Request for Proposals: Compound DAO Security Service Provider
Immunefi Magnus Security Proposal
Powered by Dedaub, Runtime Verification and Sigma Prime
0. Overview
This collaborative proposal was built to anticipate the unique security needs of the Compound DAO at this pivotal moment in its history. We believe Compound can accelerate its growth as a DeFi leader if it strikes the right balance between innovation and reliability, especially with its v4 upgrades and the upcoming community-driven ecosystem roadmap.
The consortium of security providers behind this proposal, powered by Magnus, Immunefi’s end-to-end onchain security platform, is assembled with the aim to comprehensively cover security in a time of significant evolution, acting as an innovation enabler while ensuring it does not sacrifice safety.
The consortium is coordinated by Immunefi and led by a renowned group of core security firms: Dedaub, Runtime Verification and Sigma Prime. This team is enhanced by supporting partners, also integrated in Immunefi’s Magnus platform: ChainPatrol, FailSafe, Fuzzland, OpSek and Shield3.
While the core partners ensure the scope of the RFP is fully met, the supporting firms provide additional optionality for wider threat coverage, in a coherent manner and without introducing excessive costs. The consortium is steered by a dedicated vCISO who will leverage this combined talent pool and the Immunefi Magnus platform to address Compound’s security needs in an all-inclusive and efficient manner.
Partners, Background and Relevant Clients
About the Core Partners
About Dedaub
Dedaub is a leader in web3 security, with top auditor expertise and tooling. It is best known for their on-chain decompiler for EVM smart contracts, continuously operating since 2018, with close to 10,000 registered users. Hundreds of security researchers, as well as other investigators of smart contracts without verified source code, use the decompiler daily. Derivative tools, under the Dedaub Security Suite, include a comprehensive monitoring and alerting infrastructure.
As an auditor, Dedaub has conducted numerous audits and impact studies for the Ethereum Foundation and has audited some of the top names in web3, including:
- Chainlink: Auditor for the majority of Chainlink projects, both on- and off-chain code. (All reports of the past 3 years are under NDA and not available on the public site.)
- EigenLayer: Multiple audits of middleware and core AVSes (e.g., EigenDA), many more audits of partners in the EigenLayer ecosystem (e.g., EOracle, third-party AVSes).
- Liquity: Multiple audits of the core Liquity protocol, including Liquity v2 (Liquity Bold), as well as official add-ons (ChickenBonds) and audits of derivative protocols in the Liquity ecosystem (e.g., Yeti, VaultEdge, Stable Jack, Felix, Gravita).
- 0x: Multiple audits of different decentralized functionality for the exchange.
- Others: Over 250 other audits of several prominent DeFi protocols, e.g. LayerZero, GMX, Pendle, Lido, Blur, Nexus Mutual, and more.
As whitehat hackers and security researchers, Dedaub has received several million in whitehat bounties for numerous vulnerabilities discovered in deployed protocols. This includes identifying the #1 largest vulnerability by exploitable dollar value in crypto, in a historically-major decentralized bridge. Dedaub is continually participating in war rooms for major hacks, is regularly consulted for widespread, ecosystem-level vulnerabilities (due to the value of Dedaub tooling for impact queries), participates in several protocol or L2 Security Councils, and is a founding member of the Security Alliance (SEAL).
About Immunefi
Immunefi is a leading onchain security platform, offering a comprehensive suite of services through its Magnus platform to more than 350 protocols and dapps. In just over four years, it has directly prevented hacks worth over $25 billion USD and its community of Security Researchers has been awarded over $121 million USD for responsibly disclosing more than 5,000 web2 and web3 vulnerabilities, including +1,150 criticals — nearly six critical bugs a week since Immunefi was founded in December 2020.
In addition to Compound, Immunefi works with renowned projects including Sky (formerly MakerDAO), Optimism, Polygon, GMX, Chainlink, TheGraph, Lido, LayerZero, Arbitrum, StarkNet, EigenLayer, Astar Network, ZKsync and more, all publicly available on the website.
It’s also a proven security partner to other large ecosystems:
- Whitelisted for Arbitrum’s Security Subsidy Fund and current Arbitrum Security Council Member.
