Request for Proposal (RFP): Compound DAO Security Service Provider (SSP)

Updated before Snapshot: Request for Proposal (RFP): Compound DAO Security Service Provider (SSP) Cyfrin - Part 1

Motivations to proceed to snapshot

Firstly, we want to thank the Compound Foundation, the CGWG, and especially Michael Lewellen and Aaron Schnarch for their transparency, professionalism, and thoughtful handling of this RFP process. An immense amount of care has gone into shaping the security future of Compound.

We fully respect the Foundation’s recommendation of ChainSecurity and Certora, both highly respected firms in the space. At the same time, we continue to believe that Cyfrin offers a uniquely strong alignment with Compound’s evolving needs and remain committed to this community as we move toward the final vote.

Why Cyfrin?

While it has been noted that Cyfrin lacks a prior audit history with Compound, we believe that security is ultimately about capability and commitment.

For much of Compound’s history, security was handled by a single, long-term, and respected partner - OpenZeppelin. This meant fewer opportunities for external vendors to demonstrate direct experience. But Compound is entering a new chapter, and with that comes new criteria: scale, responsiveness, involvement, and DAO alignment.

That’s where we believe Cyfrin leads.

vCISO

We’ve nominated Patrick Collins as our vCISO because we believe this role requires more than deep technical skills. It demands a visible, principled leader who has the trust of the developer, security, and institutional communities alike.

  • Patrick is one of the most recognizable names in the Web3 security space.

  • He has taught Compound to hundreds of thousands of developers over the years.

  • He builds open-source tooling, contributes to standards, and educates with integrity.

With Patrick as vCISO, Compound gains a respected public representative who will champion its vision and advocate on its behalf, rather than just conducting reviews behind the scenes.

As Web3 enters a new era of regulatory clarity and TradFi integration, it needs more than a security vendor; it needs a strategic partner who understands both worlds. With Patrick Collins as vCISO and Cyfrin’s connections, Compound gains a visible, engaged leader who will champion its vision and represent the protocol with authority.


Throughput and bottlenecks

One of the significant points raised in this RFP process was throughput: the ability to execute multiple audits and reviews without bottlenecks.

Cyfrin answers this directly:

  • 4 named full-time Lead Security Researchers (LSR), with no junior staff.

  • 2 concurrent audits, guaranteed, scalable through our Eagles program (a vetted network of elite external researchers).

  • Flexible bandwidth to support governance reviews, upgrade audits, and tooling support, all simultaneously.

Other proposals mention “three teams” or “multiple firms” without considering the number of LSRs involved in each audit. When it comes to capacity, our model addresses the exact throughput issues Compound has faced in the past.

Lower costs with no tradeoffs

In light of the DAO’s priorities and ZeroShadow’s collaboration with the DAO, we are lowering our proposed fee to $1.5M annually, 60%+ below historical spend and competitive with all finalists, while preserving full audit capacity, vCISO leadership, and security tooling.

We believe this is the most sustainable value-for-cost model for the DAO:

  • Two audits in parallel (not sequentially)

  • Dedicated advisory capacity

  • Named, public-facing vCISO

  • Open-source tooling and continuous education

Web3 is evolving. With increased regulatory focus, institutional scrutiny, and complex governance demands, Compound needs more than audits.

Cyfrin uniquely combines:

  • Security talent trained and led by former senior auditors from the leading firms

  • A strong educational arm (Updraft) to support internal team onboarding and DAO contributors

  • Strategic partnerships across institutions, research organizations, and security standards bodies

This isn’t just about coverage; it is about long-term stewardship, aligned with Compound’s vision.

A commitment to the DAO

We’ve chosen to move forward with the Snapshot vote because we sincerely believe our proposal offers more substantial alignment with Compound’s current needs, particularly in terms of cost efficiency, execution speed, education, and public-facing leadership.

While we respect the Foundation’s process, we believe that the evaluation may have placed too much weight on legacy affiliations and formal verification tooling (we will be using Halmos from A16z ourselves), and not enough on sustained, real-world value to the DAO.

We’re not here to rely on prior relationships or incumbency. We’re here to bring a well-resourced, execution-focused security partner to the table, one that’s capable of delivering both strategic guidance and hands-on security from day one.

Cyfrin brings a leaner security model, built for continuous delivery and engagement, not point-in-time optics.

Compound deserves a partner who is both strategic and hands-on, capable of scaling with the protocol and engaging with the community at every level. That’s precisely what Cyfrin offers.

Updated Proposal

About Cyfrin

Cyfrin is a leading smart contract security firm providing industry-leading security audits, consulting, research, education, professional certifications, and security tools to some of the world’s most prominent institutions, organizations, and protocols.

