Request for Proposal (RFP): Compound DAO Security Service Provider (SSP)

Sherlock & Guardrail - Proposal for Compound Security Partnership - Part 1

Executive Summary

Sherlock, in partnership with Guardrail, proposes an industry-leading, highly responsive, cost-efficient, and holistic security solution to empower Compound’s growth. With over 350 audits completed and a 94% success rate in identifying Medium+ vulnerabilities, Sherlock leverages an in-house team of elite Security Researchers (SRs), a dedicated scoping team for rapid turnarounds, and an unmatched pool of over 10,000 independent Security Researchers to deliver scalable, high-performance security services for high-stakes blockchain infrastructure like Ethereum, Aave, Cosmos, Sky/MakerDAO and hundreds of others.

Extending security past audits and advisory, Guardrail provides the most advanced continuous monitoring, detection, and incident response system in Web3 for teams like Eigenlayer and Euler. Guardrail’s system covers AI-based anomaly detection, custom-invariant monitoring, financial risk, operational risk, and multi-chain threats. A highly modular approach allows for complete security coverage of every on-chain use case (bridges, stablecoins, AMMs, etc.).

Sherlock has been deeply involved in the Compound community, posting DAO proposals and hosting calls with stakeholders, core members, and delegates to gather feedback. The takeaway: speed, quality, and scalability are key to removing the current bottlenecks to Compound’s growth. We spent time manually scoping every audit scope publicly available on the forums to better inform our team of how we can be most helpful to Compound. Sherlock’s solution dedicates a team of top-caliber researchers to Compound, augmented by on-demand talent from our platform of 10,000 researchers. This approach is perfectly suited to Compound’s current position. The speed and scalability we can provide will enable Compound to vastly accelerate its pace of development, reduce security costs by at least 75%, and bolster Compound’s position as a beacon of growth and innovation.

About Sherlock

Sherlock is the leading blockchain security platform, founded in 2021, dedicated to safeguarding Web3 by providing audit contests, traditional audits, bug bounties, exploit coverage, security advisory, and more. We have exclusive agreements with the world’s quantifiably top security researchers through our elite Blackthorn security group, where they work exclusively with us on audit contests, traditional audits, advisory engagements, and more. We also have a broader network of over 10,000 independent researchers on our platform who compete to identify vulnerabilities in users’ codebases. Our unique approach combines the meticulous focus and collaboration of traditional audits with the extensive participation of security experts from our audit contests, creating a scalable “best of both worlds” solution.

Sherlock is trusted by leading teams in the blockchain industry such as Ethereum, Optimism, Aave, Cosmos, Babylon, Sky and many more. Sherlock recently served as the last line of defense for high-stakes updates to Ethereum and Aave. Please see the following case studies, illustrating how we identify more critical vulnerabilities than competitors, more quickly.

Unmatched Speed and Scalability

Speed is a core strength at Sherlock. In addition to our assigned “bench” of SRs dedicated specifically to Compound, we can also tap into our talent pool of 40+ Lead Senior Watsons and over 10,000 independent researchers to scale resources instantly, allocating multiple auditors for parallel reviews or surging capacity for critical incidents. If needed, we can conduct 5 audits simultaneously without sacrificing quality, ensuring no delays in protocol upgrades or expansions.

This depth and flexibility enable Sherlock to deliver more responsive, scalable services than any other firm, minimizing bottlenecks and aligning with Compound’s dynamic DeFi environment.

About Guardrail

Guardrail is the fastest-growing, customer-loved on-chain monitoring, detection & incident response platform for blockchain security. Founded in 2022, our mission is simple: make DeFi safer for all. Our core principles are quality first, transparent partnership over product, 24/7 customer service, and custom over generic security. We recognize security doesn’t stop at audits. Teams need continuous attacker research, 24x7 contract visibility, and context-aware workflows in-house to respond to threats in real time.

