safeguarding that trajectory.


Timeline & Order of Operations

  • RFP Submission Window (July 7 – July 18, 2025)
    Vendors must submit proposals publicly to the Compound forum by replying to the RFP thread. Each response must follow the “Required Responses” format and be posted as a single, comprehensive reply. Pricing details must be submitted separately and privately to the Compound Foundation via the pricing form linked in this thread.
    The Foundation and CGWG will review each submission for completeness and relevance; proposals that meet all requirements will move forward to the evaluation phase.

  • Evaluation & Interviews (July 15 – July 22, 2025)
    The Compound Foundation will begin interviews on July 15 with vendors who submit early and continue reviewing all qualified proposals through July 22. This includes evaluating vendor qualifications, security capabilities, and service alignment. The Foundation will also provide constructive feedback on proposal structure, scope, and pricing. Following this feedback, vendors may submit final pricing and revised proposals by July 22.

  • Final Proposal Summary & Recommendation (July 23 - July 27, 2025)
    A final proposal summary will be posted to the Compound forum. This summary will consolidate each refined proposal, include publicly disclosed pricing, and highlight the Foundation’s recommendation. The goal is to ensure delegates and community members can easily compare options before the vote. Any final questions or clarifications will be resolved prior to opening Snapshot voting.

  • Snapshot Vote (July 28 – August 4, 2025)
    The CGWG will host a Snapshot vote with all eligible proposals included as voting options. The vote mechanics (e.g., single-choice or ranked-choice) and quorum requirements will be clearly communicated at the time of the vote. Delegates are encouraged to weigh the proposals alongside the Foundation’s review summary. The SSP receiving the most support will be considered the selected provider, subject to on-chain ratification.

  • On-Chain Ratification & Payment Authorization (August 5 – August 12, 2025)
    An on-chain proposal will be submitted to formally ratify the SSP selection and authorize the budget for a 12-month term. Payments will be streamed using the Compound Streamer developed by WOOF. The proposal will specify the total budget, stream rate, and service start date. This step ensures DAO-wide transparency and accountability for the selected vendor.

  • Onboarding & Transition Period (August 18 – September 8, 2025)
    The selected SSP will coordinate with the Compound Foundation and any outgoing vendor to assume full responsibilities by September 8. This onboarding period includes access to prior documentation, team introductions, and establishing communication protocols. The Foundation will support the transition to avoid any gap in service coverage. The SSP should be prepared to meet its first quarterly reporting milestone soon after.


Scope of Work

The selected Security Service Provider (SSP) will be responsible for executing three core workstreams critical to the security and operational integrity of the Compound protocol: (1) Security Audits and Reviews, (2) Security Advisory and vCISO Services, and (3) Monitoring and Incident Response. These workstreams are designed to ensure full lifecycle coverage of governance proposals, ongoing protocol development, and real-time defense capabilities.


1. Security Audits and Proposal Reviews

The SSP will lead technical assessments of protocol upgrades, governance proposals, and token onboarding efforts. They will provide actionable feedback, verify execution paths, and ensure proposed changes meet Compound’s security standards before being enacted. The review process will be tightly integrated with the governance lifecycle and include formal reporting.

  • Audit new protocol code and infrastructure developed by the Foundation, WOOF, external contributors, or grantees.

  • Validate calldata and execution logic for all governance proposals prior to submission or execution.

  • Assess the risk of onboarding new collateral assets, token integrations, or deploying to new chains.

  • Produce and publish Security Reports outlining findings, risks, recommended remediations, and issue severity classifications.

  • Coordinate audit scheduling and delivery timelines in alignment with governance proposal windows and DAO expectations. The Foundation will define prioritization when needed.
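The calldata validation in the second bullet above is the kind of check a reviewer automates rather than eyeballs. The following is an added illustration, not Compound's or any vendor's tooling: it decodes one proposal action (target, ETH value, calldata) strictly, rejects malformed encodings, and checks the decoded arguments against a review policy. The two four-byte selectors are the standard ERC-20 `transfer` and `approve` selectors; the token and recipient addresses, the policy caps, and the sample actions are constructed for the example.

```python
"""
Decode and sanity-check one governance proposal action (target, value,
calldata) against a review policy before it is queued or executed.
Added illustration: not Compound's or any vendor's tooling. The token and
recipient addresses and the policy caps below are constructed for the example.
"""
from dataclasses import dataclass

WORD = 32  # every static ABI argument occupies one 32-byte word

# Four-byte selectors are keccak256(signature)[:4]. These two ERC-20 selectors
# are the standard ones; in practice the table is generated from verified ABIs.
KNOWN_SELECTORS = {
    bytes.fromhex("a9059cbb"): ("transfer(address,uint256)", ("address", "uint256")),
    bytes.fromhex("095ea7b3"): ("approve(address,uint256)", ("address", "uint256")),
}


@dataclass(frozen=True)
class Action:
    target: str      # contract the Timelock will call, 0x-prefixed hex
    value: int       # ETH sent with the call
    calldata: bytes  # selector followed by ABI-encoded arguments


def decode_static_args(data: bytes, types: tuple) -> list:
    """Decode head-only ABI arguments strictly: exact length, clean padding."""
    if len(data) != WORD * len(types):
        raise ValueError(f"expected {WORD * len(types)} argument bytes, got {len(data)}")
    decoded = []
    for i, typ in enumerate(types):
        word = data[i * WORD:(i + 1) * WORD]
        if typ == "address":
            if any(word[:12]):  # high 12 bytes must be zero for a well-formed address
                raise ValueError(f"argument {i}: non-zero padding in address word")
            decoded.append("0x" + word[12:].hex())
        elif typ == "uint256":
            decoded.append(int.from_bytes(word, "big"))
        else:
            raise ValueError(f"unsupported type {typ}")
    return decoded


def check_action(action: Action, policy: dict):
    """Return (ok, findings). policy: lowercase target -> {selector: rules}."""
    findings = []
    target = action.target.lower()
    if target not in policy:
        return False, [f"target {action.target} is not on the allowlist"]
    if action.value != 0:
        findings.append(f"unexpected ETH value {action.value} attached to call")
    if len(action.calldata) < 4:
        return False, ["calldata shorter than a function selector"]
    selector, args = action.calldata[:4], action.calldata[4:]
    if selector not in KNOWN_SELECTORS:
        return False, [f"unknown selector 0x{selector.hex()}"]
    signature, types = KNOWN_SELECTORS[selector]
    rules = policy[target].get(selector)
    if rules is None:
        return False, [f"{signature} is not permitted on {action.target}"]
    try:
        recipient, amount = decode_static_args(args, types)
    except ValueError as exc:
        return False, [f"{signature}: malformed calldata: {exc}"]
    if recipient not in rules["recipients"]:
        findings.append(f"{signature}: recipient {recipient} is not an approved payee")
    if amount > rules["max_amount"]:
        findings.append(f"{signature}: amount {amount} exceeds cap {rules['max_amount']}")
    return not findings, findings


def encode_call(selector: bytes, to: str, amount: int) -> bytes:
    """Build selector + (address, uint256) calldata the way a proposal carries it."""
    return selector + bytes(12) + bytes.fromhex(to[2:]) + amount.to_bytes(WORD, "big")


# Constructed sample policy: a hypothetical token contract from which the
# Timelock may pay one approved grantee, capped per action.
TOKEN = "0x" + "aa" * 20
GRANTEE = "0x" + "bb" * 20
STRANGER = "0x" + "cc" * 20
TRANSFER = bytes.fromhex("a9059cbb")
APPROVE = bytes.fromhex("095ea7b3")
POLICY = {TOKEN: {TRANSFER: {"recipients": {GRANTEE}, "max_amount": 10_000 * 10**18}}}

SAMPLES = {
    "in-policy transfer": Action(TOKEN, 0, encode_call(TRANSFER, GRANTEE, 5_000 * 10**18)),
    "over cap": Action(TOKEN, 0, encode_call(TRANSFER, GRANTEE, 20_000 * 10**18)),
    "unknown payee": Action(TOKEN, 0, encode_call(TRANSFER, STRANGER, 1)),
    "trailing byte": Action(TOKEN, 0, encode_call(TRANSFER, GRANTEE, 1) + b"\x00"),
    "approve instead of transfer": Action(TOKEN, 0, encode_call(APPROVE, GRANTEE, 1)),
    "eth attached": Action(TOKEN, 1, encode_call(TRANSFER, GRANTEE, 1)),
}

if __name__ == "__main__":
    for name, action in SAMPLES.items():
        ok, findings = check_action(action, POLICY)
        print(f"{name:28s} {'PASS' if ok else 'FAIL'} {findings}")
```

Two design points matter for a reviewer. The decoder is strict on purpose: a trailing byte or non-zero padding in an address word is rejected rather than silently ignored, because a forgiving decoder lets calldata that "looks right" pass review while the target contract interprets it differently. Policy addresses are kept lowercase so comparisons do not depend on checksum casing; a production version would pull the selector table from verified ABIs and read the proposal actions from the governor contract rather than from constructed samples.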


2. Security Advisory and vCISO Services

The SSP will provide high-touch security advisory services, including a dedicated technical lead to act as Compound’s virtual CISO (vCISO). The vCISO will bridge audits with governance, align protocol improvements with security best practices, and ensure DAO contributors understand and can act on security findings.

  • Offer on-demand guidance to the Foundation and contributors regarding governance proposals, upgrades, or architecture changes.

  • Participate in protocol design discussions, threat modeling exercises, and security reviews of new initiatives.

  • Maintain clear documentation of evolving security requirements, including checklists and best practices tailored to different proposal types.

  • Serve as a central point of contact for the DAO to interpret audit findings and discuss remediations.

  • Help scope and prioritize security reviews and audits, working closely with authors to define timelines and security expectations.


3. Monitoring and Incident Response

The SSP will be responsible for continuous monitoring of protocol operations, governance proposal execution, and security-sensitive functions. They will maintain on-call availability for triaging incidents and may also contribute to shared governance responsibilities by participating in Compound’s emergency response mechanisms.

  • Monitor live protocol deployments, governance execution, and market activity for anomalies or malicious behavior.

  • Maintain on-call availability for real-time response to protocol incidents, unexpected outcomes, or critical threats.

  • Collaborate with the Foundation, Core Contributors and Community Multisig to triage and mitigate emerging threats, including postmortems and lessons learned.

  • Optionally nominate a qualified team member to join the Compound Community multisig as a signer for urgent interventions.

  • Propose and implement off-chain monitoring infrastructure (e.g. dashboards, alerting systems) that remain transparent and do not impact on-chain performance.


Payment Terms

  • The engagement will span a 12-month commitment starting August 18th, 2025, with payments streamed in COMP based on USD value via the Compound Streamer contract.

  • The DAO seeks to avoid large upfront payments. Vendors must agree to a 60-day termination clause, allowing the DAO to stop the stream and disengage with reasonable notice based on a governance vote. This will be invoked in cases where vendors fail to meet KPIs or stated SLAs.


Evaluation Criteria

Proposals will be evaluated based on:

1. Technical Expertise

  • Solidity auditing proficiency; additional Rust/Go/Move capabilities are a plus

  • Cross-chain experience on Ethereum L1 and L2s (Arbitrum, Optimism, Base, Scroll, etc.)

  • Use of fuzzing, formal verification, and static/dynamic analysis

  • Infrastructure and application-layer pentesting capabilities

  • Documented incident response processes and tooling

2. Reputation and Track Record

  • History of working with DAOs and DeFi protocols

  • Public reports, references, or postmortems that demonstrate transparency and reliability

3. Compound Protocol Familiarity

  • Prior work with Compound is preferred

  • Vendors new to Compound must demonstrate a clear onboarding plan and ramp-up readiness

4. Capacity and Communication

  • Capacity to support parallel audits and urgent reviews without delays

  • Clarity and regularity in reporting to the DAO and Foundation

  • Willingness to publish updates and participate in governance discussions


Required Responses

General Overview

In your private pricing proposal to the Foundation, include the full name, Telegram handle, and email of your representative for the RFP process. All pricing must also be included in a private proposal to the Foundation during initial submission, using the pricing form linked in this thread.

Company/Team Name and Background:
Provide the name of your company or team and a brief background. Include the founding year, areas of specialization, and notable clients. Highlight the core team’s blockchain and security credentials.

Existing Relationship with Compound (if any):
State any prior engagements, audits, or contributions to Compound’s codebase or forums. If no relationship exists, describe your plan to quickly gain protocol familiarity.

Relevant Security Partnerships or Clients:
List DAOs or DeFi protocols you’ve supported, ideally those with governance, lending, or cross-chain complexity. Case studies or published audits are encouraged.


Section 1: Scope of Security Work

1a) Scope of Services Overview:
List all audit and review activities you will cover, including new deployments, governance reviews, and monitoring following the Scope of Work section. Specify if you support front-end or off-chain systems. Clarify any notable exclusions or limitations.

1b) Multi-Chain Support & Upgrade Expertise:
Compound V3 is deployed across numerous networks (including Ethereum mainnet, Base, Arbitrum, Unichain, Optimism, Polygon, Mantle, Scroll, Ronin, and Linea) and is expected to continue expanding. Additionally, protocol upgrades and new market deployments are a regular occurrence.

State your experience across Compound’s supported networks. Note if you’ve audited cross-chain deployments or major upgrades. Describe how your team stays current on emerging L2s or brings in specialists if needed. Define how the vCISO will be engaged and how they will be involved in the operational security of smart contract integration and deployment.

1c) Resource Allocation and Availability:
Indicate how many FTEs will be assigned to Compound and if they are dedicated or shared. Explain how you will avoid audit bottlenecks and ensure coverage during staff absences. Describe how you preserve context and continuity over time.

1d) Additional Services or Tools (if any):
Share any value-added offerings like governance participation, training, or internal tools (e.g., dashboards, scanners). This is optional but encouraged. Keep descriptions high-level and relevant to DAO security.


Section 2: Technical Methodology and Audit Process

2a) Audit Methodology:
Summarize your process including manual review techniques and tool usage (fuzzers, linters, etc.). Mention how you identify non-code risks like governance or economic attacks. Note how you ensure full code coverage and reduce reviewer blind spots.

2b) Audit Workflow & Deliverables:
Outline your audit process from scoping to final report. Describe your report format (e.g., severity levels, fix guidance) and whether results are public. Provide turnaround time ranges based on audit scope.

2c) Quality Assurance and Track Record:
Cite past audits or incidents where your work mitigated or prevented harm. If a client was impacted post-audit, share how you helped and what was learned. Provide public links or references where possible.


Section 3: Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure:

Describe your process for handling discovered vulnerabilities, particularly critical ones. If during the course of an audit (or via any monitoring you do), you uncover a serious bug or exploit possibility in Compound, what are the immediate next steps? Outline how you would inform Compound’s leadership or relevant parties.

Do you follow an established responsible disclosure protocol or have a standard policy (e.g. “notify core developers immediately, advise on fix, disclose publicly only after patch”) for these scenarios? The Compound community needs to know that any vulnerabilities will be handled with urgency and discretion. Include details like:

  • How you prioritize issues (e.g., stop all other work to focus on a critical vs. continue with audits for a low-severity finding)
  • Expected timelines for developing a remediation plan, and how/who you involve in remediation (do you merely report issues or also help design patches?)
  • If you have a secure communication channel for sensitive disclosures, note that as well

In short, tell us how you will manage the lifecycle of a critical vulnerability from discovery to fix to public disclosure in a way that minimizes risk to the protocol.

3b) Incident Response Support:
Detail how you assist during exploits—technical investigation, coordination, and recovery. Share prior examples where you helped mitigate live attacks. Clarify who you work with (e.g., Foundation, whitehats).

Provide any detailed examples of how you were able to triage and resolve a specific incident.

3c) Continuous Monitoring & Threat Detection:
Describe your monitoring stack, anomaly detection, and alert workflows. Note what gets flagged (e.g., whale voting, oracle anomalies), and who is notified. If no tooling is included, explain how you remain vigilant between audits.


Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model:

Pricing proposals must be submitted privately to the Compound Foundation via email as part of a private proposal attachment.

What is the total budget that you are requesting for the 12-month security partnership with the DAO? Break down the components of this cost if applicable. For example, is this a flat annual fee for a security retainer covering all services, or do you price per audit with an estimated number of audits included? Indicate if you are agreeable to a continuous streamed payment setup.

4b) Milestones and Performance Metrics:
List success metrics such as audit timeliness, report quality, or DAO engagement. Include sample KPIs. If you report publicly or quarterly, say so. These could include quantitative metrics such as:

  • audit report delivery times (e.g., “all standard audits delivered within X weeks of code readiness”)
  • responsiveness targets (e.g., “critical issues triaged within Y hours”)
  • any outcome-based goals (e.g., “zero critical vulnerabilities in production”).

You may also include community-centric metrics, like “monthly security update delivered on time 12/12 months” or engagement metrics like “participate in all governance calls with a security segment.”

4c) Conflict of Interest Declaration:
Disclose if you work with Compound competitors or protocol forks. Confirm that confidentiality safeguards are in place. If no conflicts exist, state that clearly. Working with multiple clients is normal, but we expect professional handling of any conflicts and confidentiality.

4d) Transition and Offboarding Plan:
Explain how you’ll ensure continuity if not renewed. How will you ensure that any new incoming security provider can pick up where you left off? Acknowledge DAO rights to terminate with 60-day notice.


Section 5: Service Level Expectations (SLA)

5a) Incident Response:
Describe your target response time for critical protocol incidents (e.g., 15 minutes). Include whether 24/7 monitoring coverage is available and through what channels. Outline your escalation, triage, and mitigation processes for urgent situations.

5b) vCISO Support:
State your availability for on-demand advisory support (e.g., within one business day). Note the expected cadence of recurring briefings, design reviews, or check-ins. Indicate who the DAO’s primary and backup contacts will be.

5c) Governance Proposal Reviews:
Specify your standard review turnaround time after a proposal request (e.g., within 48 hours). Mention your availability to support urgent or last-minute proposals. Describe how findings will be delivered and communicated to the community.

5d) Code Audits:
Indicate the average lead time required for scheduling audit engagements (e.g., 2–4 weeks). Provide expected turnaround times based on audit size and team allocation. Share your standards for report formatting, revision handling, and final delivery.

Final Considerations

If there are aspects of your approach, tooling, or philosophy that haven’t been addressed in prior sections, you may highlight them here. This could include specialized expertise (e.g., lending protocols, governance or economic security), proprietary tools or dashboards, operational scale, or mission alignment with decentralized finance.

You may also use this space to share supporting content and technical examples such as public audit repositories, technical write ups, incident postmortems, or training materials you’ve produced. These examples can help demonstrate your team’s track record, culture of transparency, or commitment to long-term partnerships. Bonus points for any examples relevant for Compound or similar lending protocols.

Please keep this section focused and additive. All essential information should still be included in the required responses above, as they form the basis for evaluation.


The Compound Governance Working Group (CGWG) is proud to collaborate with the Compound Foundation in selecting the next Security Service Provider (SSP).

If your team has a proven track record in DeFi security and shares Compound’s mission, we invite you to submit a proposal. Your expertise will be pivotal in protecting the Compound ecosystem while fueling its continued innovation and growth.