- Ran the Ethereum Foundation's first large-scale audit competition, with a $1.5M rewards pool.
- Selected by Plume as the end-to-end security partner to support its L1 and its ecosystem.
- Optimism Growth Cycle and Retro Public Good Funding Grant Recipient.
- Created the Immunefi Security Core Unit (IS-001) to provide security to the Maker (now Sky) ecosystem, including operational security audits, disaster recovery and on-call security advisory.
Magnus, Immunefi’s new unified security platform, helps CISOs and security teams deal with tool overload and blindspots across an ever-evolving threat spectrum. Projects can manage engagements through a single command center combining solutions from best-in-class partners with Immunefi’s native, purpose-built tooling, all while leveraging intelligence from Immunefi’s proprietary vulnerabilities dataset, the industry’s largest.
About Runtime Verification
Founded in 2010 and active in the blockchain space since 2017, Runtime Verification is a recognized leader in web3 security, specializing in formal verification, symbolic execution, and deep protocol audits. It is best known for developing Kontrol, an open-source formal verification engine that integrates directly with Foundry and is used by security researchers and core protocol teams to write and prove smart contract invariants.
Its approach to auditing is also grounded in formal methods: every engagement begins with a detailed design review, analyzing the protocol’s mechanisms and producing clear, structured specifications. These guide the code review process and often surface critical issues before a single line is audited.
Runtime Verification has audited high-impact systems like Ethereum 2.0, Gnosis Safe, Lido, Optimism, and Stellar’s Soroban Smart Contract Platform. A complete list of previous engagements can be found here. Its team also brings expertise in Rust, Go, cross-chain messaging mechanisms, and infrastructure audits, allowing us to support a wide range of blockchain projects beyond Solidity smart contracts.
About Sigma Prime
Sigma Prime is a leading blockchain security and research firm with almost 10 years of experience in decentralized technology. Founded in 2016, Sigma Prime has performed hundreds of security reviews for leading protocols and applications while building and maintaining Lighthouse, a prominent Ethereum consensus client written in Rust. Their areas of specialization include:
- Smart contract security audits (Solidity, Rust, Go, MOVE).
- Blockchain core infrastructure security (L1s, consensus, networking, cryptography).
- Cross-chain and Layer 2 protocol security.
- DeFi protocol security with particular expertise in lending protocols.
- Traditional infrastructure and application-layer penetration testing.
Sigma Prime has a team of 50+ security researchers, engineers, and academics, across both security practice and R&D, including:
- Extensive background in both blockchain security and traditional cybersecurity.
- Active members on various prominent protocol security councils (e.g. EigenLayer, Polygon, Lido).
- Several team members with advanced academic credentials and published research.
- Senior staff with red team and enterprise penetration testing backgrounds.
- Experience spanning complex governance systems (e.g. Aave), lending protocols (Aave, Term Finance, Burrow Finance, Interest Protocol, Gearbox), and cross-chain deployments across major L1s and L2s.
Sigma Prime’s public audits repository demonstrates work with the Ethereum Foundation and protocols such as Lido, Omni, Mantle, Optimism, Kelp, Swell, Term Finance, RocketPool and more:
- Chainlink: Ongoing engagement for a variety of projects and cross-chain integrations.
- EigenLayer: Multiple audits of restaking infrastructure and AVS ecosystem.
- Polygon: Continuous security services across ZK-rollup and sidechain deployments.
- Aave: Historical security partnership with comprehensive lending protocol expertise.
- Synthetix: Historical security reviews for synthetic asset protocols.
It is also a founding member of the Security Alliance (SEAL).
About the Supporting Partners
About ChainPatrol
ChainPatrol offers real-time security for web3 brands, communities and teams, including brand monitoring, wallet blocking, protection against phishing, impersonation and fake domains, unlimited takedowns and support triaging, with 24/7 automated threat detection and personalized support.
ChainPatrol has previously worked with Compound and currently works with Optimism, Arbitrum, zkSync, Curve, Metamask, The Graph, Polymarket, Consensys, among others.
About FailSafe
FailSafe offers real-time threat detection and automated incident response. Its monitoring solution covers production deployments, detects anomalies, and mitigates risk before it becomes loss, going beyond alerts with programmable, on-chain responses such as pause, block, and unwind.
