[Post 2/2: for a summary of the July 24th edits, see post 1/2]
Proposal - ChainSecurity & Certora
Section 1: Scope of Security Work
This section includes:
- Scope of Services Overview
- Multi-Chain Support & Upgrade Expertise
- Resource Allocation and Availability
- Additional Services and Tools
A top-tier audit team, with a history of successful Compound audits and prior knowledge of the codebase, will be dedicated to the Compound ecosystem year-round. This joint proposal encompasses the following services:
- Manual audit and targeted formal verification for new contract deployments.
- Governance reviews and simulated execution as needed throughout the year.
- Front-end and off-chain audits for mobile applications, web services, and other off-chain components.
- Collaborative partnership with dedicated vCISO to deliver consistent and on-going support and advisory services in all aspects of the Compound platform.
Our auditing services include black box penetration and white box protocol testing for Dapps. Black box penetration testing services will include manually exercising common exploit patterns for web and mobile applications based on an external review of the functionality of the application. White box protocol testing services include reviewing the communication between the UX (web/mobile) and any backend services, and attempting to craft exploits by inferring the intended vs. unintended behaviors of the interaction. Automated tools may be applied in these services when feasible and appropriate to the particular application. Finally, we will seek language-appropriate static analysis and code scanning tools as part of our Dapp auditing to identify code-level mistakes that lead to known vulnerability categories. These findings may not always be exploitable, but they will identify opportunities to improve the code in order to avoid vulnerabilities.
Leveraging our combined auditing team, we are able to deliver on-demand availability for the deployment of new capabilities and major upgrades across a complex network of L1s and L2s with a team of 3 FTEs dedicated to Compound. To ensure availability, knowledge continuity, and a diversity of thought in approaching each audit, both Certora and ChainSecurity will internally maintain teams who will in rotation serve as primary and backup auditors for each engagement.
We will ensure team consistency throughout the year by maintaining continuity across engagements. Audits will follow our battle-tested methodology with a focus on preserving context to easily onboard new auditors and avoid vendor lock-in. Leveraging a larger team of audit professionals also injects a broader perspective and “fresh eyes” into each audit, which will yield superior coverage in our work. This same level of redundancy will apply to all vCISO discussions and governance reviews.
Across the ChainSecurity and Certora teams, we have expertise with a wide variety of L2s, and we have audited major cross-chain deployments with Aave, Uniswap, and others. As new L2s are introduced to the market, our teams will work in collaboration to establish an internal “center of excellence” for identifying new risks introduced by each new L2. We will then leverage this accumulated knowledge in future deployments to those L2s.
In addition to the expertise of our security engineers, ChainSecurity & Certora will contribute advanced tools to this engagement including:
- The Certora Prover, which enables formal verification of complex smart contract properties.
- A fuzzing suite built on top of Foundry & Echidna. This suite will enable on-going testing of each change introduced by the Compound team.
- Participation in governance, if desired, as we have with Ether.fi, Spark, and other leading protocols.
- An internal dashboard showing all projects, schedules, and delivery health using the Monday platform.
Finally, the vCISO service offered as part of this proposal is envisioned as a security advisory service to the Compound foundation and the DAO for the purposes of end-to-end security review of all aspects of operational security, code security, and governance. The vCISO is a senior blockchain security engineer from ChainSecurity allocated full-time on Compound. To ensure continuous support through the year, another engineer with deep Compound expertise will work closely with the vCISO and act as the vCISO’s official backup in case of absence. We will be available for consultation to the Foundation or the DAO on an as-needed basis.
In addition to on-demand guidance, Compound’s dedicated vCISO will take a proactive and holistic approach to securing Compound. Rather than simply reacting to individual audit requests, we will maintain an informed, high-level view of the protocol’s overall risk landscape—including internal architectural decisions as well as relevant external developments in the broader ecosystem. This includes participating in protocol design discussions, reviewing governance proposals, and supporting contributors in identifying and mitigating risk across the stack.