Using Guardrail, teams gain access to the most advanced monitoring capabilities, rigorous threat analysis, and a well-connected incident response system in crypto:

  • Comprehensive analysis across AI-powered anomaly detection, custom invariant monitoring, financial risk assessment, operational risk management, and multi-chain threat detection.
  • Universal monitoring with a modular design: build once, use anywhere.
  • White-glove implementation for the highest precision and fastest time-to-deployment.

What sets us apart: Our combination of proprietary infrastructure + proven enterprise delivery + unique technical capabilities makes Guardrail the only monitoring solution capable of matching Compound’s scale and security requirements:

  • Technical innovations in real-time monitoring: the only monitoring team with a dedicated data infrastructure team, which builds:
    • A state-of-the-art (SOTA) price engine for token prices, pool metrics, and on-chain fund flow analysis.
    • A unique technical solution for multi-chain monitoring not offered by competing monitoring tools.
    • The only real-time solution that trains per-contract models for anomaly detection, with at least 2x (higher in most cases) relative performance compared to competing AI applications.
  • Designed and deployed 50+ guards to secure protocol components (including detectors not previously possible elsewhere) for Eigenlayer.
  • 45 custom monitors and new chain support delivered within 48h for Story Protocol.
  • Consolidated 3 monitoring tools and delivered dynamic oracle monitoring for Euler’s modular vault system.
  • Contextual AI-powered guards and an auto-monitor configurator built for Magic Labs.
  • A 2x more accurate AI anomaly detection model developed and shipped for Scroll within 14 days, trained on over 100 past incidents.

Our team is over 90% engineers with security experience, trained at the University of Waterloo and previously at companies such as LinkedIn, Palantir, and Messari. We’re an RSA Security Launch Pad Winner and are backed by Haun Ventures, Coinbase, AllianceDAO, DeFi builders, and CISOs from Chainlink.

Contacts

Primary Contact: Gabriel Jaldon (vCISO) / gjaldon85@gmail.com / TG: @gjaldon

Secondary Contact: Chris Stevenson (Sherlock) / chris@sherlock.xyz / TG: @glory_eth

Secondary Contact: Samridh Saluja (Guardrail) / samridh@guardrail.ai / TG: @sam_saluja

Existing Relationship with Compound

We have multiple top Sherlock and Blackthorn researchers who have made deep contributions to Compound’s protocol evolution and security enhancements, particularly since the launch of Compound V3 (Comet).

Gabriel Jaldon (vCISO)

Gabriel Jaldon is a Founding Security Researcher at Blackthorn and Lead Senior Watson with over 10 years of experience, having transitioned into Web3 auditing with a focus on Solidity, EVM, and DeFi protocols. Proficient in languages including Solidity, Rust, and Go, he brings a multidisciplinary approach to security research and development. Gabriel has significant DAO security experience, holding one of only two positions on Optimism’s Developer Advisory Board Audit Request Team.

  • CometWrapper Development: Authored the initial version of the CometWrapper - an ERC20 token wrapper for Compound V3 that replicates cToken-like exchange-rate behavior to enhance compatibility and ease of integration. This initiative was executed under a Compound grant, streamlining user interactions with Compound III assets.
  • Reserve Collateral Plugins: Engineered Reserve’s collateral plugins for Compound V3, enabling secure collateral management and seamless incorporation into the Reserve Protocol ecosystem.
  • Expertise and Validation: With more than 10 years of software development experience and specialized expertise in Web3 auditing (focusing on Solidity, EVM, and DeFi), Gabriel’s proficiency in languages like Solidity, Rust, and Go has facilitated thorough validation of protocol upgrades. His track record of several audits in recent years further solidifies his expertise.

Eric Shi (aka pkqs90)

Eric is a Founding Security Researcher at Blackthorn and Lead Senior Watson at Sherlock, specializing in smart contract audits with a proven track record in public audit contests. He has 11 first-place finishes and 17 top-3 placements, including dominating Uniswap V4 hook audits, Fraxlend forks, and liquid restaking systems. His prior work in complex system design (self-driving cars) complements his ability to analyze intricate DeFi logic.