FailSafe works with Hyperliquid, YieldGuildGames, ByBit, Base, Haven1, BNB Chain and Kelp.
About Fuzzland
Fuzzland offers 24/7 onchain pentesting powered by advanced fuzzers, AI and formal verification with customizable alerts and optional proactive and reactive attack intervention via MEV techniques to front and back run hacks before they are executed. It has successfully rescued $33M in assets so far.
Fuzzland works with Mantle, Curve, Chainlink, Resonance, Nubit, Treehouse, IoTeX, among others.
About OpSek
OpSek offers operational security audits and training to web3 organizations and high net worth individuals, working with teams from Optimism, Aligned Layer, Contango and more to mitigate operational failures.
It’s founded by Security Alliance members with signers on Optimism and Polygon’s security councils.
About Shield3
Shield3 offers wargames and incident response preparedness and has worked with Compound, Aave, Yearn, Optimism, Base, Uniswap, Lido and the Ethereum Foundation.
It’s a founding member of the Security Alliance.
Existing relationship with Compound
Some Magnus consortium partners have or have had a direct relationship with Compound:
- Immunefi designed and currently runs Compound’s Bug Bounty Program, which includes 24/7 managed triage as well as a Safe Harbor module.
- ChainPatrol has previously protected Compound from brand impersonation threats and Shield3 ran an incident response tabletop exercise with Compound in 2023.
- Dedaub, Sigma Prime and Runtime Verification haven’t directly worked with Compound, but have audited protocols derived and forked from Compound, protocols that expose Compound integrations (e.g., DeFi Saver, Yearn, Vesper), as well as competing lending protocols (e.g., Liquity, Term Finance, Yeti, Aave, and Alchemix).
Our collective experience with similar complex DeFi protocols positions us to rapidly gain deep protocol familiarity without impacting Compound’s timeline or budget.
For that, we propose a self-funded rapid protocol familiarization strategy to ensure we can deliver immediate value, leveraging our core team’s deep experience with analogous systems.
I. Leveraging Existing Expertise:
- Historical Lending Protocol Partnerships: Comprehensive understanding of lending pool mechanics, collateralization, liquidation processes, and governance structures, including Aave, Liquity, Euler, Maker (now Sky), Morpho, Maple, Yearn and more.
- Chainlink Integration Experience: Public experience with complex oracle systems and multi-chain architecture similar to Compound’s cross-chain deployments.
- DeFi Protocol Expertise: Experience with numerous other DeFi protocols including lending, governance, and cross-chain systems.
- Multi-Chain Experience: Established work across all major L1s and L2s where Compound operates.
- Bridge and Cross-Chain Security: Deep experience with cross-chain deployment security considerations.
- Complex System Analysis: Proven track record rapidly onboarding sophisticated protocols including multiple Chainlink protocols, EigenLayer’s restaking mechanisms and Polygon’s multi-chain infrastructure.
II. Self-Funded Preparation Phase and Initial Assessment:
- Dedicated R&D Time: Each core partner will dedicate internal time (at no cost to Compound) to comprehensive Compound protocol analysis. Any supporting partner ultimately enlisted to secure Compound will do the same.
- Architecture Deep Dive: Systematic study of Compound V3 implementations across all deployment networks.
- Historical Context Analysis: Review of Compound’s evolution, past security considerations, and governance decisions.
- Comparative Protocol Analysis: Detailed comparison with other lending protocols to identify Compound-specific security considerations.
- Coordination with Relevant Stakeholders: The core group will hold interview meetings with relevant stakeholders for additional discussions and knowledge sharing.
III. Operational Readiness Timeline:
- Pre-Engagement Phase: Complete protocol familiarization using internal R&D resources before the engagement begins in September.
- Team Cross-Training: Ensure multiple engineers achieve Compound expertise before engagement commencement.
- Immediate Readiness: Full operational capability from day one of the paid engagement period, with no learning curve impacting Compound’s timeline or budget.
This approach ensures Compound receives immediate expert-level service while benefiting from our investment in protocol expertise, rather than paying for our learning curve.
We will also coordinate a transition plan with OpenZeppelin if our proposal is approved.