We also see the vCISO as a public-facing and coordination-oriented role. Responsibilities will include representing Compound in relevant security contexts, liaising with other vendors and ecosystem partners, and helping ensure that contributors and stakeholders have clarity around evolving security needs. This may also involve helping scope and prioritize reviews, maintaining lightweight documentation of expectations and best practices, and advising on the implications of new initiatives or integrations.
Section 2: Technical Methodology and Audit Process
This section includes:
- Audit Methodology
- Audit Workflow & Deliverables
- Quality Assurance and Track Record
Audit Methodology
Leveraging our combined team of 3 full-time equivalent auditors, the Certora and ChainSecurity teams will audit the governance proposals and protocol changes. Our audit methodology includes the following key attributes:
- Each audit is assigned a team of two, and we will ensure continuity from audit to audit such that one member of this team of two participated in the previous audit.
- Prior to conducting an audit, all protocol changes will be validated using to identify functional and security regressions prior to audit review.
- Each audit consists of the following stages:
  - Identification of a threat model and initial run of the Certora tool suite
  - Manual inspection of protocol or governance code and review of all tool results
  - Identification of potential code issues and attack vectors and collaborative review with the Compound team
  - Collaborative discussion to specify required fixes and methodology for each fix
  - Thorough review of each fix and final run of the Certora tool suite to ensure that fixes were applied properly and that no regressions were introduced
- After deployment, we will offer deployment audit services to certify the smart contracts are deployed with the expected bytecode and configuration (See Compound Deployment Validation)
Our audits are:
- Comprehensive, leveraging tools to identify all suspicious areas of the code that require thorough, systematic review.
- Multi-level, starting from a comprehensive threat model for the protocol and including a review of architecture, business logic, pricing logic, critical calculations, and implementation. This review includes both on-chain and off-chain components.
- End-to-end in multiple dimensions. First, by including a collaborative effort to identify appropriate fixes to any issues that are uncovered, and a final review of actual fixes. Second, by including off-chain components.
- Technology driven to ensure that human error and omission is minimized wherever possible.
- Deep, including sophisticated verification of protocol properties using the Certora Prover and our team of dedicated formal verification experts.
Both Certora and ChainSecurity already possess extensive Compound knowledge and have a positive history with the Compound team. In collaboration, we are uniquely suited to protect your protocols from costly exploits, ensure compliance with industry standards, and build trust with users and stakeholders.
Audit Workflow & Deliverables
Each audit concludes with a comprehensive report delivered to the Compound team. These reports include:
- Threat model used to conduct the audit
- Architecture diagrams, if relevant, illustrating our understanding of the protocol and its associated threats
- A comprehensive list of findings, including an explanation of the severity and impact of each finding
- A list of fixes applied, including our evaluation of the effectiveness of the fix
- A list of invariants, pre-, and post-conditions verified with the Certora Prover, and a description of the implications of these verification conditions on the overall security of the protocol
- The output from the Certora tool suite, which illustrates the comprehensive nature of our audits and how we leverage advanced technology to complement human review
- Required checks for Deployment Validation (See Compound Deployment Validation)
Reports will be made public at the discretion and on the timeline agreed to with the Compound team, and with a particular care devoted to ensuring that any live vulnerabilities identified are mitigated prior to publishing.
Governance proposals will promptly be reviewed by our vCISO team. Beyond general review against security threats, they will simulate proposal execution against mainnet state. This verifies that proposals execute as expected, checks system invariants, and flags gas regressions, avoiding incidents like Compound’s Proposal 117 and Proposal 226. This reduces the duration of review cycles while significantly increasing security.
Quality Assurance and Track Record
ChainSecurity & Certora are both committed to supporting our clients and the ecosystem at large. Here are some examples where our work prevented harm:
- ChainSecurity identified an Ethereum-wide vulnerability ahead of the Constantinople upgrade. They disclosed it responsibly to the Ethereum Foundation, who delayed the upgrade and was able to fix the issue (see blog article).
