Request for Proposal (RFP): Compound DAO Security Service Provider (SSP)

Section 3: Risk Management and Incident Response

3a) Vulnerability Triage and Disclosure

OpenZeppelin employs a robust protocol for handling vulnerabilities, adapting our response based on whether a vulnerability affects live code and whether the exploit is actively occurring or not.

Vulnerability Discovered in Audits (Not Actively Exploited)

This protocol applies when a vulnerability is identified during an audit or review, and there’s no indication of active exploitation.

  1. Upon discovery of a potential vulnerability during an audit, OpenZeppelin’s security researchers immediately assess its severity and whether it affects live code or not.
  2. High/Critical vulnerability affecting live code:
    1. Rapid Internal Triage & Escalation: If deemed Critical or High severity and affecting live code, the issue is immediately escalated internally to the Head of Security Research for rapid triage and validation.
    2. Immediate Confidential Disclosure: OpenZeppelin immediately shares confirmed Critical/High findings through private, secure channels with the stakeholders, prioritizing collaborative resolution.
    3. Emergency Mitigation Actions: Emergency mitigations (e.g., pausing contracts) are discussed with stakeholders and are either prepared or executed directly if the likelihood of exploitation and the potential damage are not negligible.
    4. Prioritization of Severe Vulnerability: Where deemed necessary, all other work may be re-prioritized and resources reallocated to address the issue.
    5. Remediation Plan & Patch Audit: OpenZeppelin collaborates with stakeholders to design and develop a remediation plan. Once a fix is implemented, a dedicated patch audit and verification are conducted to ensure the vulnerability is fully addressed. This process iterates until the fix is deployed and verified.
    6. Coordinated Public Disclosure: After the fix is deployed and verified, a coordinated public disclosure is made, including a post-mortem analysis and security advisories to inform the broader community.
  3. Vulnerabilities not affecting live code:
    1. Standard Reporting: For issues which are not live, the audit workflow continues, and the issue is tracked internally. High or critical issues may be reported early to the development team for quicker resolution while the audit continues according to its schedule.
    2. Report to Compound Team: The final findings are reported to the Compound team through standard communication channels.
    3. Scheduled Remediation: Remediation for these vulnerabilities is scheduled within the standard development cycle, allowing for planned implementation and review.

Vulnerability Detected (Actively Exploited)

This protocol is activated when continuous monitoring, other threat-detection mechanisms, or third-party notifications identify an actively exploited vulnerability.

  1. Live Exploit Detection & Notification: Continuous monitoring systems (e.g., OpenZeppelin Defender, Forta) detect on-chain activity or anomalies indicative of a live exploit. Alerts are immediately triggered and sent to OpenZeppelin’s internal teams and Compound’s designated contacts (Slack, Discord, PagerDuty, etc.).
  2. Rapid Identification & Escalation: OpenZeppelin security researchers and incident response specialists rapidly identify the nature of the exploit and immediately escalate the incident.
  3. Technical Investigation & Root Cause Analysis: A thorough technical investigation is launched to understand the exploit’s mechanics, identify the root cause, and assess the extent of its impact.
  4. Security Council Coordination: OpenZeppelin coordinates closely with the Compound Foundation, key contributors, and potentially whitehat security researchers to form an ad-hoc security council.
  5. Emergency Mitigation Actions: Immediate emergency mitigation actions are advised and, where applicable, directed (e.g., pausing affected contracts, freezing funds).
  6. Recovery & Damage Control Advice: OpenZeppelin provides expert advice on recovery strategies and damage control to minimize further impact and secure affected assets.
  7. Post-Incident Review & Lessons Learned: Following resolution, a comprehensive post-incident review is conducted to analyze the incident, identify lessons learned, and implement measures to prevent similar occurrences in the future.

Preventive Measures & Continuous Improvement (Applicable to Both Scenarios)

Preventive Measures

Our audit planning strategically focuses on critical integration points and historically risky components. Auditors are meticulously matched to engagements based on their domain expertise, and client test coverage and documentation are assessed upfront. Our knowledge base is continuously updated with insights from past incidents.

Continuous Improvement

Formal post-mortems are conducted for any high/critical issues that may have been missed, driving tooling updates (e.g., new static analysis rules, methodology changes). Cross-team knowledge sharing through regular meetings and documentation ensures collective learning, and client feedback is consistently integrated into our future security approaches.

Expected Timelines

Live critical or high severity vulnerabilities, whether discovered during audit or not, receive immediate triage with emergency mitigation measures initiated within hours. We collaboratively develop remediation plans, providing both immediate protective measures and permanent fix recommendations with subsequent patch audit verification.

Secure Communication

Private channels are established with the Compound Multisig and Foundation for sensitive disclosures, ensuring urgency and discretion throughout the vulnerability lifecycle, from discovery to public disclosure post-resolution.

3b) Incident Response Support

Our team of experienced professionals will work closely with stakeholders to provide timely and effective recommendations to help navigate through an incident and mitigate the impact on related systems and operations. OpenZeppelin will take the role of Incident Commander during an active incident and direct the operations and incident response process throughout the incident. We’ll also help Compound navigate the public communications process to ensure that your users are kept informed and public messaging is clear and effective.

3c) Continuous Monitoring and Threat Detection

OpenZeppelin provides comprehensive 24/7 monitoring across Compound’s multi-chain deployment, with automated alerting and response capabilities designed to detect and mitigate threats before they materialize.

Monitoring Infrastructure

Our monitoring stack currently leverages OpenZeppelin Defender to continuously track smart contract activity across an expanding number of markets and networks. Alerts route through multiple channels including Discord for community awareness and Slack, webhooks, and PagerDuty integration for internal notifications. Internal Datadog dashboards provide real-time visibility on the health of the monitoring and automation system.

Detection Capabilities

Market Activity Monitoring: Transaction-level tracking of borrows, withdrawals, supplies, and liquidations across all Compound deployments. Positions involved in transactions are analyzed and net impact is summarized in alerts including notation of relatively large position changes or whale activity. Liquidatable position detection identifies accounts approaching insolvency before liquidation occurs.

Governance Surveillance: New proposal detection with automated decoding of calldata and simulation of execution outcomes. Voting power tracking identifies sudden delegation changes or voting power accumulation approaching proposal/quorum thresholds. Status alerts for pending proposals share vote tallies regularly. Cross-chain proposal monitoring ensures synchronized tracking of bridged governance actions.
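As an added illustration (not code from OpenZeppelin's proposal or its monitoring stack), the following Python sketch shows the kind of voting-power rule described above, applied to constructed DelegateVotesChanged events from the COMP token; the proposal threshold and quorum values are assumed placeholders, not Compound's live governance parameters.

```python
from dataclasses import dataclass
from typing import List, Tuple

COMP = 10**18  # COMP has 18 decimals; balances below are in the token's smallest unit

# Assumed governance parameters for this demonstration only (placeholders,
# not Compound's live proposalThreshold / quorumVotes values).
PROPOSAL_THRESHOLD = 25_000 * COMP
QUORUM = 400_000 * COMP
WARN_PCT = 80                 # alert when a delegate reaches 80% of a limit
LARGE_DELTA = 10_000 * COMP   # alert on a single change of this size or more

@dataclass
class DelegateVotesChanged:
    """One decoded COMP DelegateVotesChanged(delegate, previousBalance, newBalance) event."""
    block: int
    delegate: str
    previous_balance: int
    new_balance: int

Alert = Tuple[str, str, int]  # (rule name, delegate, block)

def check_event(ev: DelegateVotesChanged) -> List[Alert]:
    """Apply the voting-power rules to a single event and return the alerts it raises."""
    alerts: List[Alert] = []
    delta = ev.new_balance - ev.previous_balance
    if abs(delta) >= LARGE_DELTA:
        alerts.append(("large-delegation-change", ev.delegate, ev.block))
    for name, limit in (("proposal-threshold", PROPOSAL_THRESHOLD), ("quorum", QUORUM)):
        warn_line = limit * WARN_PCT // 100
        # Fire only when the balance crosses a line upward, so a delegate that
        # already sits above it does not re-alert on every small change.
        if ev.previous_balance < warn_line <= ev.new_balance:
            alerts.append((f"approaching-{name}", ev.delegate, ev.block))
        if ev.previous_balance < limit <= ev.new_balance:
            alerts.append((f"crossed-{name}", ev.delegate, ev.block))
    return alerts

def scan(events: List[DelegateVotesChanged]) -> List[Alert]:
    """Run the rules over a batch of events in block order."""
    return [a for ev in sorted(events, key=lambda e: e.block) for a in check_event(ev)]

# Constructed sample events (not real on-chain data).
SAMPLE_EVENTS = [
    DelegateVotesChanged(100, "0xA", 1_000 * COMP, 1_500 * COMP),      # routine delegation
    DelegateVotesChanged(101, "0xB", 15_000 * COMP, 21_000 * COMP),    # enters 80% band of threshold
    DelegateVotesChanged(102, "0xB", 21_000 * COMP, 33_000 * COMP),    # large jump, crosses threshold
    DelegateVotesChanged(103, "0xC", 330_000 * COMP, 405_000 * COMP),  # large jump, crosses quorum
]

if __name__ == "__main__":
    for rule, delegate, block in scan(SAMPLE_EVENTS):
        print(f"block {block}: {rule} for {delegate}")
```

In a production monitor the same rules would also track the aggregate held by a cluster of related delegates, since accumulation split across several addresses will not trip a per-delegate line.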

Oracle and Price Feed Monitoring: Anomaly detection for price deviations is available for price feeds with fallback mechanisms.

Multisig Operations: Community Multisig transaction monitoring for owner changes, Pause Guardian assignments, and parameter modifications increases transparency and accountability for privileged actions by trusted delegates.

Security-Critical Events: Signature-based detection of leading threat indicators identifies potential transactions that upgrade or pause market assets, consolidate voting power to meet the thresholds for proposing and quorum, and execute privileged actions on protocol contracts.

Automated Response Systems

Governance Automation: Mainnet proposal queuing and execution when the timelock period expires. Execution of queued proposals on L2 networks. Retry logic for failed simulations and executions, with escalation to manual intervention.

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model

This section was submitted privately to the Compound Foundation.

4b) Milestones and Performance Metrics

This section was submitted privately to the Compound Foundation.

4c) Conflict of Interest Resolution

OpenZeppelin confirms that the company currently works with other clients in the same or adjacent domains as Compound, including some who may be considered protocol forks or direct competitors. Although this is a common aspect of the blockchain space due to its permissionless ethos and open source structure, we approach each client engagement with strict adherence to confidentiality, integrity, and professional responsibility.

To mitigate any conflicts of interest and ensure the protection of client confidential information, we implement the following safeguards:

  • Contractual Agreements: OpenZeppelin enters into contractual agreements with all clients containing terms tailored to the nature of the services, which include confidentiality obligations.

  • Confidentiality Agreements: All OpenZeppelin team members are bound by confidentiality agreements, which are bolstered by a strong internal compliance function that ensures all staff members understand their obligations and how to meet them.

  • Policies Addressing Conflicts of Interest: OpenZeppelin’s Code of Conduct and Market Integrity Policy address conflicts of interest and provide rules and guidance on how to identify, prevent, and manage conflicts of interest appropriately.

  • Internal Security Program: OpenZeppelin has established its organizational security program aligned with SOC 2 to protect sensitive data and information. OpenZeppelin’s security program is audited by an independent firm on an annual basis. For more information regarding our security program and particular data protection controls, please see our Trust Center.

  • Insurance: OpenZeppelin maintains comprehensive insurance coverage, including cyber insurance and E&O insurance.

Given the critical nature of OpenZeppelin’s security services, we take our obligations seriously and are committed to handling any actual or perceived conflicts with transparency and diligence.

4d) Transition and Offboarding Plan

OpenZeppelin acknowledges the DAO’s current right to terminate with 60 days’ notice and commits to ensuring continuity during any such 60-day transition period following notice of termination.

Existing Public Record: Our Compound security work is already publicly documented through audit reports, quarterly forum updates, published security advisories, and governance proposal reviews. This comprehensive public record minimizes the knowledge transfer necessary for any successor to accept responsibility and complete their earliest accepted scopes.

Transition Coordination: Upon identification of a successor, we will schedule coordination meetings to establish clear handover dates for: new scheduled scopes with their estimates, governance proposal review responsibilities, short-notice security requests, monitoring, incident response, and any remaining queued scopes. We will work directly with the incoming provider to agree on specific transition dates for each service area. Any accounts currently managed will be transitioned to the Foundation or successor as needed, including the transfer of all associated financial responsibilities and updating of billing information to reflect the new account holder.

Transition Commitments: During the 60-day period, we will complete any in-progress scopes to avoid security gaps, maintain full security services until the final day, and remain available upon request to answer questions. We will publish a brief final update summarizing the status of all transferred responsibilities and provide direct contact information for any post-transition clarifications.

Section 5: Service Level Expectations (SLA)

This section was submitted privately to the Foundation.

Section 6: Final Considerations

We appreciate the Compound community’s time and consideration of this proposal, and we remain committed to supporting the protocol’s continued growth and security.