  • Placed 2nd in the Deepr audit contest (a Compound V2 fork), identifying 4 medium-severity findings related to interest rate and collateral flows, thereby improving the security of lending and staking mechanisms in Compound-like systems.
  • Contributed to the security of related lending protocols through audits of Fraxlend forks (e.g., 1st place in Peapods, a volatility farming system based on Fraxlend), addressing global interest rate calculations and liquidity flows that align with Compound’s lending models.

Vijay Reddy (aka jokr)

Vijay is a Lead Senior Watson and a Compound-focused auditor specializing in interest rates, collateral, and liquidity management, with an emphasis on Solidity and DeFi risks such as reentrancy, oracle manipulation, slippage, and MEV-aware lending.

  • Placed 1st in the Numa audit contest (a Compound fork), identifying high- and medium-severity findings on token accounting, thereby strengthening liquidity and collateral handling in Compound-like systems.
  • Placed 1st in the Deepr audit contest (a Compound fork), uncovering 1 high-severity and 3 medium-severity findings on interest model drift, improving the robustness of interest rate calculations and lending flows.

Linus Lepschies (aka oot2k)

Linus Lepschies was an auditor for Compound V2, bringing expert-level knowledge of Compound-based lending protocols and in-depth familiarity with its architecture and security risks.

  • Audited MetaLend (a Compound V2 fork), contributing to the security validation of its lending architecture.
  • Audited other Compound-related lending markets, such as Predict.fun, where he uncovered 2 medium-severity issues including collateral seizure and repayment denial vectors.
  • Audited Venus Isolated Pools, identifying vulnerabilities like frontrunning, staking dilution, and exchange rate manipulation, which align with Compound’s pooling and lending models.

Team-Wide Security Enhancements

Complementing the above work, our security research team has extensively audited Compound V2 forks and analogous lending protocols, uncovering critical vulnerabilities to bolster overall ecosystem security. Notable achievements include:

  • Deepr Audit (Compound V2 Fork): Top placements identifying medium-severity issues in interest rates and collateral flows, as well as high-severity findings on interest model drift.
  • Numa Audit (Compound Fork): Exposing high- and medium-severity flaws in token accounting to strengthen liquidity and collateral handling.
  • Metalend Audit (Compound V2 Fork): Validating lending architecture against exploits like collateral seizure, repayment denial, frontrunning, and exchange rate manipulation.
  • Lend Audit (Compound-Based Contest): Top performances in Lend and other Compound-based contests, validating lending flows and cross-chain integrations.

Additional Forks and Related Systems: Expertise in forks like Mach (focusing on interest and flows), Fraxlend (addressing global interest rate calculations), and Venus Isolated Pools (identifying vulnerabilities such as oracle drift and liquidation mechanics), preventing risks that could mirror those in Compound’s models.

Relevant Security Partnerships or Clients

Sherlock has supported numerous DAOs and DeFi protocols, particularly those involving governance, lending, and cross-chain functionalities. Notable examples include:

  • Sky/MakerDAO: Sherlock hosted a $1.35M audit contest for Sky/MakerDAO’s codebase, focusing on governance and lending aspects.

“It only makes sense that our team would work with the market leader, Sherlock.” - Rune Christiansen, Founder of Sky/MakerDAO

  • Optimism Ecosystem Projects: Sherlock audited Kyo Finance, a DEX and liquidity hub on Soneium (an Optimism grantee), emphasizing cross-chain liquidity. Sherlock also serves as a governance delegate for Morpho Labs on Optimism.