In the last two years alone, Cyfrin has audited hundreds of protocols, trained over 100,000 blockchain developers and security researchers, and protected more than $40 billion in Total Value Locked (TVL) across various chains. Our team combines technical depth, real-world DeFi experience, and a strong public track record to raise security standards across Web3.

Cyfrin is the security partner trusted by some of the most targeted institutions, protocols, and infrastructure providers, including Uniswap, Lido, Ethena, Chainlink, Axelar, MetaMask, Euler, Ondo Finance, Benqi, Swell, Wormhole, M^0, Curve, Linea, Starknet, ZKsync, and Soneium. Our engagements span the full spectrum of decentralized finance, cross-chain interoperability, and blockchain ecosystems. See the list on our GitHub (note that some reports and/or clients are not listed due to confidentiality).

In addition to our work in Web3, Cyfrin also actively supports leading organisations in traditional finance and capital markets, including PwC, Libre Capital, and Securitize, reflecting our ability to meet the security and compliance standards of both crypto-native and regulated institutions.

Cyfrin acts as a key provider for several security funds, including the Uniswap Foundation, Soneium, and the ADPC, while working closely with Areta, a platform for Web3-native fund infrastructure, to deliver audit services, governance reviews, and deep technical due diligence to protocols backed by these ecosystems. Most recently, the Uniswap Foundation awarded a $1.2 million grant to Areta to launch the Uniswap Foundation Security Fund, aimed at supporting Uniswap v4 hook developers with subsidised access to top-tier audits.

As a member of the Abstract Chain Security Council and a founding member of the ZKsync Security Council, Cyfrin is entrusted with core governance and security roles within the ecosystem. The Security Councils are responsible for safeguarding protocol integrity, coordinating emergency upgrades, and enabling rapid, decentralized responses during high-risk security incidents. Our responsibilities include protocol-level threat modeling, emergency decision-making, and active collaboration with the ZKsync and Abstract Chain core teams, validators, and whitehat communities. This work reflects both Cyfrin’s deep expertise in smart contract security and our commitment to decentralized governance at scale.

In 2025, Cyfrin was part of the response team that helped mitigate a high-severity exploit involving over $5 million in at-risk funds. Acting in coordination with the ZKsync core contributors and other council members, we supported the successful recovery of the funds and closure of the incident via a negotiated whitehat bounty. Cyfrin’s involvement with ZKsync, Abstract Chain, and other Security Councils demonstrates our capacity to secure large-scale, cross-chain, governance-intensive protocols, not just through preventative audits, but by playing an active role in live incident response, security governance, protocol stewardship, and growth.

The Cyfrin Team

Cyfrin is founded and operated by some of the most prominent figures in the Web3 space:

Patrick Collins, CEO and one of the top Solidity educators and engineers worldwide, with over 8 million views on his courses and more than 250,000 subscribers across platforms. Beyond education, Patrick boasts extensive hands-on engineering experience, having worked on critical protocols and integrations within the blockchain space.

Alex Roan, CTO of Cyfrin and a seasoned Web3 developer with deep expertise in DeFi infrastructure. He has played a key role in building and securing major projects, including Chainlink, GMX, and Compound. His contributions have helped safeguard billions of dollars in value across DeFi. Alex’s technical leadership drives the development of security solutions tailored for complex, decentralized protocols.

Hans Friese, co-founder and lead security researcher at Cyfrin, where he drives innovation in smart contract auditing and Web3 security. Renowned for his deep expertise and unmatched precision, Hans earned the distinction of being the #1-ranked auditor on Code4rena. Widely respected, Hans has played a pivotal role in shaping modern smart contract security practices. He is also the creator of Solodit, a platform that empowers auditors and developers by aggregating real-world audit findings.

Dacian, the Security Research and Audit Team Lead at Cyfrin, oversees high-impact smart contract audits and advanced protocol security reviews for some of the most sophisticated projects in the blockchain ecosystem. Known for his meticulous attention to detail and deep understanding of complex DeFi architectures, Dacian is widely recognized as one of the top security auditors in the space. Dacian is a prolific researcher whose in-depth technical articles regularly appear in leading industry publications and newsletters, including BlockThreat.

Mark Scrine, CSO, previously the Strategic Lead for Proof of Reserve & Real World Assets at Chainlink Labs, where he led several of their biggest integrations, including protocols such as Circle, TrueUSD, Matrix Port, Avalanche Bridge, BackedFi, and Swell Network.

Vittorio Rivabella, formerly leading Developer Relations at Alchemy, the leading Web3 infrastructure provider, where he helped create Alchemy University and Road to Web3, educating tens of thousands of engineers.