- ChainSecurity responsibly disclosed a live critical vulnerability in Compound and supported the mitigation efforts (see blog article).
- ChainSecurity discovered the read-only reentrancy, a novel type of vulnerability putting more than $100M at risk. Before making the vulnerability public, they spent months researching the affected protocols, responsibly disclosing the vulnerabilities, and supporting them as they patched the vulnerabilities. (See Devcon talk)
- ChainSecurity has been part of multiple undisclosed war-rooms securing hundreds of millions at risk in collaboration with SEAL911 and others.
Section 3: Risk Management and Incident Response
- While ZeroShadow owns the responsibility for monitoring, we will support them by offering monitoring recommendations when relevant risk areas are noticed during our reviews or advisory work.
- While ZeroShadow owns the responsibility for incident response (IR) and for designing the IR protocols, we are responsible for ensuring an IR drill happens every quarter with the relevant actors (ZeroShadow, multisig signers, key developers, etc.), and that the IR protocols are understood by all actors involved. We will support ZeroShadow to promptly design custom emergency response protocols encompassing all potential emergency scenarios and all Compound actors.
- We will ensure a smooth, clearly-defined, and efficient collaboration with ZeroShadow. We will make ourselves available to support their efforts and offer direct communication channels with redundancies across different timezones.
If ChainSecurity & Certora are the ones discovering a live vulnerability, we will follow a strict and coordinated responsible disclosure process that prioritizes the security of Compound above all else. Whether the issue arises during an audit, a formal verification engagement, a governance review, or any security advisory work, our teams are aligned in treating these findings with urgency, discretion, and technical rigor.
Our approach goes beyond merely reporting bugs—we act as partners in remediation. Together, our teams will collaborate closely with Compound’s developers to design secure and effective patches. We will help evaluate possible solutions, and use both manual methods and automated tools, including formal verification, to validate that fixes resolve the vulnerability without introducing new risks. If needed, we will dedicate additional engineering resources to conduct emergency reviews of the patched code under tight timelines.
We classify vulnerabilities according to industry-standard severity frameworks, and respond accordingly. Critical issues—those that could lead to loss of funds, insolvency, or governance failure—are treated as top priority and take precedence over all other audit activities. Medium and high severity issues are triaged and handled with urgency, while lower severity findings are reported in due course and included in regular deliverables unless Compound requests otherwise.
With respect to disclosure, our unified policy is to ensure no public exposure of the issue occurs until a fix has been deployed and user funds are no longer at risk. Once Compound confirms the vulnerability has been safely mitigated, we are happy to support a coordinated public disclosure, which may include a detailed post-mortem or report for community transparency and learning. We can also assist in communicating this clearly and responsibly to the broader community if needed.
Section 4: Commercial Terms and Commitment
This section includes:
- Pricing Model
- Milestones and Performance Metrics
- Conflict of Interest Declaration
- Transition and Offboarding Plan
Pricing Model
We are requesting a flat annual fee of $1.75M for the 12-month security partnership with Compound DAO. This fee, capped for two years at least, covers the full scope of services outlined in our proposal, including audits, formal verification, vCISO services, advisory support, ChainSecurity & Certora tooling, and governance proposal reviews. We are also fully supportive of a continuous streamed payment setup, which offers transparency and aligns with DAO-native funding practices.
Milestones and Performance Metrics
We propose the following KPIs:
- Governance Proposal Reviews completed within 24 business hours of request (Mon–Fri).
- Audit Lead Time: New audit engagements scheduled within 2 weeks of request and the re-review of fixes will start within 3 business-days of code submission.
- The vCISO owns the relationship with Compound and provides clear security leadership and guidance for the community. He is available full-time Monday to Friday. In case of absences, continuous service is provided by the dedicated backup vCISO.
- Governance Participation: vCISO is active in the governance forums and ensures Compound maintains a proactive stance on security
- Quarterly Security Updates: Summary posted to the forum every quarter
- Ensuring that IR drills (led by ZeroShadow) happen every quarter and encouraging all relevant actors to participate in the drills and know their roles.