“Optimism’s codebase was audited by the best in the industry before coming to Sherlock, and the Sherlock audit contest still surfaced unique issues that we were grateful to learn about before deploying. If possible, I’d recommend any protocol team try a Sherlock audit before going to mainnet.” - Optimism

  • Ethereum Foundation: EF chose to pay Blackthorn even though 40+ other firms offered free services, because each Blackthorn auditor is quantifiably one of the best in the world. 1 Medium and 16 Low bugs were found - significantly more than the EF team expected.

“We chose Blackthorn because we were intrigued by the value of having multiple independent security researchers collaborating together. The findings increased the security and overall confidence in the bytecode system contracts of Ethereum. Our favorite part was the collaborative environment and effective feedback cycle between our team and Blackthorn, making it a very productive experience.” - Ethereum Foundation

  • Aave: Sherlock contributed to the security review of Aave v3.3 and Aave v3.4 upgrades, which include governance and liquidation mechanisms.
  • Lending Protocols: Audited Extra Finance (smart-account multi-chain lending strategies), LEND Finance (omnichain lending and borrowing), Notional Finance (lending with external integrations), Sentiment V1/V2, and Zerolend One.

“Notional has gotten 14 audits from 6 different firms, and ever since we first used Sherlock in October of 2022 they have been, and will continue to be for the foreseeable future, our exclusive audit provider. Sherlock is the best audit experience we’ve ever had, hands down.” - Notional Finance

  • Cross-chain Protocols: Audited Zeta Blockchain (cross-chain infrastructure), BreederDodo (ZetaChain-powered cross-chain DEX), and Tapioca DAO (omnichain money market).
  • Other DeFi/DAO Examples: Audited Tally (ARB governance staking), Symm.io (derivatives with staking/vesting), Telcoin (updates with cross-chain elements), and PinLinkAi (AI-related DeFi).

Sherlock also has an extensive track record as a key security partner for a range of ecosystem security and audit grant programs, including Arbitrum, Optimism, Uniswap, Soneium, Scroll, and more.

Guardrail monitors protocols across every vertical of crypto, delivering real-time visibility, threat detection, and automated responses to safeguard $1.3B in assets across 24+ chains.

Over the last 6 months, Guardrail has onboarded one protocol weekly - many migrating from incumbents - and no team has ever deactivated Guardrail once live, underscoring its indispensable value in preventing exploits.

Trusted by leading DeFi innovators, relevant clients include:

  • EigenLayer: Full-stack monitoring covering Beacon chain, AVS, and internal/external threats for comprehensive restaking security.
  • Euler Finance: Vault and price feed monitoring, consolidating three tools into one for oracle deviation tracking and multi-chain scalability.

“Getting from three tools to one… is a huge win.” – Erik Arfvidson, Head of Cybersecurity

  • Avantis Finance: Invariants and price flow monitoring, automating suspicious activity alerts via Slack/PagerDuty.
  • BadgerDAO: Governance and post-hack monitoring.
  • Concero: Bridge aggregator multi-chain monitoring, ensuring transaction integrity with custom guards and instant anomaly detection.

“No one can tell me anything that will convince me not to use Guardrail.” – Andy Bohutsky, Founder

In every engagement, we’ve augmented customers’ teams with our SRs for seamless onboarding and resolutions. Guardrail delivers a consolidated, reliable, and intelligent platform, addressing gaps in tools like Tenderly, Hypernative, and OpenZeppelin Defender.

Section 1: Scope of Security Work

1a) Scope of Services Overview:

Sherlock offers comprehensive on-chain security reviews at every stage. A dedicated team, with deep Compound experience, will be assigned to the Compound ecosystem for the full duration of our partnership. During periods of heightened demand, we will also leverage our flexible pool of talent on the platform to provision additional resources, allowing us to perform up to 5 audits simultaneously when needed, and reducing any potential bottlenecks to progress without sacrificing quality.