1. Scope of Security Work
Scope Overview:
The scope of this proposal spans the full security lifecycle, with a core offering augmented by supporting partners that can be engaged ad hoc. We propose adopting a more flexible approach than usual to provide the most effective security posture, with optionality to cover any security gaps that may surface.
Whereas in the past the Compound DAO has favoured a single-vendor approach, it’s clear the security community is now capable of combining the convenience and efficiency of a single provider with the scalability and breadth of coverage that only a broad base of best-in-class firms can guarantee.
Such a structure is crucial because, to succeed, Compound should go beyond addressing just smart contract and governance risk through code and proposal reviews and monitoring. After all, to boost technical innovation, developing a robust and lasting security culture across the DAO is of the essence.
This unique approach is possible because Immunefi’s vCISO and all partners can coordinate and orchestrate its execution in a frictionless, unified manner. The providers are being integrated in the Magnus platform and share ongoing, formal partnerships which predate and transcend this proposal.
Now let’s analyse the scope in further detail:
I. Core Audit and Review Activities:
- Smart contract audits for new deployments and protocol upgrades, including formal verification when appropriate.
- Governance proposal technical reviews and payload/calldata validation.
- Emergency governance proposal rapid reviews.
- Token integration and collateral onboarding security assessments.
- Cross-chain deployment and bridge integration reviews.
- Protocol upgrade security analysis.
II. Front-End and Off-Chain Systems:
- Selective front-end security reviews focused on security-sensitive and core functionality, following a clear definition of scope and functionality.
- Infrastructure penetration testing capabilities, including evaluation of deployment and operational security.
- Comprehensive evaluation of REST APIs, GraphQL endpoints, and WebSocket connections.
- Assessment of systems that interact with or support blockchain operations and their interactions with smart contracts.
- Deep Rust and Go expertise in reviewing complex off-chain L1 and L2 systems, encompassing the entire protocol ecosystem beyond smart contracts.
III. Security Advisory and vCISO Services:
- Dedicated vCISO appointed by the core partners and coordinated by Immunefi with clear ownership of the three workstreams to effectively coordinate the consortium with the DAO.
- vCISO chairs an internal Security Council, comprising Immunefi, Dedaub, Sigma Prime, and Runtime Verification, which can be potentially upgraded to a standard Compound Security Council.
- vCISO steers and supervises monthly “Security Townhalls”, bringing together the auditors and key stakeholders to surface issues, align priorities, and discuss potential incidents.
- Maintains an up-to-date security knowledge base, helping preserve context and insights gained across audit and monitoring cycles through Immunefi’s Magnus on-platform Guardian AI.
IV. Monitoring and Incident Response:
- 24/7 incident response powered by dedicated Immunefi and Dedaub resources and by the core team’s diverse geographical coverage, with escalation to SEAL 911 if required.
- Ongoing monitoring with a selection of tools to be decided by the vCISO and the security council after the initial assessment, including Dedaub’s Security Suite, Fuzzland’s Blaz+ and FailSafe.
V. Notable Exclusions and Limitations:
- Comprehensive front-end UI/UX reviews (security-critical components only).
- Economic modeling and market simulation (technical security focus).
Multi-Chain Support & Upgrade Expertise:
The Magnus consortium has notable experience across all networks where Compound’s v3 is deployed and anticipates the same for Compound v4. We highlight the following points:
I. Network Experience:
- Ethereum Mainnet: Deep expertise from Sigma Prime’s Lighthouse consensus client development, Dedaub’s EVM tooling and Immunefi’s EVM BBP and audit competition experience.
- Layer 2 Networks: Comprehensive experience across Arbitrum, Optimism, Base, Scroll, Polygon, and Mantle.
- Emerging Networks: Active work with emerging protocols and novel blockchain primitives and architectures through various client engagements.
- Cross-Chain Architecture: Proven track record with bridge protocols and multi-chain deployments.
II. Protocol Upgrade Expertise:
- Experience with complex upgrade mechanisms for major DeFi protocols.
- Comprehensive review of migration logic and state transition safety.
- Cross-chain consistency verification for synchronized upgrades.
- Backward compatibility assessment for existing user positions.
III. Staying Current with Emerging L2s:
- Active participation in L2 security working groups and security councils as described in the general overview section.