Overview

To streamline Compound’s ongoing security operations, Cyfrin will dedicate a fully tailored security solution led by a dedicated vCISO, Patrick Collins, a prominent figure in blockchain security. Patrick brings strategic insight, advisory experience, technical depth, visibility, and industry-wide influence through his work on smart contract best practices, wallet security standards, and multi-chain deployment frameworks.

Cyfrin commits four full-time Lead Security Researchers to Compound, along with one vCISO, ensuring rapid, context-aware responses and continuity.

Our audit methodology combines industry-leading expertise and manual reviews with cutting-edge static analysis, fuzzing, and formal verification, our own open-source security tooling, multi-sig threat modeling, and DAO-native incident readiness.

Leveraging our Lead Security Researchers and expertise, we will deliver on-demand availability for the deployment of new capabilities and significant upgrades.

By involving a broader team of seasoned domain-expert Lead Security Researchers, Cyfrin brings a variety of perspectives and fresh insights to each engagement, significantly improving coverage while reducing blind spots. This same layered, battle-tested, and collaborative approach tailored to Compound’s needs will extend to all vCISO discussions and governance reviews, led by Patrick Collins, reinforcing thoroughness and resilience across the board.

This fully personalised, dynamic framework streamlines onboarding and improves both the quality and efficiency of our assessments.

Under Patrick’s leadership, and with the help of 4 LSRs (Lead Security Researchers), Cyfrin will comprehensively cover all of Compound’s security needs, including:

  • Smart contract audits, with targeted formal verification, invariant, and fuzz testing

  • Audits of off-chain components, including infrastructure and tooling

  • Governance reviews, including calldata validation, risk modeling, and simulated executions

  • Real-time monitoring, dashboards, and alerting for governance-critical flows integrated directly into Compound’s coordination tools

  • 24/7 incident response, coordinated with multi-sig and foundation teams

  • War room coordination

  • Periodic security drills and tests

  • Proactive security advisory and security governance, driven by DAO alignment

  • Compound representation in security contexts

In addition to the expertise of our security engineers and researchers, Cyfrin brings unique value through:

  • Cross-chain deployment expertise, including chain-specific threat reviews and onboarding risk assessments

  • Ongoing training and Cyfrin Certifications for Compound contributors at no additional cost

  • Developer education

  • DevSecOps services for multisigs, hardware wallets, and privileged accounts

The vCISO will serve as Compound’s representative in public security-related engagements, acting as the primary point of coordination for security communications and actions. Patrick Collins will make sure that contributors, stakeholders, and the broader Compound community have clear and timely insight into security priorities.

Responsibilities will include scoping and prioritizing security reviews, maintaining a comprehensive knowledge base of current and historical efforts, and defining clear expectations and best practices. The vCISO will work closely with both the Compound Foundation and the DAO, aligning security initiatives with the protocol’s strategic goals.

A team of dedicated Lead Security Researchers will support the vCISO, enabling depth and breadth in execution. The vCISO will also provide ongoing advisory support to Compound, including participating in protocol design discussions, reviewing governance proposals, and assisting contributors in identifying and mitigating risks across the stack.

Finally, Cyfrin will also create Compound-specific content on Cyfrin Updraft, the leading educational platform for Web3 engineers and security researchers, amplifying Compound’s reach to over 100,000 developers (discussed in Section 6).

Cyfrin brings an integrated education funnel, where Compound can not only secure protocol code, but also grow the next 10,000 secure developers building on it.

Existing Relationship With Compound

Cyfrin brings extensive expertise in DeFi protocols, with a strong understanding of Compound’s V3 architecture developed through proactive study of its public codebase, community discussions, and direct auditing experience. Several of our Eagles and Security Researchers have previously participated in audits or projects that are forks of the protocol, demonstrating a proven track record of high-quality findings, including winning a $100,000 contest of a v2 Compound fork.

Our strategy includes arranging a joint kickoff session and launching internal “Compound bootcamps” to accelerate the onboarding of the vCISO and auditors. These bootcamps will be supported by our CTO, former Smart Contract Lead at Chainlink Labs for several Compound integrations, and Cyfrin Eagles Security Researchers, who have previously audited the protocol:

Compound Governance Discussion

Compound Github Commit
Compound Governance Proposal

Testimonial & Testimonial 2 on the work completed

The Cyfrin team has conducted numerous audits across DeFi protocols, with a strong track record in uncovering critical and high-severity issues. The most relevant audit categories include:

  • Lending & Borrowing Protocols
    • Average of 3.67 Critical/High issues per audit

    • Demonstrates our deep technical understanding and consistent identification of high-impact vulnerabilities in complex financial primitives.

  • DAO Governance Systems
    • Average of 4.17 Critical/High issues per audit

    • Reflects our leadership in identifying systemic risks in on-chain governance mechanisms.
