Request for Proposal (RFP): Compound DAO Security Service Provider (SSP)

[Post 1/2]

Proposal edited on July 24th, 2025. Summary of edits:

  1. Tenderly has been unbundled from this proposal with the understanding that their platform will be considered as part of ZeroShadow’s evaluation process.

  2. ChainSecurity and Certora are submitting a joint proposal with an annual fee of $1.75M. The fee is capped for two years at least.

  3. The following has been added to our scope:

  • We will become signers of Compound’s multisig
  • We will ensure a smooth, clearly-defined, and efficient collaboration with ZeroShadow. We will make ourselves available to support their efforts and offer direct communication channels with redundancies across different timezones.
  • While ZeroShadow owns the responsibility for monitoring, we will support them by offering monitoring recommendations when relevant risk areas are noticed during our reviews or advisory work.
  • While ZeroShadow owns the responsibility for incident response (IR) & for designing the IR protocols, we are responsible for ensuring an IR drill happens every quarter with the relevant actors (ZeroShadow, multisig signers, key developers, etc.), and that the IR protocols are understood by all actors involved.

  4. The following has been excluded from our scope:

  • Monitoring & Alerting (both the platform and the associated services)
  • Incident Response & Triage
  • Any of Tenderly’s tooling solutions (Tenderly’s virtual testnet, Tenderly monitoring stack, etc.)
  • The scope of ZeroShadow’s proposal

Proposal - ChainSecurity & Certora

Key Facts

  • ChainSecurity and Certora are leading Web3 security firms, operating since 2017 and 2018 respectively. Both have a long-standing and successful track record of collaboration with Compound.
  • To streamline DAO coordination, we unify the DeFi expertise of our two firms under a single vCISO: a senior security engineer from ChainSecurity fully dedicated to Compound.
  • Full-time security engineers dedicated to Compound ensure rapid response times and leverage custom tooling to enhance efficiency and reliability.
  • Under the vCISO’s leadership, the three teams will work in close coordination to comprehensively address all of Compound’s security needs:
    • Smart contract audits (with targeted formal verification & fuzzing)
    • Audits of off-chain components (including Web2 security such as penetration testing of dApps)
    • Governance reviews
    • Security Advisory & Security governance

Contact

ChainSecurity & Certora

Collectively represented by Emilie Raffo, ChainSecurity Founding Partner

Telegram: @EmilieRaffo_ChainSecurity

Email: emilie.raffo@chainsecurity.com


Proposal

This proposal is led by ChainSecurity and submitted jointly with Certora. Our two teams will collaborate closely to provide ongoing, high-assurance security services to the Compound protocol. The vCISO, a senior ChainSecurity engineer allocated full-time to Compound, will serve as the main point of contact, ensuring close coordination, clear communication, and a smooth collaboration across all stakeholders.

Certora and ChainSecurity together bring a uniquely comprehensive approach to smart contract security. Certora’s team of dedicated formal methods engineers specializes in writing precise, executable specifications and building custom verification pipelines that proactively eliminate entire classes of vulnerabilities before deployment. ChainSecurity complements this with unmatched experience in DeFi systems and complex protocol interactions, drawing on a broader security skill set including manual audits, threat modeling, and automated tooling. Together, we offer both depth and breadth: Certora ensures correctness by construction, while ChainSecurity identifies emergent risks through a holistic view of protocol behavior. This combined methodology delivers a higher level of assurance than either approach alone—giving clients a truly end-to-end security review that is proactive, rigorous, and battle-tested in production systems.

Collectively, we have a strong history with Compound, having previously contributed to securing its smart contracts as both auditors and formal verification partners. This proposal offers Compound the unique expertise and ability to provide the highest standards of security directly by combining two of the most established security providers’ offerings under one coordinated framework.


About ChainSecurity

(Represented by Emilie Raffo, founding partner)

ChainSecurity is one of the longest-standing Web3 audit firms, known for deep DeFi expertise, rigorous audits, and a stable team of formally trained experts.

ChainSecurity began in 2017 at ETH Zurich, 4th best university in the world for computer science, with the development of Securify: the first widely used static analyzer for Solidity.

As demand grew, the team of academic researchers formalized into ChainSecurity: auditing top-tier projects and releasing Securify as open source with the support of the Ethereum Foundation. In collaboration with ETH Zurich, we built formal verification tools like VerX.

ChainSecurity gained visibility during Ethereum’s Constantinople and Berlin hard forks by uncovering network-critical vulnerabilities. Our Ethereum client disclosures earned us top places on the global bug bounty leaderboard.