  • Ongoing Smart Contract Audits & Code Reviews: Sherlock performs full-codebase audits for new deployments, protocol upgrades, new markets, new assets, new external oracles, and ongoing maintenance. Each audit includes one of our dedicated Compound auditors as well as specifically selected independent researchers from our platform as needed.
  • Governance/Proposal Reviews: Our team, with the vCISO acting as a dedicated security partner, will review any governance proposals or contract changes for Compound. We identify risk conditions in proposals and advise the community on security implications.
  • vCISO: Sherlock will include a dedicated vCISO who will provide ongoing security advisory, guide governance and protocol enhancements, ensure alignment with best practices, and serve as the DAO’s point of contact for audit findings, security reviews, and on-demand guidance, while maintaining tailored security documentation.
  • Monitoring: Guardrail monitors all assets, contracts, and wallets across Compound’s ecosystem with 24x7 protection and is tightly integrated with Sherlock.
    • Guardrail is the only team among monitoring platforms focused exclusively on monitoring (not offering fraud prevention, testnet as a service, wallet MPC, etc.). Because of this extreme focus on monitoring, we have faster iteration, deeper coverage, and better outcomes.
  • Pentesting: Infrastructure and application-layer penetration testing to identify and mitigate vulnerabilities.

1b) Multi-Chain Support & Upgrade Expertise:

Sherlock’s model is uniquely suited to meet Compound’s needs, offering demonstrated experience across various chains. Our audit capabilities are chain-agnostic and have been battle-tested on complex cross-chain deployments.

Sherlock conducted a comprehensive audit contest for ZetaChain, a foundational protocol with a novel cross-chain messaging architecture. The audit scope was extensive, covering the Cross-Chain Transaction (CCTX) logic, token wrapping and unwrapping mechanisms across multiple chains, and the security of the off-chain Threshold Signature Scheme (TSS) relayer. This engagement demonstrates our ability to analyze and secure new and complex cross-chain primitives at their deepest level.

Our audit of DODO’s cross-chain decentralized exchange required a deep analysis of its integration with ZetaChain’s infrastructure. This included assessing the critical onRevert and onAbort logic, which handles failed cross-chain transactions - a common source of vulnerabilities in cross-chain applications.

Beyond these specific audits, our history is replete with protocols planning deployments across multiple EVM-compatible chains (e.g., Titles, Real Wagmi, Allo V2). In each engagement, our auditors conduct a detailed analysis of the specific requirements and nuances of the target chains. This meticulous, chain-aware approach is critical for ensuring security across the diverse landscape of L2s. Our auditors examine the specifics of different rollup types, from EVM-equivalent (Type 1) to EVM-compatible (Type 2) environments. They pay special attention to potential issues that can arise in Type 2 rollups, where subtle differences in precompiled contracts, gas costs, or opcode behavior can introduce unique risks. By thoroughly analyzing these chain-specific details, we ensure the protocol’s logic remains sound and works as intended on every target chain.

The vCISO will be deeply engaged in Compound’s multi-chain expansion. For any new chain Compound targets for deployment, the vCISO’s primary responsibility is to become an expert on that specific environment to preempt any potential issues.

This process begins with the vCISO taking a close, manual look at the code, performing a detailed analysis of the smart contracts and their interactions. They will then thoroughly review all relevant documentation and the technical specifics of the target EVM chain. This deep dive allows the vCISO to build a comprehensive understanding of potential architectural, economic, or composability risks that could arise from the new deployment. By understanding the unique properties of each chain, the vCISO can identify and help mitigate problems before they occur, ensuring that each new deployment is as secure as the last.

Guardrail is live across 45 chains, with Compound’s target chains all included in that list.

Guardrail also supports select non-EVM chains & high throughput chains, and has a unique technical solution for multi-chain monitoring not offered by competing monitoring tools.