- Strategic partnerships with L2 infrastructure providers.
- Regular internal training on new virtual machine implementations and research on new developments.
Resource Allocation and Availability:
Resource allocation and availability reflects tried and tested engagements that our core audit partners have already performed. This includes priority audits, continuity protocols, and engaging extra personnel on a per-need basis, to prevent bottlenecks and maximise eyes on the code.
I. Dedicated Team Structure:
- 2-3 Core Engineers each from Dedaub and Sigma Prime: Dedicated pool of senior security engineers for Compound work available every week as per scoping requirements.
- Up to 2x 12 Weeks of Engineers for Formal Verification Audits: With 12 months’ access to Runtime Verification’s cloud-based formal verification platform for its Kontrol engine, KaaS.
- 1 Lead: Security manager or firm director with authority to prioritize Compound engagements.
- Full Team Access: Ability to scale to our partners’ entire security teams for complex reviews.
- Dedicated vCISO and Internal Security Council: With proven experience and with a role further detailed in this proposal.
II. Bottleneck Prevention:
- Our structure provides parallel audit capacity for at least 2 simultaneous engagements:
- Sigma Prime will cross-train team members ensuring coverage during absences.
- Dedaub is a naturally-elastic audit team, with security engineers typically focused on developing technology and investigating security incidents and so available to join audits as needed to eliminate temporary bottlenecks.
- Pre-defined rapid scaling procedures for urgent reviews.
- Flexible internal scheduling with explicit Compound prioritization authority.
III. Context and Continuity Preservation:
- Dedicated senior security engineers with the vCISO managing a custom Compound knowledge base and documentation system on Guardian AI on the Immunefi Magnus platform.
- Structured team rotation maintaining multiple experts, with at least one engineer with prior experience with Compound protocol.
- Assurance that at least one dedicated Compound auditor can be available for any short-deadline engagement.
- Comprehensive handoff procedures, historical tracking and regular internal training.
- Communication and oversight through monthly all-hands meetings with the core partners, supervised by our partners’ founding teams, so that our entire corps of auditors retains Compound context.
- Quarterly performance reports on Compound’s governance forum.
Additional Services and Tools:
Beyond the core scope of audits, monitoring, vCISO services and incident response, we also provide the following services free of charge:
I. Initial Assessment Phase:
- As explained in the rapid protocol familiarization strategy outlined in section 0.
II. Governance Participation:
- Regular participation in Compound governance calls and community discussions.
- Public security education content for the Compound community.
- Advisory input on security-impacting governance proposals and security-council-level advising/consulting.
III. Training and Knowledge Transfer:
- Security best practices workshops for Compound contributors.
- Developer security training for teams building on Compound.
- Documentation of security guidelines for common integration patterns.
- Building and maintaining a public Compound security knowledge base on Immunefi’s website focused on providing security researchers with updated education materials.
Additionally, we have negotiated preferential terms with the providers below, which offer additional services that we deem relevant to Compound’s DAO. The vCISO will have a budget to be able to implement some of these recommendations after the initial assessment phase. Other services will remain available to the DAO when necessary, and can be activated cohesively within the setup of SSP execution within the Immunefi Magnus platform.
IV. ChainPatrol’s Support Services:
- 24/7 automated brand and reputation threat detection.
- Blocking at wallet and browser with unlimited domain and social platform takedowns.
- Team / stakeholder protection with dedicated brand protection staff.
- Blocklist integrations and reporting for brands.
- Worked with Compound in the past and is ready to support re-activating Compound’s X account.
V. OpSek’s Support Services:
- Operational security audits on Compound’s infrastructure.
- Operational security audits and OSINT research on key members and stakeholders.
- Security awareness training and physical security training and preparation ahead of travel.
- Dedicated operational security point of contact with dedicated channel and office hours.
VI. Shield3’s Support Services:
- Protocol threat modelling and risk assessment, including:
- Proactive assessments prior to major upgrades or new deployments.
- Control surface analysis and access control recommendations.
- Incident response training via custom tabletop exercises, testnet simulations and live drills including development and maintenance of incident response playbooks.
- Development of custom monitoring tooling for protocol deployment oversight.