In 2020, we joined PwC Switzerland, gaining exposure to the best practices of regulated financial auditing. While staying focused on Ethereum, we collaborated with public institutions, banks and central banks, and supported large organizations in their tokenization efforts. Our experience with large, traditional corporations makes us the top choice for a new age of increased regulation and legal clarity in DeFi.

We spun off from PwC in 2021 to double down on DeFi and to be able to work with crypto native teams. Since then, we’ve led hundreds of audits, hired from top universities, won the Ethereum Foundation’s underhanded Solidity contest, and discovered several live vulnerabilities - including the novel “Read-Only Reentrancy”.

ChainSecurity is employee-owned and built for longevity. Our core team is committed, and subsequent hires are growing into ownership of the company. We retain expertise in-house and have continuously refined our methodology since 2017. This consistency is why clients continue to place their trust in us.

About Certora

(Represented by Mooly Sagiv, founder)

Certora is the security assurance partner trusted by the most advanced teams in Web3. Founded in 2018 by pioneers in programming languages and formal methods, Certora helps leading protocols like Lido, Aave, Euler, and Ether.fi secure billions in TVL with confidence.

Certora is not just another auditor. Certora is a full-stack security assurance platform, combining best-in-class formal verification tools with expert advisory services, delivered on time and with zero compromise. Certora doesn’t just look for vulnerabilities; we help you prove correctness, accelerate your development speed, and embed safety into your design from day one.

With Certora, you get:

  • Proven, scalable tooling for checking real deployed code
  • A deep partnership model with on-demand support
  • Fast, responsive execution that helps you go to market faster

For Certora, security isn’t a checklist, it’s a continuous process.

Certora was founded by Dr. Mooly Sagiv, a pioneer in software analysis who has authored over 200 peer-reviewed publications, and Dr. Shelly Grossman, who holds a PhD in program verification and led the development of the Certora Prover—a powerful engine for detecting and preventing vulnerabilities in smart contracts before they reach production.

Our team of security auditors includes 20 PhD-level verification experts who collectively have authored over 650 academic publications, and 25 Web3 security experts with collectively over 80 years of auditing experience. Certora has completed 286 audits to date, and has found over 350 critical and high severity findings through our audits and verification work.

In collaboration with our R&D efforts, our audit team leverages advanced software analysis tools to deliver the industry’s most thorough security audit, and we translate the semantics of a protocol into verifiable specifications that are checked with our Prover technology. The result for our clients is the highest standard of security assurance for smart contracts in the industry, and a continued effort to leverage new, innovative technology to raise the bar even higher.


Existing Relationship with Compound:

We have longstanding ties with Compound, dating back to its early days as one of the most innovative and respected protocols in decentralized finance. Some of us were present during Compound’s formative years, when it helped define the lending market in DeFi and set standards for governance and protocol design. We are proud to have witnessed and supported those foundational moments.

ChainSecurity & Compound

ChainSecurity has been a close security partner to Compound since 2022, with deep insight into their protocol and architecture. To date, we’ve published several of our audit reports (Compound Quark (2024), Compound SUPTB (2023), Compound III (2023), Compound cToken (2022)) and continue to support the ecosystem through our work with Legend Labs—the spun-off Compound Labs team (Legend Labs - Quark V2), with more reports to be published.

In 2022, our team also identified and responsibly disclosed a live vulnerability in Compound that put millions at risk (TrueUSD ↔ Compound Vulnerability).

The Compound Labs team has shown high satisfaction with ChainSecurity’s work, as evidenced by the following testimonials:

“ChainSecurity has been an outstanding security partner who has earned our admiration and respect based purely on their technical competence and skill. They always go above and beyond to ensure their auditing is of the highest quality, and they are consistently excellent over the many projects we have done together.”

Jared Flatow, Compound VP of engineering 2019 to 2023

“We’ve worked with several auditing firms over the years, and ChainSecurity stands out as the most thorough and technically rigorous. Their team consistently delivers deep, high-quality audits. That is why they’re our go-to auditor.”

Kevin Cheng, Compound Labs Head of Protocol 2023 to 2024, Compound Labs Senior Engineer 2021 to 2023

Certora & Compound

Certora has worked closely with Compound since 2018 to strengthen the security of its smart contracts through formal verification. Our collaboration has focused on proactively identifying vulnerabilities that are difficult to catch through traditional audits alone. We have helped uncover subtle, high-impact issues before they could be exploited in the wild. These efforts have significantly contributed to improving the safety and reliability of the protocol across multiple major upgrades.