1c) Resource Allocation and Availability:

Allocation and Availability

  • Gabriel Jaldon, Compound’s dedicated vCISO will provide ongoing security advisory, guide governance and protocol enhancements, ensure alignment with best practices, and serve as the DAO’s point of contact for audit findings, security reviews, and on-demand guidance, while maintaining tailored security documentation.
  • Four Full-Time Security Researchers (named above) dedicated to Compound (who have audited Compound V3 in the past), available to begin working on new audits and other security work immediately.
  • Eight On-Call Security Researchers who have already audited Compound V3 and can be flexibly called in to handle periods of large workloads.
  • One Full Time Project Manager to coordinate and communicate between the various stakeholders.
  • If needed, Sherlock will select additional backup capacity from our 40+ Lead Senior Watsons and 10,000 independent researchers whenever simultaneous audits are needed. Each audit will be led by one of the four dedicated Compound SRs.
  • 1 FTE selected from Guardrail’s team of dedicated DeFi Security researchers and incident responders.

Historical Context

Sherlock has been active in Compound’s governance for over a year, participating in discussions, speaking with delegates and other stakeholders, and learning about the needs of the DAO and the community. What we heard was loud and clear - the existing $4mm engagement with OpenZeppelin was inadequate for the needs of a dynamic and fast-moving organization like Compound, leading us to author a proposal as far back as June 2024. There were two significant issues with the OpenZeppelin relationship that we repeatedly heard from stakeholders:

  • Lack of Speed - Compound’s development and competitiveness as a lending protocol was consistently held back by months due to OpenZeppelin’s delayed scheduling, lengthy backlog, and inability to run multiple concurrent audits.
  • Exorbitant Cost - OpenZeppelin’s $4mm annual contract, when amortized over the work completed, was the largest cost by far for all chain, market, and asset additions, as seen in AlphaGrowth’s analysis.

Our Solution

Sherlock is singularly suited to solve this problem. We have a unique combination of exclusive, high-caliber dedicated talent along with a community of 10,000 independent researchers. This combination cannot be replicated by any other company, and allows Sherlock to produce quantitatively better results, perform more audits simultaneously than any other company, and execute the entire audit process with speed that can’t be matched.

Sherlock has handpicked a “Seal Team 6” of researchers who have experience with Compound V3 and will be specifically dedicated to working on Compound audits and other security work in the scope of this proposal.

Monitoring & Incident Response

  • Joint Dedicated Security Operations Team:
    • Incident responders with experience handling over 200 incidents
    • 24x7x365 coverage across timezones and escalating triage policies
    • Specialized in-house DeFi security researchers bringing exploit investigation analysis expertise
  • Guardrail’s Proven On-Demand Scaling:
    • 40 custom monitors created, tested, and deployed in one day for critical deployments
    • New chain implementation within 24 hours (based on past experience)
    • Custom monitoring use cases development with a 24-48 hour turnaround
    • <1 second detection across 24+ chains
  • Guardrail’s Compound-Specific Resource Commitment:
    • Dedicated technical point-of-contact for Compound’s unique monitoring needs
    • Direct access to Guardrail’s security analysts for threat intelligence & incident response
    • Weekly platform optimization and internal check-ins specifically tuned for Compound’s smart contracts
    • Network intelligence & product insights from monitoring Euler, Avantis, BadgerDAO, BlueFin, Pendle, Li.Fi

1d) Additional Services or Tools (if any):

$500,000 Bug Bounty & Exploit Coverage: Every Compound audit through Sherlock is automatically enrolled in a 1-month, $500,000 bug bounty & exploit coverage program. This ensures that Compound users are protected not just after the audit process but also throughout daily operations, providing extended security assurance.

Complimentary Bug Bounty Hosting and Triaging: Sherlock offers complimentary bug bounty hosting for Compound. This service encourages ongoing security vigilance by incentivizing the wider community to identify and report vulnerabilities, thereby enhancing the protocol’s overall security posture. The same team of researchers who audit Compound will also triage vulnerabilities submitted through this program, ensuring fully-integrated, lightning-fast responses to any potential threats to Compound by the security researchers who know Compound best.