VII. Complimentary Access to the Immunefi Magnus platform:
- The Immunefi Magnus platform integrates automated tooling from Runtime Verification, Fuzzland, FailSafe and ChainPatrol within the unified SecOps setup and is used by the vCISO and by the core teams to manage the engagements and the various tooling offers.
- The Compound team will be able to add as many members as required to its Compound account on the Magnus platform. In addition to enhancing the coordination between the security providers and the Compound team, users will also have access to:
- Codexa: Intelligence from the most comprehensive dataset of blockchain vulnerabilities, powering a set of SecOps automations to accelerate response and improve monitoring.
- Radar: Radar will continuously monitor eligible assets for new smart contracts and flag them instantly, enabling one-click program updates with zero manual set-up.
- Guardian: An AI-powered security copilot backed by Codexa, which can be privately trained on Compound’s unique infrastructure if desired.
- Lastly, Compound’s ongoing Bug Bounty Program with Immunefi will also be managed from within Magnus, benefiting from various automations which can be leveraged by the SSP team.
2. Technical Methodology and Audit Process
Audit Methodology and Workflow:
Our audit methodology combines components from our core audit partners. Each has a particular process for code reviews and this coordinated approach strengthens the audit methodology. The coordination by the vCISO and the internal Security Council has been designed to retain context in between assignments. Lastly, the possibility for independent, parallel audits reduces blind spots:
- Together with technical requirements stemming from key stakeholders within the Compound DAO and from its main development team and contributors, the vCISO will allocate audits between Dedaub and Sigma Prime, in coordination with the Security Council, aiming for an even split while ensuring allocations are impartial and based on the best fit for each code review.
- Whenever relevant, the vCISO will also recommend formal verification audits with Runtime Verification. In this proposal we’re not only including access to KaaS, Kontrol’s delivery platform, but also sufficient Runtime Verification engineering time to handle the formal verification engagement process throughout 12 months.
- As mentioned in the previous section, to further ensure context is shared between audits, the core group will engage in monthly “Security Townhalls” to foster direct collaboration between the teams responsible for different engagements. Additional meetings may be held on demand.
- Moreover, given that partners are integrated into the Immunefi Magnus platform, the vCISO and the auditors will be able to manage assignments through it and maintain an up-to-date security knowledge base through its Guardian AI to aid context preservation across engagements.
Now let’s expand on the methodologies of each audit partner:
I. Dedaub — Audits:
Dedaub’s Security Audit teams comprise at least two senior security researchers, as well as any support they may need (e.g., cryptography expertise, financial modeling, testing) from the rest of the team. It carefully matches the team’s expertise to the audit project’s specific nature and requirements. Dedaub auditors conduct a meticulous, line-by-line review of every contract within the audit scope, ensuring that each researcher examines 100% of the code. There is no substitute for deep understanding of the code and its context, forming a thorough mental model of its interactions and correctness assumptions. Reaching this level of understanding is the goal of any Dedaub audit.
To achieve this, Dedaub employs strategies such as:
- Two-phase review: During phase A, auditors understand the code in terms of functionality, i.e., in terms of legitimate use. During phase B, auditors assume the role of attackers and attempt to subvert the system’s assumptions by abusing its flexibility.
- Constant challenging between the two senior auditors: The two auditors will continuously challenge each other, trying to identify dark spots. An auditor who claims to have covered and to understand part of the code is often challenged to explain difficult elements to the other auditor.
- Thinking at multiple levels: Beyond thinking of adversarial scenarios in self-contained parts of the protocol, the auditors explicitly attempt to devise complex combinations of different parts that may result in unexpected behavior.
- Use of advanced tools: Every project is uploaded to the Dedaub Security Suite for analysis by over 70 static analysis algorithms, AI, and automated fuzzing. Dedaub maintains its own fork of the ItyFuzz tool; all other tools are custom, leveraging Dedaub’s extensive expertise in program analysis research. Auditors often also write and run manual tests on possible leads for issues.
Dedaub’s auditors also identify gas inefficiencies in smart contracts and offer cost optimization recommendations. We thoroughly audit integrations with external protocols and dependencies, such as oracle services, to ensure they align with intent and specifications.
The audit methodology and workflow can be consulted in detail at Dedaub’s documentation page.