These metrics reflect our commitment to reliability, speed, and clarity—ensuring Compound receives proactive and responsive support, while maintaining rigorous standards across all engagements.
Conflict of Interest Declaration
ChainSecurity & Certora are not exclusive to Compound and do work with other protocols in the ecosystem that may be considered competitors or forks. However, we are fully committed to maintaining the highest standards of professionalism, confidentiality, and conflict management. We ensure that strict internal processes and access controls are in place to prevent any sharing of sensitive information across engagements. Both firms have longstanding reputations for handling such matters with discretion and integrity, and we take our responsibility to protect Compound’s information and interests extremely seriously.
Transition and Offboarding Plan
Our proposal is deliberately designed to avoid vendor lock-in and ensure smooth transitions. All deliverables will be documented, reproducible, and fully accessible to the DAO and any future service provider. We are committed to maintaining transparency and portability in all our work.
In the event the DAO chooses not to renew our engagement, we will fully support the onboarding of a new security provider. Our team will collaborate closely during the offboarding period, sharing documentation, context, and institutional knowledge to ensure continuity and prevent any loss in coverage or understanding. As security firms with strong reputations in the ecosystem, we understand the importance of professionalism and integrity in these transitions, and we will uphold that standard without exception.
We fully acknowledge and respect the DAO’s right to terminate the agreement with 60 days’ notice and will treat such a scenario with the same level of commitment, diligence, and cooperation as any other part of the engagement.
Section 5: Service Level Expectations (SLA)
This section includes SLAs for:
vCISO Support & Governance proposal reviews
Our vCISO - a senior ChainSecurity engineer allocated full-time on Compound - will be available constantly from Monday to Friday, with a handoff protocol for absences. He will provide:
- security advisory (e.g. flagging risks and requesting additional layers of security such as formal verification or re-audits),
- architecture recommendations,
- audit-readiness support for developers,
- coordination between the different security providers for smooth collaboration and best security practices,
- governance proposals reviews.
The vCISO will offer complete availability, deep Compound expertise, and constant visibility on the current state of Compound and its governance. In addition, our tooling and the vCISO’s deep knowledge of the system will considerably reduce the duration of each review.
For urgent or concurrent proposals, we can pause active audits and allocate additional engineers to scale reviews without delay. The vCISO will work closely with the audit team. In case of sickness or holidays, the backup vCISO, a senior engineer with Compound expertise, ensures seamless coverage with the same level of service.
Following governance proposal reviews, our findings and recommendations will be delivered in the form preferred by the community, for example via the Compound forum, via Github, or any other preferred method.
Audits
For audits, our average lead time for scheduling audit engagements is approximately 2 weeks, depending on project scope and availability. Once the engagement begins, turnaround times typically range from 2 to 6 weeks, depending on codebase size and complexity. Our reporting process follows a clear, transparent structure:
- Initial Report: Delivered upon completion of the audit, detailing findings with severity levels, impacted components, and remediation recommendations.
- Revision Handling: We conduct one or more follow-up reviews to validate fixes and provide updates on resolved issues.
- Final Report: Includes a summary of the full engagement, status of all findings, and is published in our standard format.
Final Considerations
Today, our shared goal is to help Compound regain and strengthen its position as a leading force in Web3. We bring both historical context and forward-looking capabilities, combining deep technical expertise and protocol familiarity. Our team is committed to ensuring security, reliability, and resilience in this next chapter building on the legacy of Compound’s early impact while meeting the demands of today’s fast-moving landscape.
We deeply understand that security should accelerate development, not slow it down. Our approach is designed to support rapid iteration while maintaining rigorous standards. By integrating early into the development lifecycle, reusing proven security components, and collaborating closely with builders, we ensure that security is a foundation for faster, safer shipping—not a bottleneck. Our work is tailored to enable Compound to move quickly with confidence.