In our first engagement with Compound, we formally verified the first Price Oracle implementation. Using the Certora Prover, we identified 7 issues and proved 5 global properties of the contract, including a subtle bug found after the code had already undergone a third-party audit—demonstrating how formal methods can complement traditional review processes.

In contrast, the MoneyMarket contract, which was not formally verified, was later found to contain a serious vulnerability in the liquidation function, one that could have threatened the protocol’s solvency. Following this discovery, Compound asked Certora to formally verify a sophisticated bug fix designed to prevent such exploits. Using Certora’s expressive language for smart contract specifications, CVL, we were able to collaborate with the Compound team to verify that no execution path could trigger the exploit, providing the Compound team with strong assurance of the fix’s soundness.

Certora was also the first auditor of Compound V3. The audit is available here. Seven bugs were prevented, and fifty CVL rules were written and integrated into Compound Labs’ build system to continuously leverage the Certora Prover to proactively find regressions in the protocol.

Over the course of Certora’s work, ten engineers wrote a total of 80 CVL rules for Compound contracts spanning CompoundV2, CompoundV2 Open Oracle and CompoundV3. These rules are publicly available and continue to serve as regression checks as the protocol evolves.

“Certora has given us the ability to practically apply formal verification methods to anything we do on-chain. They have an excellent team who we’ve partnered with closely over the years, and the process of writing invariants with them has proven to be invaluable in writing better smart contracts.”

Jared Flatow, Compound VP of engineering 2019 to 2023


Relevant Security Partnerships or Clients

ChainSecurity

ChainSecurity is the go-to audit partner for some of the most widely used projects in DeFi. In lending alone, we’ve helped secure the core systems behind Sky (formerly MakerDAO), Spark, Morpho, Euler, Frax, Gearbox, TrueFi and others. Our work extends across DeFi and beyond, with audits for Circle, Lido, Curve, Tether, Yearn, Enzyme, WBTC, and more. We also work with major ecosystem and infrastructure players like the Ethereum Foundation, Polygon, Optimism, Uniswap Foundation, TRON, Starknet, Fuel, etc.

Our clients trust us not just for technical depth, but for our reliability and long-term support. Here are some testimonials to illustrate this:

“ChainSecurity has been an invaluable partner throughout almost two years of high-stakes product launches. We prize them for their proactivity, consistency, and flexibility.”

Deniz Yilmaz, Tech Lead @ Sky (formerly MakerDAO)

“We’ve worked with many Smart Contract auditors in the last five years and ChainSecurity quickly differentiated themselves as a leader in the space. They have relevant DeFi expertise, professional work ethic and have always been a reliable partner.”

Mona El Isa, CEO @ Enzyme Finance

“Their team pays close attention to every detail, prioritizing quality over quantity. This ongoing collaboration has made them true partners in our journey.”

0xMikko, Inventor @ Gearbox

“ChainSecurity delivered an exceptional audit for our project. Their meticulous approach and quick responsiveness enhanced our security and provided crucial insights. We greatly appreciate their dedication and excellent communication throughout the process.”

Erik Arfvidson, Head of Cybersecurity @ Euler Finance

“ChainSecurity was a pleasure to work with—exceptionally easy to coordinate with and delivering an audit of the highest quality. Their meticulous attention to detail truly set them apart, making the entire process smooth and efficient.”

Long Vuong Hoang, Head of Engineering @ Pendle

Through long-term collaborations highlighted by our clients and a proven track record of identifying critical vulnerabilities, ChainSecurity is a trusted and strategic partner in building secure and resilient decentralized systems.

Certora

Certora is the trusted security partner of many of the most impactful protocols in Web3. In the lending vertical alone, Certora has secured critical components for Aave (V2 and V3), Compound (V2 and V3), Silo, Euler, EtherFi, Seamless, Astaria, Kamino, Glow, Blend, and Slender. Our work extends beyond lending to a broad range of DeFi primitives — including MakerDAO, Balancer, Lido, Uniswap, Gnosis Safe, and others. Certora’s role in the ecosystem goes beyond auditing and formal verification. We are embedded in the security processes of leading protocols and infrastructure, serving as technical co-signers on multisigs and participating in security councils such as Arbitrum, AAVE, EigenLayer, GMX, Lido and Kinto. This level of trust demonstrates our operational reliability, technical depth, and ability to respond quickly to emerging threats. Our long-term relationships and active engagements across protocols and chains position Certora as not just a service provider, but a strategic partner in building safer and more resilient decentralized systems.


[Proposal continues in post 2/2]