Request for Proposal (RFP): Compound DAO Security Service Provider (SSP)

Section 3: Risk Management and Incident Response

Cantina currently offers full incident command and 24/7 monitoring and response services with a fully staffed SOC team trained in both web2 and web3 attack vectors and threats. Our program was created in collaboration with a former lead of threat intelligence at Coinbase and will cover Compound’s complete attack surface, web2 and web3, physical and digital. Cantina offers this as a stand-alone service, meaning it is handled by a dedicated full-time team separate from our security researchers, so that our customers can count on dedicated attention for their incident command rather than a generalized offer facilitated by security researchers who have competing priorities. Cantina’s incident command offering is based on the firm, legally documented SLA response times standard in the web2 world, with 24/7 coverage provided by teams across globally distributed timezones. This gives you the benefit of web2’s battle-tested incident command structure while also incorporating the threats unique to web3 and the mechanisms needed to account for them, including web3 monitoring tooling and safeguards such as multisig safe signer and guardian signer roles. Recent examples of customers who use our full incident command offering include Matter Labs and EigenLayer.

3a) Vulnerability Triage & Disclosure

Communication channels are set up and always available between the Compound and Cantina teams. Our global team covers all timezones, allowing for quick reactions and responses.

  • During the course of an audit, the Compound developer team will have 24/7 access to and visibility into our internal communication channels and discussions. If a critical bug is discovered during an audit, the exact lines of code and the issue will be described, the responsible people on the Compound team involved in the audit will be made aware of it immediately, and a remediation will be proposed and reviewed to make sure the vulnerability is patched and that the remediation does not introduce any other issues.
  • If the vulnerability is found in live code, it will be immediately triaged by our internal team and the relevant people at Compound will be notified through our established communication channels. While establishing contact, the team will be proposing a fix and monitoring the live code. If no response is received, we will contact the relevant points of contact via Telegram, email, Slack, or through any other party that can reach the person(s) responsible for addressing the issue.
  • Our responses and coordination plans are measured in hours. In less than 8 hours a critical vulnerability can be discovered and communicated, and a fix can be proposed and helped into production.
  • We will always notify developers and provide advice on fixes.
  • Public disclosure is at the discretion of the Compound team and community. We will never publish or disclose anything unless explicitly allowed.

3b) Incident Response Support

In case of an exploit the following steps are taken:

  1. Compound’s responsible points of contact will be added to a dedicated war room Telegram channel together with our specialized team of security researchers assigned to the Compound engagement.
  2. Our Incident Response Commander will join a call with the Compound team to coordinate all parties and immediately start collecting evidence in a privately shared document.
  3. In the meantime, our security team will conduct an OSINT and technical investigation to identify the exact root cause of the issue and start developing a recovery plan.
  4. Thanks to our reputation and connections in the space, we can immediately reach out to third parties to aid in the investigation, such as other whitehats, centralized and decentralized exchanges, private investigators, and law enforcement.
  5. Recovery plans are consolidated using the collected evidence.

A private example where Cantina helped in fund recovery was when one of our clients reached out for help when they suffered an exploit. This was not part of any engagement nor contract we worked on, but we still stepped in to assist. Following the steps outlined above, we identified the exact root cause and helped pause the protocol. We then conducted an exhaustive OSINT operation to link the address of the hacker to an abandoned CEX account thus revealing his identity. In less than 5 hours we had enough evidence and information on the hacker to initiate targeted negotiations. The hacker returned the funds when we contacted one of his family members - who we identified during our OSINT operation - to apply pressure or risk legal consequences. Funds were returned in full.

3c) Continuous Monitoring & Threat Detection

Blockaid and Cantina jointly deliver a comprehensive, multi-layered monitoring and threat detection system that operates 24/7 across all protocol assets, governance mechanisms, and user interactions. Blockaid’s approach combines multiple complementary security solutions in one platform to create an integrated defense framework that protects against the full spectrum of onchain threats while maintaining operational efficiency.

Unlike traditional monitoring solutions that focus solely on post-incident detection, Blockaid provides real-time threat prevention at multiple layers: stopping wallet drainers and malicious dApps at the transaction level to preserve user trust and prevent churn, enforcing security policies at the multisig level, and providing comprehensive threat detection and automated response across the entire protocol infrastructure.

Infrastructure Monitoring Stack

The Blockaid Platform serves as the foundational monitoring layer for Compound’s entire ecosystem, providing real-time visibility and threat detection across all critical assets and operations.

Asset Coverage:

  • Smart Contracts: All Compound V3 deployments across Ethereum, Base, Arbitrum, Optimism, Polygon, Mantle, Scroll, Ronin, Linea, and Unichain

  • Governance Infrastructure: Delegate consolidation, proposal payload mismatches, and quorum risk

  • Treasury & Reserve Assets: Protocol reserves, community multisigs, and treasury wallets across all chains

  • Cross-Chain Infrastructure: Bridge contracts, L2 deployment mechanisms, and chain-specific governance receivers

  • External Dependencies: Oracle feeds, yield-bearing assets, and integrated protocol interfaces

Real-Time Monitoring Capabilities: Blockaid’s monitoring infrastructure continually covers threat vectors across multiple dimensions:

  1. Smart Contract Activity
  • Unauthorized proxy upgrades or implementation changes

  • Suspicious function calls to sensitive protocol methods

  • Unusual permission changes or access control modifications

  • Detection of exploit contract deployments

  • Detection of reentrancy, arbitrary delegatecalls, oracle manipulations, and logical vulnerabilities

  2. Financial Anomalies
  • Large or unusual asset movements from protocol reserves

  • Abnormal liquidation patterns or market manipulation attempts

  • Cross-chain fund movements that deviate from expected patterns

  • Treasury withdrawal anomalies

  3. Governance Security
  • Sudden accumulation of voting power approaching proposal thresholds

  • Malicious proposal monitoring
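To make two of the detection categories above concrete, here is an added example of the kind of rule logic a monitoring layer runs over a stream of protocol events. It is illustrative code written for this document, not Blockaid’s detection engine. The event stream, the contract and actor names, the audited-implementation allowlist and the thresholds are all constructed assumptions. The financial rule learns a robust baseline (median and median absolute deviation) from routine reserve withdrawals and flags outliers; the contract-activity rules flag implementation or admin changes that fall outside governance or the audited set.

```python
# Added example, not Blockaid's code: a small rule engine over a constructed
# stream of protocol events. Two of the categories above are implemented:
# financial anomalies (reserve outflows far above a learned baseline) and
# smart-contract activity (implementation/admin changes outside governance).
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    block: int
    contract: str
    kind: str          # "Withdraw", "Upgraded" or "AdminChanged"
    actor: str         # address that sent the transaction (constructed)
    amount: int = 0    # base units, used by "Withdraw"
    target: str = ""   # new implementation or admin, used by upgrade events


# Constructed allowlists; in practice these are maintained by the security team.
AUDITED_IMPLS = {"0xaudited_impl_v1", "0xaudited_impl_v2"}
GOVERNANCE_ACTORS = {"0xgov", "0xtimelock"}

# Constructed event stream: twenty routine reserve withdrawals that vary a little,
# then a modest bump, a 50x outflow, a legitimate upgrade, and two rogue changes.
EVENTS = [
    Event(100 + i, "cUSDCv3", "Withdraw", "0xgov", amount=900_000 + (i % 5) * 50_000)
    for i in range(20)
] + [
    Event(130, "cUSDCv3", "Withdraw", "0xgov", amount=1_200_000),
    Event(131, "cUSDCv3", "Withdraw", "0xunknown", amount=50_000_000),
    Event(132, "cUSDCv3", "Upgraded", "0xgov", target="0xaudited_impl_v2"),
    Event(133, "cUSDCv3", "Upgraded", "0xdeployer", target="0xunreviewed_impl"),
    Event(134, "cUSDCv3", "AdminChanged", "0xdeployer", target="0xdeployer"),
]


def mad_baseline(values, scale=1.4826):
    """Median and scaled median absolute deviation: a baseline that the outliers
    we are hunting for cannot drag along with them, unlike mean/stddev."""
    m = median(values)
    mad = median(abs(v - m) for v in values) * scale
    return m, mad


def detect(events, warmup=20, z_threshold=10.0):
    """Return findings as (block, rule, detail) tuples, in block order."""
    findings, history = [], []
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "Withdraw":
            if len(history) >= warmup:           # only judge once a baseline exists
                m, mad = mad_baseline(history)
                floor = max(mad, m * 0.01)       # avoid dividing by ~0 on flat series
                if (ev.amount - m) / floor > z_threshold:
                    findings.append((ev.block, "large_reserve_outflow",
                                     f"{ev.amount} vs median {int(m)}"))
            history.append(ev.amount)
        elif ev.kind == "Upgraded":
            if ev.target not in AUDITED_IMPLS:
                findings.append((ev.block, "unreviewed_implementation", ev.target))
            if ev.actor not in GOVERNANCE_ACTORS:
                findings.append((ev.block, "upgrade_by_non_governance_actor", ev.actor))
        elif ev.kind == "AdminChanged" and ev.target not in GOVERNANCE_ACTORS:
            findings.append((ev.block, "admin_moved_outside_governance", ev.target))
    return findings


if __name__ == "__main__":
    for block, rule, detail in detect(EVENTS):
        print(f"block {block}: {rule} ({detail})")
```

The 20% bump at block 130 stays silent because it sits within the learned spread, while the 50x outflow at block 131 and the two changes by a non-governance actor each produce a finding; a robust baseline matters here because a single huge outflow would otherwise inflate a mean-based threshold and hide the next one.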

Threat Detection Engine

Machine Learning-Enhanced Analysis: Blockaid’s detection system leverages ML models trained on billions of onchain transactions to identify suspicious patterns while minimizing false positives. The system automatically learns from the protocol’s normal operational patterns to establish behavioral baselines.

Threat Intelligence Integration: Blockaid’s detection capabilities extend beyond Compound’s directly controlled assets through internet-wide threat intelligence:

  • Emerging Threat Identification: Detection of new drainer-as-a-service kits or exploit techniques that could target Compound

  • Impersonation Monitoring: Continuous scanning for malicious dApps or phishing sites targeting Compound users

  • Supply Chain Threats: Monitoring for compromised frontend deployments or malicious dependencies (both onchain and offchain)

Security Enforcement for Compound Multisig

Blockaid Cosigner is a unique enforcement layer that actively prevents malicious transactions in Compound’s governance and treasury operations. It acts as an additional layer of security specifically designed for Compound’s multisig operations, acting as an automated security reviewer for every transaction before it can be executed.

Policy Enforcement Framework: Cosigner operates as a 1-of-2 Safe wallet that serves as a signer on Compound’s main multisig wallets. Every proposed transaction is automatically:

  1. Simulated on a dedicated node to understand its complete effects: state changes, fund movements, and side effects

  2. Analyzed against Blockaid’s threat detection engine and evaluated against Compound-specific security policies. This includes:

  • Known Threat Detection: Comparing against known attack vectors and exploit patterns

  • Behavioral Analysis: Detecting deviations from normal multisig usage patterns

  • Destination Validation: Verifying interaction with known-safe contracts and addresses

  3. Either approved automatically or flagged for manual review

Compound-Specific Security Policies:

  • Governance Proposal Validation: Ensuring proposal calldata matches expected governance patterns

  • Treasury Protection: Validating that fund movements align with approved governance decisions

  • Upgrade Path Security: Verifying that proxy upgrades point to audited implementations
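The policy framework and the Compound-specific policies above describe a pre-execution gate; the following is an added example of what such a gate looks like as code. It is written for this document and is not Blockaid Cosigner’s implementation. The simulation result is a constructed object (real tooling would derive it from a node-level simulation), and the contract names, allowlists, approved-transfer table, baseline and threat patterns are placeholder assumptions, not real Compound addresses or policies.

```python
# Added example, not Blockaid Cosigner's code: a pre-execution policy gate that
# decides whether a proposed multisig transaction is auto-approved or held for
# human review. The simulation result is a constructed object; real tooling
# would derive it from a node-level simulation of the transaction.
from dataclasses import dataclass, field


@dataclass
class SimulatedTx:
    to: str                              # contract the multisig calls
    function: str                        # decoded function name from calldata
    args: dict = field(default_factory=dict)
    touched: set = field(default_factory=set)       # contracts reached during simulation
    transfers: list = field(default_factory=list)   # (token, recipient, amount) leaving the safe


# Assumed policy tables; names are placeholders, not real Compound addresses.
KNOWN_SAFE = {"0xcomet_usdc", "0xcomet_proxy_admin", "0xtimelock", "0xusdc_token"}
AUDITED_IMPLS = {"0xcomet_impl_v3_1"}
# (token, recipient, cap) triples that a passed governance vote authorised.
APPROVED_TRANSFERS = {("USDC", "0xgrants_safe", 250_000)}
TYPICAL_DAILY_OUTFLOW = {"USDC": 300_000}          # behavioural baseline per token
BASELINE_MULTIPLIER = 3
# Calldata shapes seen in drainer and takeover attacks: the named argument must
# point at a known-safe party or the transaction is held for review.
KNOWN_THREAT_PATTERNS = {"approve": "spender", "transferOwnership": "newOwner",
                         "setPauseGuardian": "newPauseGuardian"}


def evaluate(tx: SimulatedTx):
    """Return ("APPROVE", []) or ("FLAG_FOR_REVIEW", reasons)."""
    reasons = []

    # Destination validation: every contract the call reaches must be known-safe
    # (a freshly deployed implementation counts only once it has been audited).
    for c in sorted({tx.to, *tx.touched}):
        if c not in KNOWN_SAFE and c not in AUDITED_IMPLS:
            reasons.append(f"unknown_destination:{c}")

    # Upgrade path security: proxy upgrades may only point at audited code.
    if tx.function == "upgrade":
        impl = tx.args.get("implementation")
        if impl not in AUDITED_IMPLS:
            reasons.append(f"unaudited_implementation:{impl}")

    # Treasury protection: each outflow must match a governance-approved grant.
    totals = {}
    for token, recipient, amount in tx.transfers:
        totals[token] = totals.get(token, 0) + amount
        approved = any(t == token and r == recipient and amount <= cap
                       for t, r, cap in APPROVED_TRANSFERS)
        if not approved:
            reasons.append(f"transfer_not_governance_approved:{token}:{recipient}:{amount}")

    # Behavioural analysis: total outflow far above the usual daily pattern.
    for token, total in totals.items():
        if total > BASELINE_MULTIPLIER * TYPICAL_DAILY_OUTFLOW.get(token, 0):
            reasons.append(f"outflow_above_baseline:{token}:{total}")

    # Known threat detection: sensitive rights granted to an unknown party.
    arg_name = KNOWN_THREAT_PATTERNS.get(tx.function)
    if arg_name and tx.args.get(arg_name) not in KNOWN_SAFE:
        reasons.append(f"known_threat_pattern:{tx.function}:{tx.args.get(arg_name)}")

    return ("APPROVE", []) if not reasons else ("FLAG_FOR_REVIEW", reasons)


# Constructed transactions: a routine grant payout, an upgrade to unreviewed
# code, and an unlimited approval to an unknown spender.
ROUTINE_GRANT = SimulatedTx(to="0xusdc_token", function="transfer",
                            args={"to": "0xgrants_safe", "amount": 200_000},
                            transfers=[("USDC", "0xgrants_safe", 200_000)])
ROGUE_UPGRADE = SimulatedTx(to="0xcomet_proxy_admin", function="upgrade",
                            args={"proxy": "0xcomet_usdc", "implementation": "0xfresh_impl"},
                            touched={"0xcomet_usdc", "0xfresh_impl"})
UNLIMITED_APPROVAL = SimulatedTx(to="0xusdc_token", function="approve",
                                 args={"spender": "0xunknown_spender", "amount": 2**256 - 1})

if __name__ == "__main__":
    for name, tx in [("routine grant", ROUTINE_GRANT), ("rogue upgrade", ROGUE_UPGRADE),
                     ("unlimited approval", UNLIMITED_APPROVAL)]:
        print(name, *evaluate(tx))
```

The gate is deliberately fail-closed: an empty reason list is the only way to an automatic approval, so a new contract, a new implementation or an unfamiliar calldata shape lands in front of a human rather than being signed, which is the behaviour the override keys described below exist to bypass in an emergency.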

Override Capabilities: For urgent situations where automated approval is inappropriate, the Compound team retains full control through dedicated override signer keys.

End-User Protection: Transaction-Level Security

Comprehensive Transaction Monitoring

Blockaid’s End-User Protection extends monitoring to every individual transaction across Compound-integrated wallets and interfaces, providing real-time protection at the point of user interaction. Through integrations with leading wallets (MetaMask, Ledger, Coinbase Wallet, Rainbow, and more), Blockaid enables:

  • Real-Time Scanning: Continuous monitoring of Compound-related websites and interfaces

  • Impersonation Detection: Identifying fake Compound interfaces designed to steal user funds

  • Supply Chain Monitoring: Detecting compromised or malicious deployments of Compound frontends

Integrated Alert and Response System

Unified Incident Management

Cross-System Correlation: Threats detected by any component of the Blockaid system are correlated across all monitoring layers:

  • Platform detecting unusual protocol activity can trigger enhanced Cosigner scrutiny

  • End-User Protection identifying widespread phishing attempts can inform Platform monitoring priorities

  • Cosigner detecting governance anomalies can trigger broader Platform investigation

Automated Response Workflows: Critical threats trigger immediate automated responses:

  1. Contract Pausing: Automatic pausing of affected Compound contracts when exploits are detected

  2. Transaction Blocking: Preventing user interactions with compromised contracts or malicious dApps

  3. Governance Protection: Blocking or delaying suspicious governance proposals

Alerting, Escalation & SLAs

Blockaid’s detection engine is tightly integrated with Cantina’s 24/7 staffed Virtual Security Operations Center (vSOC), providing rapid triage and escalation.

Severity levels, with their escalation path and examples:

  • Sev 0: Critical threat to funds or governance. Escalation path: PagerDuty → Cantina on-call → Foundation security leads. Examples: protocol pause, treasury drain, rogue upgrade.

  • Sev 1: High-risk but non-immediate threats. Escalation path: Slack + Telegram + analyst review. Examples: oracle deviation, governance concentration.

  • Sev 2: Monitor-only anomalies. Escalation path: logged + batched summaries. Examples: delegation shifts, minor frontend mismatch.

Response time SLA:

  • Critical: <5 minutes

  • High: <15 minutes

  • Informational: Batched hourly

Real-Time Alerts:

  • Discord Integration: Immediate alerts to Compound community channels for transparency

  • Email/Slack/Telegram Notifications: Critical alerts sent to Compound Foundation and key stakeholders

  • Platform Access: Real-time visibility into security status through dedicated monitoring dashboards and tools

All alerts are deduplicated, labeled, and triaged by Cantina analysts in real time.
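As an added illustration of the intake step just described (deduplication, labeling, escalation and SLA deadlines), the following code is written for this document and is not Cantina’s vSOC tooling. The alert type names, chains, contract labels and timestamps are constructed; the severity table, escalation paths and acknowledgement windows follow the figures stated above, and a detector with no severity label yet is routed to analyst review rather than silently logged.

```python
# Added example, not Cantina's vSOC tooling: alert intake that deduplicates
# repeated detections, labels severity, picks the escalation path from the
# severity table above and computes the acknowledgement deadline from the SLA.
from datetime import datetime, timedelta, timezone

# Alert type names are constructed; they follow the examples in the severity table.
SEVERITY_OF = {
    "protocol_pause": 0, "treasury_drain": 0, "rogue_upgrade": 0,
    "oracle_deviation": 1, "governance_concentration": 1,
    "delegation_shift": 2, "frontend_mismatch": 2,
}
UNKNOWN_SEVERITY = 1          # a detector we have no label for gets an analyst's eyes
ESCALATION = {
    0: ["PagerDuty", "Cantina on-call", "Foundation security leads"],
    1: ["Slack", "Telegram", "analyst review"],
    2: ["log", "batched summary"],
}
ACK_SLA = {0: timedelta(minutes=5), 1: timedelta(minutes=15), 2: timedelta(hours=1)}
DEDUPE_WINDOW = timedelta(minutes=30)   # repeats of one finding in this window fold into one ticket


def fingerprint(alert):
    """Two alerts are 'the same' when one detector fired on one contract on one chain."""
    return (alert["type"], alert["chain"], alert["contract"])


def triage(alerts):
    """Fold raw alerts into tickets, each with severity, escalation path and ack deadline."""
    tickets, open_by_fp = [], {}
    for a in sorted(alerts, key=lambda x: x["ts"]):
        fp = fingerprint(a)
        t = open_by_fp.get(fp)
        if t and a["ts"] - t["first_seen"] < DEDUPE_WINDOW:
            t["count"] += 1                # duplicate: count it, do not page again
            t["last_seen"] = a["ts"]
            continue
        sev = SEVERITY_OF.get(a["type"], UNKNOWN_SEVERITY)
        t = {
            "fingerprint": fp, "severity": sev, "count": 1,
            "first_seen": a["ts"], "last_seen": a["ts"],
            "escalation": ESCALATION[sev],
            "ack_by": a["ts"] + ACK_SLA[sev],
        }
        tickets.append(t)
        open_by_fp[fp] = t
    # Sev 0 first, then by time, so the on-call list reads in order of urgency.
    tickets.sort(key=lambda t: (t["severity"], t["first_seen"]))
    return tickets


T0 = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
# Constructed alert stream: a rogue upgrade that re-fires, an oracle deviation,
# a routine delegation shift and a detector with no severity label yet.
SAMPLE_ALERTS = [
    {"ts": T0, "type": "rogue_upgrade", "chain": "ethereum", "contract": "cUSDCv3"},
    {"ts": T0 + timedelta(minutes=1), "type": "oracle_deviation", "chain": "base", "contract": "cWETHv3"},
    {"ts": T0 + timedelta(minutes=2), "type": "rogue_upgrade", "chain": "ethereum", "contract": "cUSDCv3"},
    {"ts": T0 + timedelta(minutes=3), "type": "delegation_shift", "chain": "ethereum", "contract": "COMP"},
    {"ts": T0 + timedelta(minutes=4), "type": "new_detector_signal", "chain": "arbitrum", "contract": "cUSDCv3"},
]

if __name__ == "__main__":
    for t in triage(SAMPLE_ALERTS):
        print(f"sev {t['severity']} x{t['count']} {t['fingerprint']} -> "
              f"{t['escalation']} ack by {t['ack_by'].time()}")
```

The dedupe key is deliberately coarse (detector, chain, contract) so that a detector that re-fires every block during an incident produces one ticket with a rising count instead of a page storm, while the same detector on a second chain still opens its own ticket.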

Continuous Vigilance Between Audits

Proactive Threat Hunting

Emerging Threat Research: Blockaid’s security team continuously researches and develops protection against new attack vectors:

  • Novel Exploit Patterns: Studying new attack methodologies to update detection rules

  • Governance Attack Research: Investigating emerging DAO attack vectors and implementing preventive measures

  • Cross-Chain Risk Analysis: Understanding evolving multi-chain attack patterns

Threat Intelligence Feeds:

  • Blockaid Data Network: By analyzing data from both its security integrations and global internet scanning, Blockaid discovers emerging threats as they develop

  • Industry Collaboration: Sharing and receiving threat intelligence with other security providers

  • Community Reporting: Integrating reports from whitehats and security researchers

Adaptive Security Posture

Dynamic Policy Updates: Security policies and detection rules are continuously updated based on:

  • Protocol Evolution: Adapting to new Compound features and deployment patterns

  • Threat Landscape Changes: Responding to emerging attack vectors and exploitation techniques

  • Operational Feedback: Incorporating lessons learned from security incidents and near-misses

Performance Optimization:

  • False Positive Reduction: Continuously tuning detection algorithms to minimize alert noise

  • Response Time Improvement: Optimizing automated response speeds while maintaining accuracy

  • Coverage Expansion: Extending monitoring to new assets and interaction patterns as Compound grows

Cantina integrates with Blockaid to provide the monitoring and alerting portion of our offering. Alongside this comes a multi-stage approach to incident command covering attack surface mapping, mitigation, and response, as outlined below.

Threat Modeling

Cantina will work closely with Compound’s core contributors to define and document the foundational threat landscape for the protocol. This includes:

  • Identifying the top 3 threats, top 3 crown jewels, and top 3 threat actors

  • Mapping risks across key domains:

    • On-chain assets including:
      • Smart contracts
      • Multisigs, including multisig practices: recommendations on expansion and improvements in structure, implementation, and tooling
      • Treasuries
      • Grant systems
    • Front-end interfaces and user interaction points
    • Ecosystem integrations (bridged assets, DeFi dependencies)
    • Infrastructure components (RPC endpoints, load balancers, validators)
    • Social and communication channels, including brand integrity risks
    • Personnel and endpoint vulnerabilities
    • Physical and nation-state threat scenarios

Expected Outcomes

  • Detailed threat modeling profiles for each key domain
  • Initial risk mitigation recommendations mapped to critical assets
  • Foundation for integrating detection, monitoring, and IR escalation into Client’s workflow

Program Design and Training

Cantina will guide the creation and refinement of a customized Incident Command (IC) playbook tailored to Compound’s operational environment. This includes:

  • Designing and validating the full IC process from detection to containment
  • Clearly defining roles and escalation paths across technical, legal, governance, and comms teams
  • Outlining internal and external communications procedures, including:
    • Law enforcement coordination
    • Social media response strategy
    • Protocol shutdown decision-making
  • Delivering legal and operational checklists and decision trees for high-severity scenarios
  • Assigning ownership of emergency contact trees and escalation responsibilities

Expected Outcomes

  • Delivery of Incident Response Playbook v1
  • Visual escalation and communication protocol map
  • Complete emergency contact coordination table

Attack Simulations

Cantina will design and execute a customized, live tabletop simulation to test Compound’s incident readiness. This scenario will be tailored to include realistic technical, legal, and communications challenges, and will engage both internal and external stakeholders.

Simulations may include:

  • Social team takedown scenarios (e.g., impersonation, coordinated disinfo)
  • DeFi protocol exploits with live triage walkthroughs
  • Treasury multisig phishing or compromise under time pressure

The exercise will evaluate response workflows, communication coordination, and decision-making under stress.

Expected Outcomes

  • Comprehensive Tabletop Exercise Report
  • Detailed Gaps & Friction Analysis
  • Actionable Recommendations to improve:
    • Response speed
    • Access control
    • Decision thresholds
  • Updated Incident Response Plan incorporating drill learnings

Security Development Plan

  • Synthesize findings from all previous exercises
  • Develop a prioritized plan covering security controls, processes, and monitoring enhancements

Expected Outcome:

  • Security development plan with actionable steps for continuous security improvement

Integration into Compound’s Multisig

Cantina will serve either as a trusted signer on Compound’s multisig or as a guardian signer, so that the incident command team has eyes on all transactions and no faulty, bugged, or malicious transactions are executed.

Incident Command Continuous Monitoring and Response SLA

Cantina will deliver Incident Command service to Compound, enabling rapid detection, escalation, and response to critical security incidents

This includes:

  • Full integration with Blockaid on Compound’s behalf
  • 24/7/365 availability of Cantina’s Security Analyst team with active multisig signing authority for emergency protocol pausing. Compound will be fully onboarded into Cantina’s globally distributed incident response infrastructure, with escalation channels, war room coordination processes, and protocol-level mitigation paths configured. Cantina will respond to critical incidents within 15 minutes, executing predefined actions aligned with Compound’s incident response playbook
  • SLA on all events: 15 minutes

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model

Commercials submitted via private form as per request

4b) Milestones and Performance Metrics

Milestones:

  • Audit scopes acknowledged within 1 hour from receipt, and final quote delivered within 5 hours

  • Audit team booked and ready to kick-off within 24-48 hours of contract confirmation

  • Audit reports delivered within 1 business day of fix review completion (draft) and fix review confirmation (final)

  • Outreach about any critical issues delivered within 1 hour

  • Critical issues triaged within 24 hours

  • 1 Cantina representative to participate in governance calls and inform the community of security initiatives/updates during this time

4c) Conflict of Interest Declaration

Cantina works with multiple DeFi protocols, some of which are Compound competitors; however, we have no known conflicts. Should a conflict arise, we will notify the Compound team immediately. Note that Cantina has multiple types of confidentiality safeguards and protections in place to ensure.

4d) Transition and Offboarding Plan

Because Cantina Code is used throughout the engagement, Cantina can easily export and share all audit reports with the incoming provider and will provide one month of transitional services to ensure a smooth handover to the new team. We will be fully offboarded, with the new team onboarded, within 30 days, and will remain available to help with any remaining questions for another 30 days (60 days in total).


Section 5: Service Level Expectations (SLA)

5a) Incident Response

Reaction times are below 15 minutes since we use Cantina’s Incident Command System and have a team of tier 1 security analysts. Coverage is 24/7 across all timezones. In an urgent situation, our automation tools will raise an alert for the incident and create a Slack channel to which the Compound team will also have access. Security analysts will triage the issue in less than 15 minutes and execute the playbook.

5b) vCISO Support

  • On-demand advisory: Same day

  • vCISO check-ins: Weekly

  • Threat modeling refresh: Monthly

  • Attack simulations: Twice annually

  • Primary contact: vCISOs

  • Secondary contact: Account manager

5c) Governance Proposal Reviews

From proposal request to kick-off: 24-48 hours

The team is available for all last-minute requests and will maintain a 48-72 hour turnaround

Findings will be delivered via report to the DAO for delivery to the community

5d) Code Audits

A 24-48 hour lead time is feasible for all projects; however, as much notice as possible is always appreciated

Audit to kick off within 24-48 hours from booking request for all team sizes

  • Once the audit completes, the Compound team will then implement fixes and drip those fixes back to the audit team so that the audit team can confirm that they were implemented correctly and introduce no new findings

  • The draft report will then be delivered to client within 1 business day for all scopes

  • Once the Compound team and Cantina team have agreed that all fixes have been implemented correctly, Cantina will deliver the final report within 1 business day for all scopes.

  • After the final report has been delivered, clients will be able to onboard into Cantina’s Bug Bounty Program free of charge.


Final Considerations

Cantina is pleased to submit this proposal in response to Compound’s Security Partnership RFP. With our founding in 2022 and specialized focus on on-chain and off-chain security, we understand the critical security challenges facing DeFi protocols like Compound, and we are confident in our ability to provide comprehensive security coverage.

Our proposed solution leverages a proven hybrid security model and cutting-edge monitoring technologies to ensure continuous protection across all of Compound’s multi-chain deployments and holistic attack surface. We’ve included a flexible engagement structure designed to align with your operational and commercial needs while providing maximum security coverage.

Key Benefits of Our Proposal Include:

Comprehensive Security Leadership: Dual vCISO model providing both on-chain protocol expertise and operational security oversight, ensuring strategic security planning, threat modeling, and executive-level communication with the DAO while maintaining continuous context across all security initiatives

Enterprise-Grade Incident Response: Professional 24/7 security operations center with trained tier-1 analysts across all timezones, delivering sub-15 minute response times, coordinated war room capabilities, and proven fund recovery expertise through established relationships with exchanges, law enforcement, and white hat communities

Proven DeFi Expertise: Deep specialization in lending protocols and governance security with extensive track record across Aave, Morpho, Euler, Sky and other major DeFi platforms, including experience with multi-chain deployments, protocol upgrades, and complex governance attack vectors specific to Compound’s ecosystem

Institutional-Quality Infrastructure: Proprietary Cantina Code platform for real-time audit tracking, established partnerships with leading security tools and mature incident response systems that integrate seamlessly with your existing operational workflows to streamline your security infrastructure

Our Track Record

Our clients, including Aave, Coinbase, Uniswap, Optimism, and Sky, have seen measurable security improvements through our multi-layered approach and we are proud to deliver them continuous security support.

Additional Offerings - Institutional Support

Along with our security services, Cantina is also deeply entrenched in the web2 and web3 community at large with meaningful relationships across a wide range of institutions. As the web2 world begins to pursue web3 partnerships at an increasing rate, Compound is well positioned to be a preferred partner in web2 adoption of blockchain. To help facilitate this, Cantina will commit to making formal introductions between the Compound team and all institutions Cantina currently works with as well as performing 5 hours of dedicated business development work for institutional connections on Compound’s behalf each week. Due to our extensive security community who come from a diverse set of web2 backgrounds and our Web3SOC due diligence efforts on the behalf of institutions looking to participate in web3, we have extensive connections to top institutions and will utilize these connections on Compound’s behalf. Outside of these efforts, Cantina will also represent Compound alongside Cantina at all institutional events and invitationals.

We’re excited about the opportunity to bring our proven security expertise to Compound and are committed to delivering exceptional service that protects Compound and its community while also contributing to Compound’s growth. We welcome the opportunity to discuss this proposal in detail and look forward to partnering with you on this critical security initiative.
