Request for Proposal (RFP): Compound DAO Security Service Provider (SSP)

Section 3: Risk Management and Incident Response

Cantina currently offers full incident command and 24/7 monitoring and response services with a fully staffed SOC team that is intimately trained in both web2 and web3 attack vectors and threats. Our program was created in collaboration with a former lead of threat intelligence at Coinbase and will cover Compound’s complete attack surface for both web2 and web3, and for both physical and digital threats. Cantina offers this as a stand-alone service, meaning it is handled by a dedicated full-time team, separate from our security researchers, so that our customers can count on dedicated attention for their incident command as opposed to a generalized offer facilitated by security researchers who have competing priorities. Cantina’s incident command offering is based on the firm, legally documented SLA response times that are standard in the web2 world, with 24/7 coverage provided by teams across globally distributed timezones. This gives you the benefit of web2’s battle-tested incident command structure while also incorporating the threats that are unique to web3 and the mechanisms needed to account for them, including web3 monitoring tooling and safeguards such as a multisig safe signer and guardian signer. Recent examples of customers who use our full incident command offering include Matter Labs and EigenLayer.

3a) Vulnerability Triage & Disclosure

Communication channels are set up and always available between the Compound and Cantina team. Our global team covers all timezones, allowing for quick reactions and responses.

  • During the course of an audit, the Compound developer team will have 24/7 access and visibility into our internal communication channels and discussions. If a critical bug is discovered during an audit, the exact lines of code and the issue will be described, the responsible people on the Compound team involved in the audit will be made aware of it immediately, and a remediation will be proposed and reviewed to make sure the vulnerability is patched and that the remediation does not introduce any other issues.
  • If the vulnerability is found in live code, it will be immediately triaged by our internal team, and the relevant people at Compound will be notified through our already established communication channels. While establishing contact, the team will be proposing a fix and monitoring the live code. If there is no response, we will contact the relevant points of contact via Telegram, email, Slack, or through any other party that can reach the person(s) responsible for addressing the issue.
  • Our responses and coordination plans are measured in hours. In less than 8 hours a critical vulnerability can be discovered and communicated, a fix can be proposed, and we can help deploy it into production.
  • We will always notify developers and provide advice on fixes.
  • Public disclosure is at the Compound team’s and community’s discretion. We will never publish nor disclose anything unless explicitly allowed.

3b) Incident Response Support

In case of an exploit the following steps are taken:

  1. Compound’s responsible points of contact will be added to a specific war room Telegram channel together with our specialized team of security researchers assigned to the Compound engagement.
  2. Our Incident Response Commander will enter into a call with the Compound team to coordinate all parties and immediately start collecting evidence on a privately shared document.
  3. In the meantime, an OSINT and technical investigation by our security team will be conducted to identify the exact root cause of the issue and start developing a recovery plan.
  4. Thanks to our reputation and connections in the space, we can immediately reach out to any third party to aid in the investigation, such as other whitehats, centralized and decentralized exchanges, private investigators, and law enforcement.
  5. Recovery plans are consolidated using the collected evidence.

A private example of Cantina helping with fund recovery was when one of our clients reached out for help after suffering an exploit. This was not part of any engagement or contract we worked on, but we still stepped in to assist. Following the steps outlined above, we identified the exact root cause and helped pause the protocol. We then conducted an exhaustive OSINT operation to link the hacker’s address to an abandoned CEX account, thus revealing his identity. In less than 5 hours we had enough evidence and information on the hacker to initiate targeted negotiations. The hacker returned the funds when we contacted one of his family members, whom we identified during our OSINT operation, to apply pressure or risk legal consequences. Funds were returned in full.

3c) Continuous Monitoring & Threat Detection

Blockaid and Cantina jointly deliver a comprehensive, multi-layered monitoring and threat detection system that operates 24/7 across all protocol assets, governance mechanisms, and user interactions. Blockaid’s approach combines multiple complementary security solutions in one platform to create an integrated defense framework that protects against the full spectrum of onchain threats while maintaining operational efficiency.

Unlike traditional monitoring solutions that focus solely on post-incident detection, Blockaid provides real-time threat prevention at multiple layers: stopping wallet drainers and malicious dApps at the transaction level to preserve user trust and prevent churn, enforcing security policies at the multisig level, and providing comprehensive threat detection and automated response across the entire protocol infrastructure.

Infrastructure Monitoring Stack

The Blockaid Platform serves as the foundational monitoring layer for Compound’s entire ecosystem, providing real-time visibility and threat detection across all critical assets and operations.

Asset Coverage:

  • Smart Contracts: All Compound V3 deployments across Ethereum, Base, Arbitrum, Optimism, Polygon, Mantle, Scroll, Ronin, Linea, and Unichain

  • Governance Infrastructure: Delegate consolidation, Proposal payload mismatches, quorum risk

  • Treasury & Reserve Assets: Protocol reserves, community multisigs, and treasury wallets across all chains

  • Cross-Chain Infrastructure: Bridge contracts, L2 deployment mechanisms, and chain-specific governance receivers

  • External Dependencies: Oracle feeds, yield-bearing assets, and integrated protocol interfaces

Real-Time Monitoring Capabilities: Blockaid’s monitoring infrastructure continually covers threat vectors across multiple dimensions:

  1. Smart Contract Activity
  • Unauthorized proxy upgrades or implementation changes
  • Suspicious function calls to sensitive protocol methods
  • Unusual permission changes or access control modifications
  • Detection of exploit contract deployments
  • Detection of reentrancy, arbitrary delegatecalls, oracle manipulations, and logical vulnerabilities

  2. Financial Anomalies
  • Large or unusual asset movements from protocol reserves
  • Abnormal liquidation patterns or market manipulation attempts
  • Cross-chain fund movements that deviate from expected patterns
  • Treasury withdrawal anomalies

  3. Governance Security
  • Sudden accumulation of voting power approaching proposal thresholds
  • Malicious proposal monitoring

Threat Detection Engine

Machine Learning-Enhanced Analysis: Blockaid’s detection system leverages ML models trained on billions of onchain transactions to identify suspicious patterns while minimizing false positives. The system automatically learns from the protocol’s normal operational patterns to establish behavioral baselines.

Threat Intelligence Integration: Blockaid’s detection capabilities extend beyond Compound’s directly controlled assets through internet-wide threat intelligence:

  • Emerging Threat Identification: Detection of new drainer-as-a-service kits or exploit techniques that could target Compound

  • Impersonation Monitoring: Continuous scanning for malicious dApps or phishing sites targeting Compound users

  • Supply Chain Threats: Monitoring for compromised frontend deployments or malicious dependencies (both onchain and offchain)

Security Enforcement for Compound Multisig

Blockaid Cosigner is a unique enforcement layer that actively prevents malicious transactions in Compound’s governance and treasury operations. It acts as an additional layer of security specifically designed for Compound’s multisig operations, acting as an automated security reviewer for every transaction before it can be executed.

Policy Enforcement Framework: Cosigner operates as a 1-of-2 Safe wallet that serves as a signer on Compound’s main multisig wallets. Every proposed transaction is automatically:

  1. Simulated on a dedicated node to understand its complete effects: state changes, fund movements, and side effects

  2. Analyzed against Blockaid’s threat detection engine and evaluated against Compound-specific security policies. This includes:

  • Known Threat Detection: Comparing against known attack vectors and exploit patterns

  • Behavioral Analysis: Detecting deviations from normal multisig usage patterns

  • Destination Validation: Verifying interaction with known-safe contracts and addresses

  3. Either approved automatically or flagged for manual review

Compound-Specific Security Policies:

  • Governance Proposal Validation: Ensuring proposal calldata matches expected governance patterns

  • Treasury Protection: Validating that fund movements align with approved governance decisions

  • Upgrade Path Security: Verifying that proxy upgrades point to audited implementations

Override Capabilities: For urgent situations where automated approval is inappropriate, the Compound team retains full control through dedicated override signer keys.

End-User Protection: Transaction-Level Security

Comprehensive Transaction Monitoring

Blockaid’s End-User Protection extends monitoring to every individual transaction across Compound-integrated wallets and interfaces, providing real-time protection at the point of user interaction. Through integrations with leading wallets (MetaMask, Ledger, Coinbase Wallet, Rainbow, and more), Blockaid enables:

  • Real-Time Scanning: Continuous monitoring of Compound-related websites and interfaces

  • Impersonation Detection: Identifying fake Compound interfaces designed to steal user funds

  • Supply Chain Monitoring: Detecting compromised or malicious deployments of Compound frontends

Integrated Alert and Response System

Unified Incident Management

Cross-System Correlation: Threats detected by any component of the Blockaid system are correlated across all monitoring layers:

  • Platform detecting unusual protocol activity can trigger enhanced Cosigner scrutiny

  • End-User Protection identifying widespread phishing attempts can inform Platform monitoring priorities

  • Cosigner detecting governance anomalies can trigger broader Platform investigation

Automated Response Workflows: Critical threats trigger immediate automated responses:

  1. Contract Pausing: Automatic pausing of affected Compound contracts when exploits are detected

  2. Transaction Blocking: Preventing user interactions with compromised contracts or malicious dApps

  3. Governance Protection: Blocking or delaying suspicious governance proposals

Alerting, Escalation & SLAs

Blockaid’s detection engine is tightly integrated with Cantina’s 24/7 staffed Virtual Security Operations Center (vSOC), providing rapid triage and escalation.

Severity | Description | Escalation Path | Example
Sev 0 | Critical threat to funds or governance | PagerDuty → Cantina on-call → Foundation security leads | Protocol pause, treasury drain, rogue upgrade
Sev 1 | High-risk but non-immediate threats | Slack + Telegram + analyst review | Oracle deviation, governance concentration
Sev 2 | Monitor-only anomalies | Logged + batched summaries | Delegation shifts, minor frontend mismatch

Response time SLA:

  • Critical: <5 minutes

  • High: <15 minutes

  • Informational: Batched hourly

Real-Time Alerts:

  • Discord Integration: Immediate alerts to Compound community channels for transparency

  • Email/Slack/Telegram Notifications: Critical alerts sent to Compound Foundation and key stakeholders

  • Platform Access: Real-time visibility into security status through dedicated monitoring dashboards and tools

All alerts are deduplicated, labeled, and triaged by Cantina analysts in real time.

Continuous Vigilance Between Audits

Proactive Threat Hunting

Emerging Threat Research: Blockaid’s security team continuously researches and develops protection against new attack vectors:

  • Novel Exploit Patterns: Studying new attack methodologies to update detection rules

  • Governance Attack Research: Investigating emerging DAO attack vectors and implementing preventive measures

  • Cross-Chain Risk Analysis: Understanding evolving multi-chain attack patterns

Threat Intelligence Feeds:

  • Blockaid Data Network: By analyzing data from both its security integrations and global internet scanning, Blockaid discovers emerging threats as they develop

  • Industry Collaboration: Sharing and receiving threat intelligence with other security providers

  • Community Reporting: Integrating reports from whitehats and security researchers

Adaptive Security Posture

Dynamic Policy Updates: Security policies and detection rules are continuously updated based on:

  • Protocol Evolution: Adapting to new Compound features and deployment patterns

  • Threat Landscape Changes: Responding to emerging attack vectors and exploitation techniques

  • Operational Feedback: Incorporating lessons learned from security incidents and near-misses

Performance Optimization:

  • False Positive Reduction: Continuously tuning detection algorithms to minimize alert noise

  • Response Time Improvement: Optimizing automated response speeds while maintaining accuracy

  • Coverage Expansion: Extending monitoring to new assets and interaction patterns as Compound grows

Cantina integrates with Blockaid to provide the monitoring and alerting portion of our offering. Alongside this comes a multi-stage approach to incident command, covering attack surface mapping, mitigation, and response, as outlined below.

Threat Modeling

Cantina will work closely with Compound’s core contributors to define and document the foundational threat landscape for the protocol. This includes:

  • Identifying the top 3 threats, top 3 crown jewels, and top 3 threat actors

  • Mapping risks across key domains:

    • On-chain assets including:
      • Smart contracts
      • Multisigs, including multisig practices: recommendations on expansion and improvements in structure, implementation, and tools
      • Treasuries
      • Grant systems
    • Front-end interfaces and user interaction points
    • Ecosystem integrations (bridged assets, DeFi dependencies)
    • Infrastructure components (RPC endpoints, load balancers, validators)
    • Social and communication channels, including brand integrity risks
    • Personnel and endpoint vulnerabilities
    • Physical and nation-state threat scenarios

Expected Outcomes

  • Detailed threat modeling profiles for each key domain
  • Initial risk mitigation recommendations mapped to critical assets
  • Foundation for integrating detection, monitoring, and IR escalation into Client’s workflow

Program Design and Training

Cantina will guide the creation and refinement of a customized Incident Command (IC) playbook tailored to Compound’s operational environment. This includes:

  • Designing and validating the full IC process from detection to containment
  • Clearly defining roles and escalation paths across technical, legal, governance, and comms teams
  • Outlining internal and external communications procedures, including:
    • Law enforcement coordination
    • Social media response strategy
    • Protocol shutdown decision-making
  • Delivering legal and operational checklists and decision trees for high-severity scenarios
  • Assigning ownership of emergency contact trees and escalation responsibilities

Expected Outcomes

  • Delivery of Incident Response Playbook v1
  • Visual escalation and communication protocol map
  • Complete emergency contact coordination table

Attack Simulations

Cantina will design and execute a customized, live tabletop simulation to test Compound’s incident readiness. This scenario will be tailored to include realistic technical, legal, and communications challenges, and will engage both internal and external stakeholders.

Simulations may include:

  • Social team takedown scenarios (e.g., impersonation, coordinated disinfo)
  • DeFi protocol exploits with live triage walkthroughs
  • Treasury multisig phishing or compromise under time pressure

The exercise will evaluate response workflows, communication coordination, and decision-making under stress.

Expected Outcomes

  • Comprehensive Tabletop Exercise Report
  • Detailed Gaps & Friction Analysis
  • Actionable Recommendations to improve:
    • Response speed
    • Access control
    • Decision thresholds
  • Updated Incident Response Plan incorporating drill learnings

Security Development Plan

  • Synthesize findings from all previous exercises
  • Develop a prioritized plan covering security controls, processes, and monitoring enhancements

Expected Outcome:

  • Security development plan with actionable steps for continuous security improvement

Integration into Compound’s Multisig

Cantina will serve either as a trusted signer on Compound’s multisig or as a guardian signer, ensuring that the incident command team has eyes on all transactions and that no faulty, bugged, or malicious transactions are executed.

Incident Command Continuous Monitoring and Response SLA

Cantina will deliver Incident Command service to Compound, enabling rapid detection, escalation, and response to critical security incidents.

This includes:

  • Full integration with Blockaid on Compound’s behalf
  • 24/7/365 availability of Cantina’s Security Analyst team with active multisig signing authority for emergency protocol pausing. Compound will be fully onboarded into Cantina’s globally distributed incident response infrastructure, with escalation channels, war room coordination processes, and protocol-level mitigation paths configured. Cantina will respond to critical incidents within 15 minutes, executing predefined actions aligned with Compound’s incident response playbook.
  • SLA on all events: 15 minutes

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model

Commercials submitted via private form as per request

4b) Milestones and Performance Metrics

Milestones:

  • Audit scopes acknowledged within 1 hour from receipt, and final quote delivered within 5 hours

  • Audit team booked and ready to kick-off within 24-48 hours of contract confirmation

  • Audit reports delivered within 1 business day of fix review completion (draft) and fix review confirmation (final)

  • Outreach about any critical issues delivered within 1 hour

  • Critical issues triaged within 24 hours

  • 1 Cantina representative to participate in governance calls and inform the community of security initiatives/updates during this time

4c) Conflict of Interest Declaration

Cantina works with multiple DeFi protocols, some of which are Compound competitors; however, we have no known conflicts. Should a conflict arise, we will notify the Compound team immediately. Note that Cantina has multiple types of confidentiality safeguards and protections in place to ensure.

4d) Transition and Offboarding Plan

Due to the use of Cantina Code, Cantina can easily export and share all audit reports with the incoming provider and will facilitate one month of transitional services to ensure a smooth transition to the new team. We will be fully offboarded, with the new team onboarded, within 30 days and available to help with any remaining questions for another 30 days (60 days in total).


Section 5: Service Level Expectations (SLA)

5a) Incident Response

Reaction times are below 15 minutes, since we use Cantina’s Incident Command System and have a team of tier 1 security analysts. Coverage is 24/7 across all timezones. In an urgent situation, our automation tools will raise an alert for the incident and create a Slack channel to which the Compound team will also have access. Security analysts will triage the issue in less than 15 minutes and execute the playbook.

5b) vCISO Support

  • On-demand advisory: Same day

  • vCISO check-ins: Weekly

  • Threat modeling refresh: Monthly

  • Attack simulations: Twice annually

  • Primary contact: vCISOs

  • Secondary contact: Account manager

5c) Governance Proposal Reviews

From proposal request to kick-off: 24-48 hours

The team is available for all last-minute requests and will maintain a 48-72 hour turnaround.

Findings will be delivered via report to the DAO for delivery to the community

5d) Code Audits

A 24-48 hour lead time is feasible for all projects; however, as much time as possible is always appreciated.

Audit to kick off within 24-48 hours from booking request for all team sizes

  • Once the audit completes, the Compound team will then implement fixes and drip those fixes back to the audit team so that the audit team can confirm that they were implemented correctly and introduce no new findings

  • The draft report will then be delivered to client within 1 business day for all scopes

  • Once the Compound team and the Cantina team have agreed that all fixes have been implemented correctly, Cantina will deliver the final report within 1 business day for all scopes.

  • After the final report has been delivered, clients will be able to onboard into Cantina’s Bug Bounty Program free of charge.


Final Considerations

Cantina is pleased to submit this proposal in response to Compound’s Security Partnership RFP. With our founding in 2022 and specialized focus on on-chain and off-chain security, we understand the critical security challenges facing DeFi protocols like Compound, and we are confident in our ability to provide comprehensive security coverage.

Our proposed solution leverages a proven hybrid security model and cutting-edge monitoring technologies to ensure continuous protection across all of Compound’s multi-chain deployments and holistic attack surface. We’ve included a flexible engagement structure designed to align with your operational and commercial needs while providing maximum security coverage.

Key Benefits of Our Proposal Include:

Comprehensive Security Leadership: Dual vCISO model providing both on-chain protocol expertise and operational security oversight, ensuring strategic security planning, threat modeling, and executive-level communication with the DAO while maintaining continuous context across all security initiatives

Enterprise-Grade Incident Response: Professional 24/7 security operations center with trained tier-1 analysts across all timezones, delivering sub-15 minute response times, coordinated war room capabilities, and proven fund recovery expertise through established relationships with exchanges, law enforcement, and white hat communities

Proven DeFi Expertise: Deep specialization in lending protocols and governance security with extensive track record across Aave, Morpho, Euler, Sky and other major DeFi platforms, including experience with multi-chain deployments, protocol upgrades, and complex governance attack vectors specific to Compound’s ecosystem

Institutional-Quality Infrastructure: Proprietary Cantina Code platform for real-time audit tracking, established partnerships with leading security tools and mature incident response systems that integrate seamlessly with your existing operational workflows to streamline your security infrastructure

Our Track Record

Our clients, including Aave, Coinbase, Uniswap, Optimism, and Sky, have seen measurable security improvements through our multi-layered approach and we are proud to deliver them continuous security support.

Additional Offerings - Institutional Support

Along with our security services, Cantina is also deeply entrenched in the web2 and web3 community at large with meaningful relationships across a wide range of institutions. As the web2 world begins to pursue web3 partnerships at an increasing rate, Compound is well positioned to be a preferred partner in web2 adoption of blockchain. To help facilitate this, Cantina will commit to making formal introductions between the Compound team and all institutions Cantina currently works with as well as performing 5 hours of dedicated business development work for institutional connections on Compound’s behalf each week. Due to our extensive security community who come from a diverse set of web2 backgrounds and our Web3SOC due diligence efforts on the behalf of institutions looking to participate in web3, we have extensive connections to top institutions and will utilize these connections on Compound’s behalf. Outside of these efforts, Cantina will also represent Compound alongside Cantina at all institutional events and invitationals.

We’re excited about the opportunity to bring our proven security expertise to Compound and are committed to delivering exceptional service that protects Compound and its community while also contributing to Compound’s growth. We welcome the opportunity to discuss this proposal in detail and look forward to partnering with you on this critical security initiative.

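The Cosigner policy checks described in the Cantina proposal above (destination validation, treasury protection, and upgrade path security, applied before a multisig transaction is signed) can be illustrated with a small pre-signing policy check. The block below is an added example written for this page; it is not Blockaid Cosigner or Cantina code. It assumes a transaction given as (to, value, data), uses the standard ERC-1967/UUPS upgradeTo(address) and ERC-20 transfer(address,uint256) selectors, and the Policy and Verdict types, the addresses and the transfer cap are constructed placeholders. The simulation step, which needs a node, is left out.

```python
"""Pre-signing policy check for a multisig (Safe-style) transaction.

Added illustration: hypothetical code, not Blockaid Cosigner or Cantina code.
It models the policy-analysis step over a transaction given as (to, value,
data); simulation on a node is out of scope. Addresses and caps below are
constructed placeholders, not real Compound contracts.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# 4-byte function selectors (first 4 bytes of keccak256 of the signature).
SEL_UPGRADE_TO = "3659cfe6"      # upgradeTo(address), ERC-1967 / UUPS proxies
SEL_ERC20_TRANSFER = "a9059cbb"  # transfer(address,uint256)


@dataclass
class Policy:
    allowed_destinations: set[str]     # contracts the multisig may call
    audited_implementations: set[str]  # implementations an upgrade may point to
    transfer_cap: int                  # largest outflow allowed without review


@dataclass
class Verdict:
    approved: bool
    reasons: list[str] = field(default_factory=list)


def _word_to_addr(word: str) -> str:
    """Low 20 bytes of a 32-byte ABI word as a lowercase 0x address."""
    return "0x" + word[-40:].lower()


def encode_upgrade_to(impl: str) -> str:
    """Build upgradeTo(impl) calldata (constructed test input)."""
    return "0x" + SEL_UPGRADE_TO + impl[2:].lower().rjust(64, "0")


def encode_transfer(recipient: str, amount: int) -> str:
    """Build transfer(recipient, amount) calldata (constructed test input)."""
    return "0x" + SEL_ERC20_TRANSFER + recipient[2:].lower().rjust(64, "0") + format(amount, "064x")


def check_transaction(to: str, value: int, data: str, policy: Policy) -> Verdict:
    """Approve only if every policy passes; otherwise flag the transaction
    with every reason found, so the manual reviewer sees the full picture."""
    reasons: list[str] = []
    to = to.lower()
    calldata = data.lower().removeprefix("0x")
    selector, args = calldata[:8], calldata[8:]

    # Destination validation: only known-safe contracts may be called.
    if to not in policy.allowed_destinations:
        reasons.append(f"destination {to} is not on the allowlist")

    # Treasury protection: native value leaving the multisig is an outflow.
    if value > policy.transfer_cap:
        reasons.append(f"native value {value} exceeds cap {policy.transfer_cap}")

    # Upgrade path security: an upgrade must point to an audited implementation.
    if selector == SEL_UPGRADE_TO:
        if len(args) < 64:
            reasons.append("malformed upgradeTo calldata")
        else:
            impl = _word_to_addr(args[:64])
            if impl not in policy.audited_implementations:
                reasons.append(f"upgrade target {impl} is not an audited implementation")

    # Treasury protection: ERC-20 transfers above the cap need manual review.
    elif selector == SEL_ERC20_TRANSFER:
        if len(args) < 128:
            reasons.append("malformed transfer calldata")
        else:
            amount = int(args[64:128], 16)
            if amount > policy.transfer_cap:
                reasons.append(f"token transfer of {amount} exceeds cap {policy.transfer_cap}")

    return Verdict(approved=not reasons, reasons=reasons)


# Constructed placeholder addresses (not real Compound contracts).
PROXY = "0x" + "aa" * 20
AUDITED_IMPL = "0x" + "bb" * 20
UNKNOWN_IMPL = "0x" + "cc" * 20
TOKEN = "0x" + "dd" * 20
RECIPIENT = "0x" + "ee" * 20

EXAMPLE_POLICY = Policy(
    allowed_destinations={PROXY, TOKEN},
    audited_implementations={AUDITED_IMPL},
    transfer_cap=10**21,  # 1,000 tokens at 18 decimals
)

if __name__ == "__main__":
    samples = [
        ("routine upgrade", PROXY, 0, encode_upgrade_to(AUDITED_IMPL)),
        ("rogue upgrade", PROXY, 0, encode_upgrade_to(UNKNOWN_IMPL)),
        ("large transfer", TOKEN, 0, encode_transfer(RECIPIENT, 10**24)),
        ("unknown contract", "0x" + "ff" * 20, 0, "0x"),
    ]
    for name, to, value, data in samples:
        v = check_transaction(to, value, data, EXAMPLE_POLICY)
        print(f"{name}: {'approved' if v.approved else 'flagged'} {v.reasons}")
```

The check deliberately collects every failing policy rather than stopping at the first one, because the value of a flagged transaction to the manual reviewer is the full list of what looked wrong; a real deployment would additionally feed the simulated state diff from the node into the same kind of rules.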

Sherlock & Guardrail - Proposal for Compound Security Partnership - Part 1

Executive Summary

Sherlock, in partnership with Guardrail, proposes an industry-leading, highly responsive, cost-efficient, and holistic security solution to empower Compound’s growth. With over 350 audits completed and a 94% success rate in identifying Medium+ vulnerabilities, Sherlock leverages an in-house team of elite Security Researchers (SRs), a dedicated scoping team for rapid turnarounds, and an unmatched pool of over 10,000 independent Security Researchers to deliver scalable, high-performance security services for high-stakes blockchain infrastructure like Ethereum, Aave, Cosmos, Sky/MakerDAO and hundreds of others.

Extending security past audits and advisory, Guardrail provides the most advanced continuous monitoring, detection, and incident response system in Web3 for teams like Eigenlayer and Euler. Guardrail’s system covers AI-based anomaly detection, custom-invariant monitoring, financial risk, operational risk, and multi-chain threats. A highly modular approach allows for complete security coverage of every on-chain use case (bridges, stablecoins, AMMs etc).

Sherlock has been deeply involved in the Compound community, posting DAO proposals and hosting calls with stakeholders, core members, and delegates to gather feedback. The takeaway: speed, quality, and scalability are key to removing the current bottlenecks to Compound’s growth. We spent time manually scoping every publicly available audit scope available on the forums to better inform our team of how we can be most helpful to Compound. Sherlock’s solution dedicates a team of top-caliber researchers to Compound, augmented by on-demand talent from our platform of 10,000 researchers. This approach is perfectly suited to Compound’s current position. The speed and scalability we can provide will enable Compound to vastly accelerate its pace of development, reduce security costs by at least 75%, and bolster Compound’s position as a beacon of growth and innovation.

About Sherlock

Sherlock is the leading blockchain security platform, founded in 2021, dedicated to safeguarding Web3 by providing audit contests, traditional audits, bug bounties, exploit coverage, security advisory, and more. We have exclusive agreements with the world’s quantifiably top security researchers through our elite Blackthorn security group, where they work exclusively with us on audit contests, traditional audits, advisory engagements, and more. We also have a broader network of over 10,000 independent researchers on our platform who compete to identify vulnerabilities in users’ codebases. Our unique approach combines the meticulous focus and collaboration of traditional audits with the extensive participation of security experts from our audit contests, creating a scalable “best of both worlds” solution.

Sherlock is trusted by leading teams in the blockchain industry such as Ethereum, Optimism, Aave, Cosmos, Babylon, Sky and many more. Sherlock recently served as the last line of defense for high-stakes updates to Ethereum and Aave. Please see the following case studies, illustrating how we identify more critical vulnerabilities than competitors, more quickly.

Unmatched Speed and Scalability

Speed is a core strength at Sherlock. In addition to our assigned “bench” of SRs dedicated specifically to Compound, we can also tap into our talent pool of 40+ Lead Senior Watsons and over 10,000 independent researchers to scale resources instantly, allocating multiple auditors for parallel reviews or surging capacity for critical incidents. If needed, we can conduct 5 audits simultaneously without sacrificing quality, ensuring no delays in protocol upgrades or expansions.

This depth and flexibility enable Sherlock to deliver more responsive, scalable services than any other firm, minimizing bottlenecks and aligning with Compound’s dynamic DeFi environment.

About Guardrail

Guardrail is the fastest-growing, customer-loved on-chain monitoring, detection & incident response platform for blockchain security. Founded in 2022, our mission is simple: make DeFi safer for all. Our core principles are quality first, transparent partnership over product, 24/7 customer service, and custom over generic security. We recognize security doesn’t stop at audits. Teams need continuous attacker research, 24x7 contract visibility, and context-aware workflows in-house to respond to threats in real time.

Using Guardrail, teams gain access to the most advanced monitoring capabilities, rigorous threat analysis, and a well-connected incident response system in crypto:

  • Comprehensive analysis across AI-powered anomaly detection, custom invariant monitoring, financial risk assessment, operational risk management, and multi-chain threat detection.
  • Universal monitoring with a modular design: build once, use anywhere.
  • White-glove implementation for the highest precision and fastest time-to-deployment.

What sets us apart: Our combination of proprietary infrastructure + proven enterprise delivery + unique technical capabilities makes Guardrail the only monitoring solution capable of matching Compound’s scale and security requirements:

  • Technical innovations in real-time monitoring: Only monitoring team with dedicated data infrastructure team creating:
    • SOTA price engine for token prices, pool metrics, and onchain fund flows analysis.
    • Unique technical solution for multi-chain monitoring not offered by competing monitoring tools.
    • Only real-time solution creating per-contract trained models for anomaly detection, with at least 2x (higher in most cases) relative performance to competing AI applications.
  • Designed and deployed 50+ guards to secure protocol components (including previously not possible detectors elsewhere) for Eigenlayer.
  • 45 custom monitors and new chain support delivered within 48h for Story Protocol.
  • Consolidated 3 monitoring tools and delivered dynamic oracle monitoring for Euler’s modular vault system.
  • Contextual AI powered guards & auto-monitor configurator built for Magic Labs.
  • 2x more accurate AI anomaly detection model developed and shipped for Scroll within 14 days, trained on over 100 past incidents.

Our team is over 90% engineers with security experience, trained at the University of Waterloo and previously at companies such as LinkedIn, Palantir, and Messari. We’re an RSA Security Launch Pad Winner and are backed by Haun Ventures, Coinbase, AllianceDAO, DeFi builders, and CISOs from Chainlink.

Contacts

Primary Contact: Gabriel Jaldon (vCISO) / gjaldon85@gmail.com / TG: @gjaldon

Secondary Contact: Chris Stevenson (Sherlock) / chris@sherlock.xyz / TG: @glory_eth

Secondary Contact: Samridh Saluja (Guardrail) / samridh@guardrail.ai / TG: @sam_saluja

Existing Relationship with Compound

We have multiple top Sherlock and Blackthorn researchers who have made deep contributions to Compound’s protocol evolution and security enhancements, particularly since the launch of Compound V3 (Comet).

Gabriel Jaldon (vCISO)

Gabriel Jaldon is a Founding Security Researcher at Blackthorn and Lead Senior Watson with over 10 years of experience, having transitioned into Web3 auditing with a focus on Solidity, EVM, and DeFi protocols. Proficient in languages including Solidity, Rust, and Go, he brings a multidisciplinary approach to security research and development. Gabriel has significant DAO security experience, holding one of only two positions on Optimism’s Developer Advisory Board Audit Request Team.

  • CometWrapper Development: Authored the initial version of the CometWrapper - an ERC20 token wrapper for Compound V3 that replicates cToken-like exchange-rate behavior to enhance compatibility and ease of integration. This initiative was executed under a Compound grant, streamlining user interactions with Compound III assets.
  • Reserve Collateral Plugins: Engineered Reserve’s collateral plugins for Compound V3, enabling secure collateral management and seamless incorporation into the Reserve Protocol ecosystem.
  • Expertise and Validation: With more than 10 years of software development experience and specialized expertise in Web3 auditing (focusing on Solidity, EVM, and DeFi), Gabriel’s proficiency in languages like Solidity, Rust, and Go has facilitated thorough validation of protocol upgrades. His impressive track record of several audits in the last years further solidifies his expertise.

Eric Shi (aka pkqs90)

Eric is a Founding Security Researcher at Blackthorn and Lead Senior Watson at Sherlock, specializing in smart contract audits with a proven track record in public audit contests. He has 11 first-place finishes and 17 top-3 placements, including dominating Uniswap V4 hook audits, Fraxlend forks, and liquid restaking systems. His prior work in complex system design (self-driving cars) complements his ability to analyze intricate DeFi logic.

  • Placed 2nd in the Deepr audit contest (a Compound V2 fork), identifying 4 medium-severity findings related to interest rate and collateral flows, thereby improving the security of lending and staking mechanisms in Compound-like systems.
  • Contributed to the security of related lending protocols through audits of Fraxlend forks (e.g., 1st place in Peapods, a volatility farming system based on Fraxlend), addressing global interest rate calculations and liquidity flows that align with Compound’s lending models.

Vijay Reddy (aka jokr)

Vijay is a Lead Senior Watson and specialized Compound auditor specializing in interest rates, collateral, and liquidity management, with a focus on Solidity and DeFi risks such as reentrancy, oracle manipulation, slippage, and MEV-aware lending.

  • Placed 1st in the Numa audit contest (a Compound fork), identifying high- and medium-severity findings on token accounting, thereby strengthening liquidity and collateral handling in Compound-like systems.
  • Placed 1st in the Deepr audit contest (a Compound fork), uncovering 1 high-severity and 3 medium-severity findings on interest model drift, improving the robustness of interest rate calculations and lending flows.

Linus Lepschies (aka oot2k)

Linus Lepschies was an auditor for Compound V2, bringing expert-level knowledge of Compound-based lending protocols and in-depth familiarity with its architecture and security risks.

  • Audited MetaLend (a Compound V2 fork), contributing to the security validation of its lending architecture.
  • Audited other Compound-related lending markets, such as Predict.fun, where he uncovered 2 medium-severity issues including collateral seizure and repayment denial vectors.
  • Audited Venus Isolated Pools, identifying vulnerabilities like frontrunning, staking dilution, and exchange rate manipulation, which align with Compound’s pooling and lending models.

Team-Wide Security Enhancements

Complementing the above work, our security research team has extensively audited Compound V2 forks and analogous lending protocols, uncovering critical vulnerabilities to bolster overall ecosystem security. Notable achievements include:

  • Deepr Audit (Compound V2 Fork): Top placements identifying medium-severity issues in interest rates and collateral flows, as well as high-severity findings on interest model drift.
  • Numa Audit (Compound Fork): Exposing high- and medium-severity flaws in token accounting to strengthen liquidity and collateral handling.
  • Metalend Audit (Compound V2 Fork): Validating lending architecture against exploits like collateral seizure, repayment denial, frontrunning, and exchange rate manipulation.
  • Lend Audit (Compound-Based Contest): Top performances in Lend and other Compound-based contests, validating lending flows and cross-chain integrations.

Additional Forks and Related Systems: Expertise in forks like Mach (focusing on interest and flows), Fraxlend (addressing global interest rate calculations), and Venus Isolated Pools (identifying vulnerabilities such as oracle drift and liquidation mechanics), preventing risks that could mirror those in Compound’s models.

Relevant Security Partnerships or Clients

Sherlock has supported numerous DAOs and DeFi protocols, particularly those involving governance, lending, and cross-chain functionalities. Notable examples include:

  • Sky/MakerDAO: Sherlock hosted a $1.35M audit contest for Sky/MakerDAO’s codebase, focusing on governance and lending aspects.

“It only makes sense that our team would work with the market leader, Sherlock.” - Rune Christensen, Founder of Sky/MakerDAO

  • Optimism Ecosystem Projects: Sherlock audited Kyo Finance, a DEX and liquidity hub on Soneium (an Optimism grantee), emphasizing cross-chain liquidity. They also serve as a governance delegate for Morpho Labs on Optimism.

“Optimism’s codebase was audited by the best in the industry before coming to Sherlock, and the Sherlock audit contest still surfaced unique issues that we were grateful to learn about before deploying. If possible, I’d recommend any protocol team try a Sherlock audit before going to mainnet.” - Optimism

  • Ethereum Foundation: EF chose to pay Blackthorn over 40+ other firms that offered free services due to the fact that each Blackthorn auditor is quantifiably one of the best in the world. 1 Medium and 16 Low bugs were found - significantly more than the EF team expected.

“We chose Blackthorn because we were intrigued by the value of having multiple independent security researchers collaborating together. The findings increased the security and overall confidence in the bytecode system contracts of Ethereum. Our favorite part was the collaborative environment and effective feedback cycle between our team and Blackthorn, making it a very productive experience.” - Ethereum Foundation

  • Aave: Sherlock contributed to the security review of Aave v3.3 and Aave v3.4 upgrades, which include governance and liquidation mechanisms.
  • Lending Protocols: Audited Extra Finance (smart-account multi-chain lending strategies), LEND Finance (omnichain lending and borrowing), Notional Finance (lending with external integrations), Sentiment V1/V2, and Zerolend One.

“Notional has gotten 14 audits from 6 different firms, and ever since we first used Sherlock in October of 2022 they have been, and will continue to be for the foreseeable future, our exclusive audit provider. Sherlock is the best audit experience we’ve ever had, hands down.” - Notional Finance

  • Cross-chain Protocols: Audited Zeta Blockchain (cross-chain infrastructure), BreederDodo (ZetaChain-powered cross-chain DEX), and Tapioca DAO (omnichain money market).
  • Other DeFi/DAO Examples: Audited Tally (ARB governance staking), Symm.io (derivatives with staking/vesting), Telcoin (updates with cross-chain elements), and PinLinkAi (AI-related DeFi).

Sherlock also has an extensive track record as a key security partner for a range of ecosystem security and audit grant programs, including Arbitrum, Optimism, Uniswap, Soneium, Scroll, and more.

Guardrail monitors protocols across every vertical of crypto, delivering real-time visibility, threat detection, and automated responses to safeguard $1.3B in assets across 24+ chains.

Over the last 6 months, Guardrail has onboarded one protocol weekly - many migrating from incumbents - and no team has ever deactivated Guardrail once live, underscoring its indispensable value in preventing exploits.

Trusted by leading DeFi innovators, relevant clients include:

  • EigenLayer: Full-stack monitoring covering Beacon chain, AVS, and internal/external threats for comprehensive restaking security.
  • Euler Finance: Vault and price feed monitoring, consolidating three tools into one for oracle deviation tracking and multi-chain scalability.

“Getting from three tools to one… is a huge win.” – Erik Arfvidson, Head of Cybersecurity

  • Avantis Finance: Invariants and price flow monitoring, automating suspicious activity alerts via Slack/PagerDuty.
  • BadgerDAO: Governance and post-hack monitoring.
  • Concero: Bridge aggregator multi-chain monitoring, ensuring transaction integrity with custom guards and instant anomaly detection.

“No one can tell me anything that will convince me not to use Guardrail.” – Andy Bohutsky, Founder

In every engagement, we’ve augmented customers’ teams with our SRs for seamless onboarding and resolutions. Guardrail delivers a consolidated, reliable, and intelligent platform, addressing gaps in tools like Tenderly, Hypernative, and OpenZeppelin Defender.

Section 1: Scope of Security Work

1a) Scope of Services Overview:

Sherlock offers comprehensive on-chain security reviews at every stage. A dedicated team, with deep Compound experience, will be assigned to the Compound ecosystem for the full duration of our partnership. During periods of heightened demand, we will also leverage our flexible pool of talent on the platform to provision additional resources, allowing us to perform up to 5 audits simultaneously when needed, and reducing any potential bottlenecks to progress without sacrificing quality.

  • Ongoing Smart Contract Audits & Code Reviews: Sherlock performs full-codebase audits for new deployments, protocol upgrades, new markets, new assets, new external oracles, and ongoing maintenance. Each audit includes one of our dedicated Compound auditors as well as specifically selected independent researchers from our platform as needed.
  • Governance/Proposal Reviews: Our team, with the vCISO acting as a dedicated security partner, will review any governance proposals or contract changes for Compound. We identify risk conditions in proposals and advise the community on security implications.
  • vCISO: Sherlock will include a dedicated vCISO who will provide ongoing security advisory, guide governance and protocol enhancements, ensure alignment with best practices, and serve as the DAO’s point of contact for audit findings, security reviews, and on-demand guidance, while maintaining tailored security documentation.
  • Monitoring: Guardrail monitors all assets, contracts, and wallets across Compound’s ecosystem with 24x7 protection and is tightly integrated with Sherlock.
    • Guardrail is the only team across monitoring platforms focused exclusively on monitoring (not offering fraud prevention, testnet as a service, wallet MPC etc). Due to this extreme focus on monitoring, we have faster iteration, deeper coverage and better outcomes.
  • Pentesting: Infrastructure and application-layer penetration testing to identify and mitigate vulnerabilities.

1b) Multi-Chain Support & Upgrade Expertise:

Sherlock’s model is uniquely suited to meet Compound’s needs, offering demonstrated experience across various chains. Our audit capabilities are chain-agnostic and have been battle-tested on complex cross-chain deployments.

Sherlock conducted a comprehensive audit contest for ZetaChain, a foundational protocol with a novel cross-chain messaging architecture. The audit scope was extensive, covering the Cross-Chain Transaction (CCTX) logic, token wrapping and unwrapping mechanisms across multiple chains, and the security of the off-chain Threshold Signature Scheme (TSS) relayer. This engagement demonstrates our ability to analyze and secure new and complex cross-chain primitives at their deepest level.

Our audit of DODO’s cross-chain decentralized exchange required a deep analysis of its integration with ZetaChain’s infrastructure. This included assessing the critical onRevert and onAbort logic, which handles failed cross-chain transactions - a common source of vulnerabilities in cross-chain applications.

Beyond these specific audits, our history is replete with protocols planning deployments across multiple EVM-compatible chains. In each engagement, our auditors conduct a detailed analysis of the specific requirements and nuances of the target chains. This meticulous, chain-aware approach is critical for ensuring security across the diverse landscape of L2s. Our auditors look at all of the specificities of different rollup types, from EVM-equivalent (Type 1) to EVM-compatible (Type 2) environments. They pay special attention to potential issues that can arise in Type 2 rollups, where subtle differences in precompiled contracts, gas costs, or opcode behavior can introduce unique risks. By thoroughly analyzing these chain-specific details, we ensure the protocol’s logic remains sound and works perfectly on every intended chain (e.g. Titles, Real Wagmi, Allo V2).

The vCISO will be deeply engaged in Compound’s multi-chain expansion. For any new chain Compound targets for deployment, the vCISO’s primary responsibility is to become an expert on that specific environment to preempt any potential issues.

This process begins with the vCISO taking a close, manual look at the code, performing a detailed analysis of the smart contracts and their interactions. They will then thoroughly review all relevant documentation and the technical specifics of the target EVM chain. This deep dive allows the vCISO to build a comprehensive understanding of potential architectural, economic, or composability risks that could arise from the new deployment. By understanding the unique properties of each chain, the vCISO can identify and help mitigate problems before they occur, ensuring that each new deployment is as secure as the last.

Guardrail is live across 45 chains, with Compound’s target chains all included in that list.

Guardrail also supports select non-EVM chains & high throughput chains, and has a unique technical solution for multi-chain monitoring not offered by competing monitoring tools.

1c) Resource Allocation and Availability:

Allocation and Availability

  • Gabriel Jaldon, Compound’s dedicated vCISO will provide ongoing security advisory, guide governance and protocol enhancements, ensure alignment with best practices, and serve as the DAO’s point of contact for audit findings, security reviews, and on-demand guidance, while maintaining tailored security documentation.
  • Four Full-Time Security Researchers (named above) dedicated to Compound (who have audited Compound V3 in the past), available to begin working on new audits and other security work immediately.
  • Eight On-Call Security Researchers who have already audited Compound V3 and can be flexibly called in to handle periods of large workloads.
  • One Full Time Project Manager to coordinate and communicate between the various stakeholders.
  • If needed, Sherlock will select additional backup capacity from our 40+ Lead Senior Watsons and 10,000 independent researchers anytime simultaneous audits are needed. Each audit will be led by one of the four dedicated Compound SRs.
  • 1 FTE selected from Guardrail’s team of dedicated DeFi Security researchers and incident responders.

Historical Context

Sherlock has been active in Compound’s governance for over a year, participating in discussions, speaking with delegates and other stakeholders, and learning about the needs of the DAO and the community. What we heard was loud and clear - the existing $4mm engagement with OpenZeppelin was inadequate for the needs of a dynamic and fast-moving organization like Compound, leading us to author a proposal as far back as June 2024. There were two significant issues with the OpenZeppelin relationship that we repeatedly heard from stakeholders:

  • Lack of Speed - Compound’s development and competitiveness as a lending protocol was consistently held back by months due to OpenZeppelin’s delayed scheduling, lengthy backlog, and lack of ability to run multiple concurrent audits.
  • Exorbitant Cost - OpenZeppelin’s $4mm annual contract, when amortized over the work completed, was the largest cost by far for all chain, market, and asset additions, as seen in AlphaGrowth’s analysis.

Our Solution

Sherlock is singularly suited to solve this problem. We have a unique combination of exclusive, high-caliber dedicated talent along with a community of 10,000 independent researchers. This combination cannot be replicated by any other company, and allows Sherlock to produce quantitatively better results, perform more audits simultaneously than any other company, and execute the entire audit process with speed that can’t be matched.

Sherlock has handpicked a “Seal Team 6” of researchers who have experience with Compound V3 and will be specifically dedicated to working on Compound audits and other security work in the scope of this proposal.

Monitoring & Incident Response

  • Joint Dedicated Security Operations Team:
    • Incident responders with experience handling over 200 incidents
    • 24x7x365 coverage across timezones and escalating triage policies
    • Specialized in-house DeFi security researchers bringing exploit investigation analysis expertise
  • Guardrail’s Proven On-Demand Scaling:
    • 40 custom monitors created, tested, and deployed in one day for critical deployments
    • New chain implementation within 24 hours (based on past experience)
    • Custom monitoring use cases development with a 24-48 hour turnaround
    • <1 second detection across 24+ chains
  • Guardrail’s Compound-Specific Resource Commitment:
    • Dedicated technical point-of-contact for Compound’s unique monitoring needs
    • Direct access to Guardrail’s security analysts for threat intelligence & incident response
    • Weekly platform optimization & internal check-ins specifically tuned for Compound’s smart contracts
    • Network intelligence & product insights from monitoring Euler, Avantis, BadgerDAO, BlueFin, Pendle, Li.Fi

1d) Additional Services or Tools (if any):

$500,000 Bug Bounty & Exploit Coverage: Every Compound audit through Sherlock is automatically enrolled in a 1-month, $500,000 bug bounty & exploit coverage program. This ensures that Compound users are protected not just after the audit process but also throughout daily operations, providing extended security assurance.

Complimentary Bug Bounty Hosting and Triaging: Sherlock offers complimentary bug bounty hosting for Compound. This service encourages ongoing security vigilance by incentivizing the wider community to identify and report vulnerabilities, thereby enhancing the protocol’s overall security posture. The same team of researchers who audit Compound will also triage vulnerabilities submitted through this program, ensuring fully-integrated, lightning-fast responses to any potential threats to Compound by the security researchers who know Compound best.


Sherlock & Guardrail - Proposal for Compound Security Partnership - Part 2

Section 2: Technical Methodology and Audit Process

2a) Audit Methodology:

The centerpiece of Sherlock’s methodology is an intense emphasis on manual review by the world’s best auditors, with a focus on finding Critical vulnerabilities that defy core protocol invariants. Our auditors augment this core foundation with proprietary, cutting-edge tooling, giving them the ability to find vulnerabilities that escape the human eye alone.

Tooling and Automation

We leverage a full suite of automated tools as a foundational step in the audit process. Our Watsons employ industry-standard static analysis tools like Slither, linters, and symbolic execution tools such as Mythril to automatically detect common vulnerability patterns and ensure code quality. Furthermore, fuzzing is a key technique used by our auditors to discover edge cases and unexpected state changes, particularly in contracts with complex mathematical logic or state machines. We do not mandate a specific tool, allowing our experts to use the best fuzzer for the task, such as Echidna or Foundry Fuzz. Our auditors conduct thorough private audits, using a combination of advanced security tools and techniques as they see fit to ensure a comprehensive assessment. The primary focus of our audits remains on detailed manual code reviews, enabling deep identification of potential issues that automated tools might miss. However, to complement this manual scrutiny, our auditors also leverage automated tools and static analysis techniques where necessary, facilitating efficient scanning for known vulnerabilities and enhancing overall coverage in Solidity code analysis, particularly for complex financial protocols.

Identifying Non-Code Risks: Governance and Economic Attacks

Our auditors are adept at identifying complex scenarios like governance and economic attacks. Top auditors, including the vCISO, possess an attacker’s mindset, enabling them to find vulnerabilities that are not apparent in the code itself but emerge from the protocol’s economic design and its interactions with the wider DeFi ecosystem. Our auditors have deep governance experience, creating and voting on proposals, and will stay vigilant against the many forms of governance and economic attacks possible in a DAO-based lending protocol.

2b) Audit Workflow & Deliverables:

Sherlock’s audit process combines the rigor of traditional audits with the collaborative power of selected top SRs, ensuring thorough vulnerability detection. Below is an outline of our workflow from scoping to final report, followed by details on report format, publicity of results, and turnaround times.

Audit Workflow

  • Scoping: Our dedicated scoping team assesses the project’s complexity, dependencies, and requirements. We assign one of our dedicated Compound SRs along with any additional resources required, based on their relevant expertise and experience.
  • Audit Initiation: Upon setup of a dashboard for the specific scope, the audit will begin. A Sherlock GitHub repository, cloned from the scoped codebase, is established, and all participants are invited.
  • Audit Execution: During the audit, SRs communicate with relevant Compound team members in the dedicated communication channels regarding potential issues and leads. Findings are documented as issues in the GitHub repository for transparency and collaborative commentary.
  • Real-Time Fix Review: For critical findings requiring immediate attention, the Compound team can submit fixes during the audit. In coordination with the operations manager, our SRs actively review these to ensure timely resolution.
  • Fix Period: The Compound team addresses issues, linking fix pull requests (PRs) via their dashboard task. They may also dispute findings or mark them as “won’t fix at this time.” Fixes are merged into a single commit; if they fully resolve issues without introducing new vulnerabilities and the final commit hash is secure, SRs sign off. If not, additional changes are requested, and the process iterates until approval.
  • Final Report Generation: Upon sign-off, the report is generated and refined based on the audit outcomes.

Report Format and Deliverables

Our audit reports are comprehensive, structured documents delivered in both PDF format as well as published on our dashboard. They include an executive summary, detailed findings, and appendices. Findings are categorized by severity levels:

  • High Severity: Direct loss of funds (>1% of principal/yield or >$10) without significant external conditions.
  • Medium Severity: Conditional loss of funds (>0.01% of principal/yield or >$10), core functionality breakage, or funds locked for over a week.
  • Low Severity: Minor issues with limited impact, such as gas optimizations or informational notes.

Each finding includes a description, vulnerability details, impact assessment, root cause analysis, code snippets, tools used, and a proof-of-concept (PoC) where applicable. We provide detailed fix guidance with recommended code changes or configurations to mitigate risks effectively. Results are made public on our GitHub repositories (e.g., sherlock-audit) to promote transparency and community learning, unless the client requests confidentiality. See a few example reports below:

Turnaround Time Ranges

Turnaround times vary by audit scope but are designed for agility - we can initiate audits within 24 to 48 hours and handle up to 5 parallel audits. Examples based on historical needs:

  • Small Scope (e.g., Asset-Level Audit): 2–3 days.
  • Medium Scope (e.g., Market-Level or Oracle Integration Audit): 3–5 days.
  • Large Scope (e.g., Chain Deployment or Functionality Update Audit): 5–7 days. Fix review periods typically span 1–3 days, depending on the number of issues.

2c) Quality Assurance and Track Record:

Sherlock maintains an unwavering commitment to excellence in blockchain security, backed by a history of delivering high-impact results. To date, we have completed over 350 audits, achieving a 94% success rate in identifying vulnerabilities rated Medium or higher.

Beyond identification, we prioritize collaborative remediation. For every audit, our team works hand-in-hand with clients to clearly define vulnerabilities, provide detailed fix recommendations, and offer guidance on implementation. This end-to-end support fosters not just immediate security enhancements but also long-term resilience.

In the rare event a client encounters a vulnerability, even when the hack is outside the scope of our audit, we proactively engage with the team to provide our response services. We collaborate closely to mitigate threats and minimize potential impact, demonstrating our role as a long-term security partner.

Section 3: Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure:

Sherlock’s approach to handling discovered vulnerabilities is tailored to the context of the code being audited, ensuring the highest level of security and discretion. Our process is bifurcated to handle pre-launch code and live code with distinct, appropriate methodologies.

Case 1: Auditing Pre-Launch Code

When auditing code that is not yet live - such as new mechanics, asset integrations, or oracle upgrades - our process is comprehensive and transparent with your team. We conduct a full audit and present a detailed report that includes all identified vulnerabilities, regardless of severity (Critical, High, Medium, etc.). Our goal is to provide a complete picture of the code’s security posture. We then work collaboratively with your developers, providing important information about the issues and helping to mediate and resolve each one before deployment.

Case 2: Auditing Live Code with Funds at Risk

For code that is already live and securing user funds, our protocol shifts to one of maximum urgency and confidentiality. Upon discovery of a critical vulnerability, we immediately prioritize the issue and work in close coordination with the Compound team to address the threat. All communication and remediation efforts are conducted privately to prevent any information from leaking and creating an exploit opportunity. The decision and timeline for any public disclosure rest entirely with the Compound team, and would only occur after a fix is securely in place.

Collaborative Remediation and Secure Communication

In both scenarios, our partnership extends beyond simple disclosure. We work closely with your development team throughout the remediation process. This includes helping to design an effective patch and, where needed, providing a fix for the identified problem. A mandatory step in our process is the fix review, where we meticulously verify that the implemented solution fully resolves the vulnerability without introducing any new issues.

To ensure seamless and confidential collaboration, we are flexible and will utilize any secure communication channel that the Compound team prefers.

3b) Incident Response Support:

In the event of a live exploit, Sherlock provides immediate and expert assistance focused on rapid containment, analysis, and recovery. Our incident response support is structured around three core pillars:

  • Technical Investigation: Our first action is to launch a deep technical investigation to perform a rapid and thorough root cause analysis. We work to understand the precise attack vector, the full scope of the financial damage, and the exact nature of the vulnerability that was exploited. This forensic analysis is critical to informing all subsequent mitigation and recovery efforts.
  • Coordination: We believe in a unified response. Our team, led by the vCISO, will immediately coordinate with the Compound team and any other top auditors or whitehats involved. We will establish a dedicated “war room” to serve as a central hub for communication and strategy. This ensures all parties have a shared understanding of the damage and can work together effectively on a unified mitigation plan.
  • Recovery: Our top priority during any incident is to recover any possible funds lost and to mitigate the damage to the protocol and its users as much as possible. All our investigation and coordination efforts are directed toward this ultimate goal, working tirelessly to contain the exploit and restore the protocol to a secure state.

3c) Continuous Monitoring & Threat Detection:

Partnering with Guardrail, Compound will receive a white-glove, tailored monitoring setup with collaborative education and preparedness reviews. Monitoring crucially answers: which system components are healthy, in all scenarios, at all times. Paired with code security, continuous monitoring ensures proactive incident readiness and a security flywheel from monitor → detect → mitigate → test.

Guardrail is a consolidated, intelligent, essential platform for continuous security with several components:

  • Chain Support: Guardrail supports 45+ EVM networks and 3 non-EVM networks with finely tuned data & token models for highly accurate data (lower false positives) compared against alternative monitoring platforms.
  • Security Engine:
    • Guardrail leverages DeFi composability by offering pre-researched security blueprints for governance, events, oracles, and upgrades, paired with a per-contract trained AI behavior model detecting anomalies and a researcher-assisted custom-invariant monitor. Guardrail’s platform delivers bottom-up, top-down, and comprehensive risk coverage for exploits, economic risks, and custom invariants.
    • Liquidation behavior analysis, COMP governance changes, cToken & interest rate changes, critical upgrade monitoring and cross-chain risks are all supported with Guardrail’s existing & customized blueprint engine.
    • Guardrail’s monitoring engine is built natively for multi-chain detection support, multi-language detector support and executable across different phases of development.
  • Customization
    • Security is not one-size-fits-all and needs continuous updating to be effective. Our proposal includes, at no additional cost, white-glove monitoring management with proactive tuning, education & reviews from Guardrail’s head of research.
    • Guardrail includes unlimited user access, is mobile friendly, and offers easy exports & stakeholder reviews.
  • Anomaly Detection
    • Guardrail’s Anomaly Detection is 100% developed in-house, performant (<1s) and detects risks with at least 50% reduction in noise from other similar monitoring platforms with no additional attack coverage loss.
    • This performance has been achieved due to highly accurate state-of-the-art data accuracy, focused signal curation, and per-customer per-contract built-in training.
    • Anomaly Detection is live across our customer base with successful hack detection for non-Guardrail customer protocols and high signal-to-noise continuous monitoring.
  • Alert Workflows
    • Each monitor is paired with a defined runbook, with alerting to Compound Foundation and key security delegates via preferred communication channel (all popular platforms supported). Guardrail, Sherlock’s vCISO and core stakeholders are included on PagerDuty OnCall rotation with 24x7x365 coverage.
    • Core flows supported with Dashboards, Reporting, and intelligent automation for contextual investigation information given by Guardrail’s bot and assistance throughout security workflows.

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model:

The pricing proposal has been submitted privately to the Compound Foundation as requested. We agree to the continuous streamed payment setup.

4b) Milestones and Performance Metrics:

  • Audit Lead Time: Audit engagements start within 24 to 48 hours of the scope being submitted.
  • Fix Review Lead Time: Fix Review starts within 1 day of scope being submitted.
  • Audit Scalability: Ability to provide up to 5 parallel audits.
  • Governance Proposal Reviews completed within 24 business hours of request.
  • Zero High or Critical severity bugs in production.
  • Governance Participation:
    • Monthly and Quarterly updates submitted to the DAO for review and accountability
    • vCISO is active in the DAO forum and provides recommendations based on his security expertise.
    • 1 Sherlock representative to participate in governance calls and provide community updates

4c) Conflict of Interest Declaration:

Sherlock confirms that the company currently works with other clients in the same or adjacent domains as Compound, including some who may be considered protocol forks or direct competitors. While this is a typical feature of the blockchain ecosystem given its permissionless nature and open-source foundations, we have no known conflicts at present and will promptly notify the Compound team should any arise. Sherlock maintains robust confidentiality safeguards, professional integrity, and ethical standards to handle each engagement responsibly.

4d) Transition and Offboarding Plan:

Sherlock has a strong relationship with OpenZeppelin and will work with them to ensure a smooth transition. In terms of offboarding, we will preserve all documentation and knowledge in a consolidated database, ensuring it remains accessible to the DAO. Furthermore, we will oversee the handover of all relevant information in the 30-day interval leading up to the conclusion of the 60-day termination timeframe. We’ll also provide 30 days of complimentary transition assistance.

Section 5: Service Level Expectations (SLA)

5a) Incident Response:

  • 24x7x365 coverage with experienced incident responders (250+ critical incidents handled, nation state & financial crime experienced)
  • <1s real-time detection with Guardrail + 15-min triage for Critical & High-severity detectors, coordinating with vCISO, Compound’s foundation in PagerDuty & live call war-room.
  • Remediation guidance provided within 4 hours following notification and investigation.
  • Automated response orchestration - coordinated runbooks for webhook driven emergency actions (pausing, communication, upgrades).
  • Real-time and Analytical data support for triage and investigation throughout incident lifecycle (including in-house onchain data enrichment tooling).
  • Support across monitoring and triage available with team members in North America, Europe, and Asia to achieve 24-hour, Monday through Sunday coverage.

5b) vCISO Support:

vCISO will provide on-demand advisory support within 4 hours of inquiry from the Compound team. In addition, the vCISO will commit to monthly check-ins with the Compound team as well as regular attendance on Compound Developer calls. vCISO will be available for real-time consultation during critical deployments. Primary contact will be the vCISO, and secondary contact will be the Project Manager.

5c) Governance Proposal Reviews:

Turnaround Time

Standard Review: 48 hours from proposal request

Urgent Proposals: 24 hours review for urgent or important proposals

Emergency Availability: 24/7 availability for emergency governance response in case of time-sensitive decisions

Delivery and Format

Findings Delivery: A report will be compiled outlining potential risks and Sherlock’s recommendations in a clear and concise way.

Communication: A summary of the report will be shared publicly with the DAO through the governance forum as well as on governance calls.

5d) Code Audits

  • New audit scope acknowledgement: 1 hour
  • Audit scheduling lead time: Sherlock commits to starting an audit within 24 to 48 hours from the moment the scope is received.
  • Team composition: Each audit will have a minimum of 2 Security Researchers (SR) reviewing the code, with the size increasing to 4 for bigger scopes that require various skill sets.
  • Fix Review: After the developers have fixed the vulnerabilities identified during the audit, Sherlock commits to starting the fix review period within 24 hours of receiving the scope (PRs with the fixes).
  • Fix review periods typically span 1–3 days, depending on the number of issues.
  • Final Delivery: Once the Security Researchers have signed off on all the fixes, Sherlock issues an audit report within 24 hours.
  • Post Audit Support: Sherlock & Guardrail commit to support the development team with the deployment of the audited code, given a 24-hour notice period.
  • Post-Deployment Support: Guardrail commits to live contract validation against audit findings and new Guard set-ups for the deployed code within 24 hours of deployment.

Final Considerations

Sherlock and Guardrail’s joint proposal focuses on comprehensive security coverage that is fast and scalable, allowing Compound to unlock a new level of future growth and competitiveness. Compound will be a top priority for our respective teams, and we’ll deeply integrate with your core team, the Compound Foundation, Woof, Gauntlet, and other stakeholders. We’ll foster active communication and a feedback loop for comprehensive risk coverage across lending, governance, and economic security.

We propose a unique compensation structure under our pricing model, which has been submitted privately to the Compound Foundation. Our model, which will be published publicly, provides for flexible, ongoing support, and significantly reduces financial risk for Compound. This ensures accountability and incentive alignment in advancing Compound’s development.


RFP: Compound DAO Security Service Provider - Hexens, zeroShadow, and Runtime Verification

Contact Information

Hexens, zeroShadow and Runtime Verification

Represented by Vahe Karapetyan, CTO and Co-Founder of Hexens.

Email: v.k@hexens.io

Telegram: kemmio

General Overview

Hexens (founded 2022) is a Web3 security firm that delivers manual-first, adversarial smart-contract reviews backed by advanced tooling. We have completed more than 250 audits across DeFi, bridges, and governance systems, securing code that safeguards more than $120b in on-chain value for clients, including EigenLayer, Lido, 1inch, LayerZero, PancakeSwap, and others. Our audit process always includes two independent senior-led teams to reduce blind spots. Notably, none of the code audited by Hexens has ever been hacked.

Consortium Delivery: Hexens (smart contract + fuzz + Glider analytics + vCISO), Runtime Verification (formal methods / Kontrol CI), zeroShadow (24/7 incident response + monitoring).

The auditors at Hexens are known globally, notably with our Head of Audits Kasper and Lead Auditor Soon sitting at the top of the leaderboards of the biggest bug bounty platforms. Besides that, we have achieved in Web3 competitions:

  • Paradigm CTF 2022, 2nd Place
  • Paradigm CTF 2023, 6th Place
  • ETH Escape Bangkok 2024, 1st Place

Besides competing in CTFs, our deep-rooted passion for competitive hacking led us to launch RCTF (ctf.r.xyz) - a Web3-focused CTF that quickly became the largest in the space by many metrics. Designed around real-world exploitation scenarios, it attracted top talent across the globe and set a new standard for security challenges in Web3. We are making it an annual event.

We specialize in complex DeFi logic, including AMMs, concentrated liquidity, lending markets, tokenomics, oracle integrations, and cross-chain bridges. Reviews are manual-first, with exploit modelling, gas efficiency reviews, and bytecode-level analysis when needed.

Runtime Verification is a pioneer in applying formal methods to blockchain security. Since entering the space in 2017, we’ve worked with leading protocols to audit smart contracts, cross-chain bridges, and core infrastructure across ecosystems like Ethereum, Solana, Polkadot, Cosmos, and beyond. Our team brings deep expertise in formal verification, with tools and techniques tailored for Solidity, Rust, and Go, and more. We build mathematical specifications and executable proofs to rigorously validate protocol behaviour, uncover edge cases, and ensure system safety. From DeFi to L1 consensus, our mission is to raise the standard of security across web3.

RV is our partner for the Formal Verification part of the proposal.

zeroShadow is the global leader in Web3 Security and Incident Response Services. As part of our mission to ensure the security and resilience of Web3 businesses and protocols, we are proud to introduce our Virtual Security Operations Center (vSOC). Given the unique challenges and inherent risks associated with decentralized ecosystems, we will be providing comprehensive 24/7/365 incident response capabilities across all critical areas.

zeroShadow is our partner for the Incident Response/monitoring part of the proposal.

Existing Relationship with Compound:

This would be our first official engagement with Compound, however, some team members have engaged in bug bounty research on the codebase, and our team is already familiar with Compound’s codebase. As one of the larger protocols in decentralized finance, we frequently engage with clients that integrate with or have forked the Compound codebase, and as such, we have had the pleasure of diving deep into Compound. We have a scheduled 30-day onboarding plan (repo sync, config review, market parameter map, risk model alignment, testnet harness, governance review playbook) to properly start reviewing the scopes.

Relevant Security Partnerships or Clients:

We have performed audits for various clients with governance, as well as lending protocols and protocols with cross-chain functionality.

Some notable examples include:

Besides these audits, some team members have also reported issues to bug bounty programs of protocols that fit into these categories:

  • Lending: Aave, Exactly, Arcade.xyz, BendDAO
  • Governance: Sovryn, Eco, Nexus Mutual, Livepeer, Q Blockchain
  • Cross-chain: Polygon

Section 1: Scope of Security Work

1a) Scope of Services Overview:

Code Review:
The greater part of our work consists of rigorous code review audits of both completely new protocols and iterative upgrades to existing protocols. In addition to code review, we also perform reviews of live deployments (on-chain), deployment scripts, and governance proposals.

We also have a team for Web and off-chain systems for both black-box and white-box testing.

List of offensive security certifications that our team holds:

  • OSCE3
  • OSCP
  • OSMR
  • OSWE
  • OSED
  • OSEP

Fuzzing:
Besides code review, a separate team of fuzzing engineers (at least 2) will be working on creating fuzzing harnesses and running dynamic analysis of the code. The auditing team and fuzzing team work closely together to generate invariants and test cases for better coverage and to avoid a disconnect between teams.

FV:
Our formal verification methodology begins with a structured design review, producing executable specifications and behavioural invariants that reflect the protocol’s intent. This process enables us to prove security-critical properties under all possible execution paths.
Runtime Verification has applied this approach in audits for high-assurance systems such as Ethereum 2.0, Optimism, and Lido. We are frequently brought in to verify the correctness of core protocol logic, particularly where trust assumptions, user funds, or consensus integrity are at stake.

1b) Multi-Chain Support & Upgrade Expertise:
The majority of partners we work with have multi-chain support (a notable list of clients can be found at the webpage https://hexens.io/); some of the vulnerabilities found during our audits originated from the protocol’s multi-chain aspects.
Moreover, as mentioned above, the security team also reviews the deployment and migration scripts, which will be done for all the supported chains.
All of the proposed services and tooling cover a wide range of EVM chains and are compatible with all of the well-known EVM L1/L2s.

We have experience with all networks listed. Besides the obvious similarities to the Ethereum mainnet, a few of those have more specific traits that need to be taken into account during an audit. For each audit, we review the code in the context of the chain it will be deployed on. As such, researching the specific chain will become part of the engagement.

We have also done audits for Boba Network and Celo (both forks using the Optimism stack) and are very familiar with Ethereum chain internals.

Hexens will leverage the full in-house potential to cover wider vCISO tasks (main point of contact being Kasper Zwijsen):

  • Security Architecture & Infrastructure Review; including comprehensive threat modelling of both on-chain and off-chain components

  • Oversee OpSec of the core team and, if needed, major delegators

  • Threat Intelligence; always keep up with the latest threat intelligence and assess the risks

  • Be in constant contact with the Incident Response and Monitoring team

  • Integrate and improve SSDLC - Secure Software Development Lifecycle, with automating security processing during development and implementing SSDLC best practices

  • External Bug bounty submission triaging.

1c) Resource Allocation and Availability:
For the code review part, we include 4 security engineers FTE on the main dedicated team. By our methodology (see the methodology section on https://hexens.io/services) there is always a second team reviewing the codebase; this way we achieve better coverage and less exposure to human-factor risks, and it gives us the ability to assign a dedicated team in cases when the leads from the main team are absent for any reason. Additionally, 2 FTE FV engineers and incident response team engineers will be assigned to Compound.

1d) Additional Services or Tools

  • Fuzzing framework with invariants and tests, all of the scripts/tools and test/invariant cases generated by the fuzzing team will be accessible to the Compound team as well, these can be open sourced if your team is willing to do that.
  • Formal Verification
    • Runtime Verification offers Kontrol, our open-source formal verification engine purpose-built for Ethereum smart contracts. Kontrol integrates directly with Foundry and allows protocol invariants to be written as Solidity-style proofs that look and feel like standard tests—making them easy to review, maintain, and extend by developers inside or outside RV.
    • Once key invariants are established during the initial audit, they can be reused and automatically re-run on each DAO proposal that modifies smart contracts. Kontrol proofs can be run in CI using our dedicated compute infrastructure, requiring minimal engineering effort from the DAO to gain high assurance that governance changes preserve critical properties.
    • This turns formal verification into a living security layer, reinforcing DAO upgrade safety over time without bottlenecking developer velocity.
  • 1day protection (via Glider) – our proprietary, scalable smart contract analysis tool that allows anyone to describe code logic and find matches on all verifiable contracts deployed on EVM chains. Our team of engineers is constantly following smart contract hacks and attack vectors and will be reporting whenever a new attack is possible on Compound’s deployed contracts. Glider (https://hexens.io/solutions/glider) has a track record of saving 200mil+ of assets on live contracts.
  • Any custom tooling developed during security engagements. During our engagements, we can implement new tooling to help automate the security review and, in the long run, improve the partners’ SSDLC processes. An example of such cases that went open source: GitHub - Hexens/piller: Static analysis framework for Polynomial Identity Language (PIL) used in zkEVM for defining state machines
  • Remedy Bug Bounty: our community bug bounty platform, where you can place and control your BB program transparently, all the program changes are registered and visible to hunters, as well as Remedy has unique features such as zk-proof-of-duplicate, which can be used to prove that a certain submission is duplicate without revealing full information about it (Remedy Engram | Main).

Section 2: Technical Methodology and Audit Process

2a) Audit Methodology:
Our primary tool is rigorous manual review and diligent collaboration to share notes and insights within the team. We also make use of various static (Glider) and dynamic (Echidna, Forge, etc.) analysis tools during the audit.
We have a unique methodology doing a two-team cross-checking, which eventually puts two teams on one scope, that’s on average eight people doing the audit, at least four of them are senior/lead security engineers, the rest are mid/associate staff.

2b) Audit Workflow & Deliverables:
As an example, a DEX protocol of 1800 SLoC is looking for an audit and sends a form on the website.

  • We schedule an initial call with the customer, then take up to 48 hours to provide them with the quote.
  • For DEXs, average calendar availability is 2-3 weeks, and ~1800 SLoC is usually a 2-week-long review. Our auditing cycles are weekly-based, so the start date is always on Monday.
  • We run an onboarding call one or two days after the audit start date (if necessary).
  • We share all high/critical findings on the fly in a convenient communication channel (PGP, Slack, Telegram, Email, GDrive)
  • We schedule a weekly sync-up chat where we present our findings and discuss ideas with the engineering team.
  • After 2 weeks (on Monday or Tuesday), we share the initial report with the customer, hopping on a call if necessary.
  • After receiving remediations, we review them within one week, but on average in 2-3 days, and then share the final report.
  • We schedule a final meeting with the customer when our auditing leads are sharing their impressions, ideas, and when we ask our customers for feedback.

We consider the final security review report to be our customers’ intellectual property and don’t publish it without their consent.

2c) Quality Assurance and Track Record:
We do our best to avoid this kind of situation during our engagements, for example by involving two teams cross-checking the scope. So far, we have not heard of any such case.

We have had situations where clients had incidents on different scopes (like Web2 attacks, which were outside of the engagement scope), we always actively engage in the incident response process and help them free of charge. No incidents recorded with codebase audited by Hexens.

Processes that help minimize the occurrence of missed bugs are implemented at various stages of our operations, starting with a meticulous hiring process and having bigger teams engaged in the audit process (the industry average is 1-2 dedicated engineers, while our teams are composed of 4 engineers), and we involve a two-team cross-checking mechanism to reduce the risks even more.

We also use all of the efficient tools and mechanisms during audit, not only doing a thorough manual review but also using static and dynamic analysis tools, sometimes developing custom tools if there are none that can be used.

During our engagements, we can implement new tooling to help automate the security review and, in the long run, improve the partners’ SSDLC processes. We can open source them if the Compound team wants to.

We provide feedback and are in touch via:

  • Dedicated AM and a technical person to ease the communication.
  • Live updates on high/critical findings in the setup channels such as Slack, Telegram, Microsoft Teams or email.
  • A spreadsheet (or guest access to our Jira) for sharing the issue database.
  • Weekly sync ups - Google Meet or alternative.
  • Executive Summaries are included in each report.
  • High internal standards of issue descriptions.

Section 3: Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure:
During our auditing process, criticals are reported on the fly to the core team. The next steps depend on whether the code is deployed and whether any immediate value is at risk.

If the code has not yet been deployed, we continue our regular auditing process after providing the bug description, PoC code, and suggested fix. If the code is deployed with assets at risk, we immediately report the issue and create a war room with all the parties that need to be informed - the core team and the incident response team. Additionally, if needed and approved by the team, we include broader IR measures such as involving SEAL911 members. We help with writing any scripts or whitehat rescue transactions and help execute them in a secure manner, if there is any need.

All bug reporting is done strictly following the Responsible Disclosure protocol. We never disclose any information about the bug until the vulnerability is fixed and, ideally, a certain amount of time has passed after the incident. Moreover, we always coordinate this kind of publication with the protocol team. We suggest that our customers use PGP-encrypted email for sensitive information disclosures.

In cases when the vulnerability found affects multiple protocols/contracts, we start a coordinated vulnerability disclosure process to ensure that all of the affected parties have implemented the fixes and are safe to go before the broader public knows about the vulnerability. For avoidance of doubt, NO public disclosure is made without explicit consent.

Our typical timelines for reporting vulnerabilities and/or kickstarting the process of remediation are:
Hack <15m; critical and high severity triage <1h; patch guidance <4h

3b) Incident Response Support:
Hexens has helped various protocols by both reporting live vulnerabilities or by coordinating recovery and investigation after an incident. Our founders are members of SEAL, which allows us to both use resources available through SEAL, as well as provide our team as a resource for projects coming to SEAL.

Some examples include:

  • Nouns DAO, Soft DAO: Using our cutting-edge tool, Glider, we identified a live vulnerability in both the Nouns DAO and Soft DAO governance contracts and reported this responsibly.
  • Render: Through reference from Polygon, we assisted in the recovery after a hack had occurred.
  • Thirdweb incident - Hexens team leveraged Glider to describe the attack vector and find all of the deployed vulnerable contracts for certain chains.
  • Successfully returned 4M hacked funds.

Zeroshadow Service Overview
zeroShadow’s vSOC is designed to provide real-time responsive security measures to address alerts and requests with speed and efficacy. With this service, Web3 businesses and protocols gain access to a suite of critical incident management services, supported by a team of globally recognized experts.

Types of Incident Included:

1. On-Chain Exploits

  • Alerts from Hypernative or other systems that have detected abnormal, suspicious, or malicious activity that needs immediate action, review, and potential escalation.
  • Monitoring for abnormal patterns in transaction activity.

2. Counterparty Verification and Transaction Deep Screening

  • Comprehensive screening of counterparties involved in transactions to ensure legitimacy and compliance.
  • Deeper analysis for sanctions violations, funding sources, illicit activities, stolen funds, AML risk, and mixer exposure.

3. Off-Chain Alerts

  • Compromised domains, impersonations, phishing attacks, or user account compromises.

4. Operational Alerts

  • Exploited or compromised devices or systems.

3c) Continuous Monitoring & Threat Detection:

Hexens offers the 1-day exploit protection service of its smart contract scanning tool, Glider:
1-Day Exploit Protection

Glider will activate a 1-day protection program for Compound. In the event a novel exploit or 0-day vulnerability is identified in the wild, Hexens will promptly develop a detection query and scan all indexed contracts — including Compound contracts — within 24 hours. If a vulnerability match is found, Compound will be alerted immediately through secure channels, enabling them to patch, pause, and mitigate the issue before it can be exploited. This mechanism minimizes attacker lead time and can prevent multi-million dollar losses across the ecosystem.

Additionally, zeroShadow will work with Compound to look at the specifics of their setup, environments and goals, and will help them choose the best solution for their needs rather than assuming variables without in-depth discussions. Our method is to understand the details and nuances of the requirements before choosing the technical tool(s) for the job.

Our specialty is the implementation, customization and optimization of those services, which is often the most critical part of getting to a truly actionable state for prevention and rapid resolution. It is of utmost importance to have exceptionally high clarity on the alerts if there are to be any automated actions; general off-the-shelf alerts will catch everything, but produce too many signals to clearly differentiate which ones need to be actioned immediately and escalated right away. Additionally, as we handle other incidents and discover different attack vectors from around the industry with other clients, we will continually update/develop new alerts and variants to cover these new exploit paths.

We work with all of the major alert and monitoring tech vendors. They are fantastic and have different strengths and weaknesses. Included in our process is a security system diagnostic evaluation that also allows us to recommend ‘off-chain’ tools and systems that should also be included in your security stack depending on Compound’s details (SIEM, EDR, MDM, policy frameworks, etc.).

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model:
Pricing has been submitted privately as per the request made by Compound Foundation.

4b) Milestones and Performance Metrics:
The metrics/KPIs suggested:

  • Smart contract security review (audit) delivered within 1 week for each 1000 SLoC (source lines of code).
  • One week for remediation fixes and final audit report for 3-week-long audits, and a 2-week remediation period for audits longer than 4 weeks.
  • Deliver proposal assessment (target <48h; 24h emergency)
  • Responsiveness - critical issues triaged within 1h after finding/being informed about the bug.
  • Critical issues triaged within 1 hour.
  • No critical bugs reported on the audited codebase externally (outside of the main engagements), throughout the engagement year.
  • Participate in 100% of governance calls with the security segment
  • Guaranteed slot provision for audit within a 2-week period after notice for more than 1-week-long scopes and guaranteed review of scopes with less than 300 SLoC within 10 days.
  • Incident-Response Acknowledgement by vCISO: < 15 minutes for Critical, < 30 minutes for High alerts (24/7 SLA).
  • Governance Proposal Security Review Coverage by vCISO: ≥ 95% of on-chain proposals assessed before voting starts; report posted to forum.
  • Security Awareness Sessions held by vCISO: ≥ 2 live workshops or tabletop exercises per year.

Hexens is open to discuss other KPIs/metrics.

4c) Conflict of Interest Declaration:
Hexens provides security and auditing services to a broad range of DeFi protocols. Some of those engagements involve lending/borrowing platforms that operate in the same market niche as Compound; none are identical code-base forks of the latest Compound protocol, but functional overlap is possible and future engagements may include such forks.

To manage any real or perceived conflicts of interest, we apply a mature confidentiality and conflict-management framework:

1. Strict NDAs & Engagement Letters – Every client signs a bilateral NDA and a project-specific engagement letter that clearly defines permitted information flows and ownership of findings.

2. Access-Controlled Workspaces – Source code, test suites, and deliverables reside in segmented, access-controlled environments with per-project encryption keys and audit logs.

3. Ethics & Compliance Training – All personnel complete annual training covering client confidentiality, trade-secret protection, and responsible disclosure.

4. Strict NDAs with the team – Every employee and contractor working with us has signed a strict NDA.

Current Status: Hexens treats client confidentiality and professional ethics as non-negotiable pillars of our practice, enabling us to serve multiple industry leaders without compromising trust.

4d) Transition and Offboarding Plan:
Hexens commits to export all open findings, fuzzing and testing tooling and tests, FV invariants, and any custom tooling within 10 business days of termination. We acknowledge DAO’s 60-day notice right and are open to helping with the onboarding of a new service provider. This includes passing all the tests, fuzzing, or any other harnesses or tools we have developed.

Section 5: Service Level Expectations (SLA)

5a) Incident Response:
Our vSOC operates with the following SLAs to ensure prompt and effective response:

  • Acknowledgment: Less than 15 minutes
  • Incident Guidance: Less than 3 hours
  • Incident Resolution: No guaranteed timeframe due to variable factors such as data availability and third-party dependencies.

The process for incidents can be initiated through several different paths that we implement (automated through system alerts on the tech stack, through the alert / monitoring system chosen that is customized, through Slack or Telegram channels, or other). All of those alerts then are fed into our PagerDuty system and handled accordingly. We have over 24 people who have different skill sets to help manage the incident response depending on the attack vector. These responders/investigators are spread across all three major time regions (Americas, EMEA, APAC).

When there are critical incidents, we use all means of comms to update your team or escalate as needed (i.e. system needing to be paused, access revoked for compromised user, etc.).

In handling the case/investigation, our team also handles these cases 24/7 to make sure all movements are tracked and updated in real-time to have the optimal chance for freezing/recovery.

We use our industry-wide relationships to trace, block and freeze any assets that we can, and we use all industry tools for tracing as well as our own demixing scripts and tech where applicable.

Further, we have extensive connections with both law enforcement and legal counsel around the world, so no matter where in the world the incident takes place we will be able to provide the best support possible for asset seizure.

5b) vCISO Support:

Hexens vCISO will be available for on-demand advisory support within one business day and will do weekly check-ins.
Kasper Zwijsen is the primary contact, and Vahe Karapetyan is the fallback contact.

5c) Governance Proposal Reviews:
Our reviews of governance proposals will take no more than the mentioned time (48 hours) but are often much quicker. As a security provider, we have 24/7 operations, and we can triage any urgent requests within hours, while keeping a direct line of communication between the team and the responsible security researchers. After immediate disclosure of any critical findings, the findings will be simultaneously communicated to any major delegator that we are in contact with, the core team and the broader public via comp.xyz.

As history has shown us, malicious governance proposals can be a dangerous vector of attack if diligent reviews of proposals are not performed. Any proposal should be reviewed and approved by multiple security experts before major stakeholders can vote, as proposals can sometimes hide their true intention. Our security reviews are always done from a holistic perspective, which gives us the power to catch critical issues in the bigger picture and catch malicious proposals before any damage is done.

5d) Code Audits:

In the case of an annual engagement, Hexens guarantees slot provision within 2 weeks after the receipt of notice for scopes longer than 1 week, and a fast-track band for scopes with fewer than 300 SLoC, which are reviewed within 10 calendar days. While the audit time estimations depend on the exact scope, a general rule of thumb is 1 week required for 1000 SLoC of review on average. In terms of team allocation, it is always within the methodology described in previous sections.
Hexens’ report can be delivered in different formats, such as a Markdown file, a PDF report or any other preferred format.
The report itself includes an executive summary, a table of contents, and a detailed description of each issue, including the suggested remediation approach, severity, and any PoC if applicable.

An example of our latest reports can be seen in our GitHub repository: Smart-Contract-Review-Public-Reports/ufarm-may-25(Final).pdf at main · Hexens/Smart-Contract-Review-Public-Reports · GitHub

Final Considerations

Hexens is a team of hardcore security researchers who are obsessed with breaking code. We are not checklist auditors who report 100 informational issues for a larger page count; instead we focus on vulnerabilities with true impact. We take our work very seriously, and we do not compromise quality for quantity by scaling unnecessarily. Quality above all.

Hexens still keeps an ideal track record of no hacks on audited scopes.

Our team consists of highly skilled individuals, each with a track record of audits, CTFs, and bug bounties. This experience and unique vision bring greatness to our audits. For example, our team has multiple members who are ranked at the top of the bug bounty leaderboard with millions of dollars in bounties.

The list of our public reports can be found in the GitHub repository: GitHub - Hexens/Smart-Contract-Review-Public-Reports: List of the public smart contract audit reports and security reviews performed by Hexens.

A list of some notable findings can be found in the [Highlights] section of the webpage: https://hexens.io/audit-reports

Some of the technical content that we generate can be found on our blog: https://hexens.io/blog

Our approach to the security review is a holistic and rigorous manual review, combined with funnelling that knowledge into static and dynamic (fuzzer) analysis tooling.

With its best-in-class security reviews, combined with the leading Formal Verification provider, Runtime Verification, and the renowned Incident Response/Monitoring team, zeroShadow, Hexens will provide the Compound team, its users, and its governance members with the best 360-degree security coverage in the face of constantly emerging cyber threats and sophisticated APTs:

  • Smart contract security
  • Web/Off-chain penetration testing, code review
  • Governance proposals
  • vCISO, Incident Response and monitoring

Company Name: QuillAudits

POC: Sarika (Telegram @volantxs), Head of Partnerships


Team Background

At QuillAudits, we go beyond code analysis. We partner with you to protect your protocol, reputation, and users. We’ve audited 1400+ projects across 25+ blockchains, securing $3B+ in TVL with zero critical post-audit exploits. Trusted by industry leaders like Optimism, BrahmaFi, Starkware, Huddle01, Magpie, Unichain, BabyDoge, Soneium, Alliance, Gameloft, Plume, Taiko, Metis and many more.

We’ve been early innovators in Web3, developing distributed NFT standards on EOS as early as 2017, well before NFTs went mainstream, and later evolving into QuillAudits in 2019 to cover smart contract security across major blockchain ecosystems.

Our core team brings together 25+ years of combined Web3 security experience, having conducted over 100 audits across 10+ blockchain ecosystems, including EVM, Move, and Rust-based chains. Collectively, they have uncovered 650+ critical vulnerabilities and helped secure $3B+ in on-chain TVL. The team’s expertise spans threat modeling, formal verification, fuzzing, static and dynamic analysis. They’ve been active contributors on platforms like Code4rena, Sherlock, and Codehawks, and also play an educational role, conducting internal and external workshops for developers and founders. Their combined offensive and protocol-level knowledge ensures security is built into every layer of a project’s architecture.

Existing Relationship with Compound

While we have not directly audited the Compound protocol, our team holds deep technical familiarity with Compound V2 and V3 architectures through extensive independent research and real-world audits of multiple Compound forks, including Blastway, Fringe Finance, NetWave Finance and more. These audits involved analyzing and validating modifications to key components such as the Comptroller, cToken contracts, liquidation logic, oracle mechanisms, and interest rate models. This background allows us to anticipate critical edge cases, such as re-entrancy in liquidation paths, oracle-driven manipulation, and collateral accounting inaccuracies—areas where Compound’s architecture demands rigorous scrutiny.

Beyond direct code-level expertise, we’ve published a detailed technical framework on lending and borrowing protocol audits, outlining core vulnerability patterns and advanced mitigation strategies (report). With this combination of protocol-specific insight and practical audit experience, we’re well-prepared to deliver a security review aligned with the sophistication and scale of the Compound ecosystem.

Relevant Security Partnerships or Clients

  • Reactive Bridge: Lending pool for miners enabling pTokens with interest, borrowing, and liquidation, similar to Compound.
  • Noma Protocol: AMM + lending without liquidations using Uniswap V3-style liquidity layering, intrinsic value-based loans, staking, and rebasing.
  • ZynkProtocol: Lending to whitelisted partners using unique order IDs, validator-signed repayments, ideal for DAO credit systems.
  • Cybro: AI-powered multichain yield aggregator that reallocates funds and manages vaults across chains.
  • Beam Protocol: Modular DeFi infrastructure using ZetaChain for cross-chain messaging, supporting governance, bridging, and tokenomics.
  • FlyTrade: Secure token deployment including staking, reward distribution, and DeFi-integrated tokenomics.
  • Supra Hypernova: Upgradeable multi-contract token bridge with vaults, admin control, role-restricted messaging, and gas relays.
  • Carbon Bridge (Demex): Proxy upgradeable bridge compatible with Axelar, supporting secure multi-chain operations.
  • Metis VestingVault: Upgradable Merkle-based vesting system using ERC1155 tokens, timelocks, and OpenZeppelin permission controls.
  • Prime Numbers: Cross-chain reward distribution and vesting using LayerZero to sync mainnet and sidechains for PRFI tokens.
  • Torque: Standard lending pool protocol audited for smart contract security.
  • KYEX: Cross-chain DeFi protocol reviewed for interoperability and smart contract security.

Section 1: Scope of Security Work

1a) Scope of Services Overview

QuillAudits will cover complete smart contract security evaluations across new deployments, protocol upgrades, governance proposal reviews, and monitoring.

  • Manual Line-by-Line Review – Focused on business logic, economic flows, state transitions, and privilege access.
  • Functional Testing – Includes path, edge case, and multi-asset interaction testing for supply, borrow, repay, and liquidation functions.
  • Static & Dynamic Analysis – Conducted via proprietary tooling (QuillShield), and Echidna for fuzzing, invariants, and edge-case surface coverage.
  • Governance Proposal Validation – Simulation of calldata execution, ABI correctness, timelock/cancellation logic, and fork-based path analysis.
  • Cross-chain Security – Bridge contract risk modeling, LayerZero-like messaging verification, and chain-specific behavior testing.
  • vCISO – Ongoing security advisory support covering compliance readiness, risk governance, and stakeholder communications.
  • Review of Known CVEs & Security Anti-Patterns – Identification and mitigation of vulnerabilities seen in past DeFi exploits and architectural design flaws.
  • Evaluation of Protocol-Level Architecture – Covers risk surface modeling, privilege separation, upgrade safety, and integration dependencies.
  • Real-Time Monitoring & Incident Response – We offer 24/7 threat detection, on-chain anomaly alerts, and rapid response coordination for live exploits or vulnerabilities.

Note: FailSafe and Chainalysis support us in real-time monitoring and incident response as trusted partners; these are not our in-house services.


1b) Multi-Chain Support & Upgrade Expertise

QuillAudits has audited protocols (or similar ones) on all currently supported networks where Compound V3 is deployed: Ethereum, Arbitrum, Optimism, Base, Polygon, Mantle, Scroll, Linea, Ronin, and Unichain.

We are regularly engaged on L2 ecosystems through retainer programs and partnerships. Our internal team actively monitors EIPs, OP Stack, zkStack, and Starknet upgrades. For new L2s, we onboard ecosystem-specific specialists within 72 hours as needed. For protocol upgrades, we perform full diffs, state layout audits, storage collision checks, proxy upgrades, and new market validations.

vCISO Engagement
Our dedicated vCISO leads comprehensive oversight of all protocol upgrades, performing thorough security reviews and operational deployment validations to minimize risks. They coordinate emergency incident response with defined SLAs, ensuring critical issues are addressed within 1-3 hours. The vCISO maintains a detailed contract inventory and upgrade registry, enabling full traceability, continuity, and efficient rollback capabilities, reducing downtime and enhancing governance transparency. Regular security posture reports and risk assessments are delivered monthly to keep stakeholders fully informed.


1c) Resource Allocation and Availability

  • 3–4 full-time senior security engineers + 1 vCISO dedicated to Compound. Additional support auditors are allocated dynamically as needed.
  • All reviews are tracked using internal audit logs and secure platform-based contract registries to avoid knowledge loss.
  • We operate on a 5-day work week with flexible hours to sync with DAO needs. We commit to <24hr turnaround for priority issues or upgrade reviews during governance execution periods.
  • We use rotating review structures and fallback auditors in case of staff absence to ensure no delivery delays.

1d) Additional Services or Tools

  • QuillShield AI – Our proprietary audit assistant used for:

    • Storage layout collision detection
    • Function selector overlap
    • Access control violations
    • Gas profiling & unreachable code mapping
  • Post-Audit Security Extensions

    • Real-time monitoring dashboards for upgrade traces, proposal execution, and market deployment.
    • Economic security audits to enhance capital efficiency and prevent major economic downturns.
    • Brand Monitoring that keeps your brand and community safe from phishing, impersonation, fake domains, and other malicious activity by detecting, blocking, and taking down threats in minutes.
  • Training & Enablement – We conduct bi-weekly syncs with protocol teams, quarterly security workshops for community stewards, and DAO security war games for contributors.

  • Pentest – We conduct black-box and grey-box penetration tests on both frontend and backend systems. Targets include DApp frontends, APIs, RPC endpoints, and cloud infrastructure. We also assess admin panels and private dashboards for vulnerabilities. Our approach follows OWASP standards, focusing on real-world threats.


Section 2: Technical Methodology & Audit Process

2a) Audit Methodology

At QuillAudits, we adopt a multi-layered audit approach grounded in real-world risk modeling, not just code linting. Our security reviews combine manual line-by-line code analysis with advanced tooling such as:

  • Static analyzers (Slither, MythX, etc.)
  • Fuzzers (Echidna, Foundry’s built-in tools)
  • Symbolic execution (Manticore, custom test harnesses)
  • Invariant testing frameworks using Foundry & Hardhat

Each audit begins with threat modeling where we identify assets at risk, map attack surfaces, and enumerate known vectors like oracle manipulation, liquidation races, over-collateralization, governance privilege escalations, and more. We give special emphasis to non-code risks such as:

  • Governance misalignments
  • Oracle dependencies and manipulation
  • Collateral volatility assumptions
  • Token economics that can enable griefing

We apply 100% function and branch coverage targets using automated test suites and invariant tests. All findings are peer-reviewed by a separate internal “Vigilant Squad” for unbiased revalidation.


2b) Audit Workflow & Deliverables

Our workflow follows a clear structure:

  1. Scoping: Define contracts, commit hashes, test coverage expectations, and feature boundaries
  2. Manual Review: 2–3 senior auditors analyze logic, edge cases, permissions, integrations
  3. Testing & Tooling: Static scans, fuzzing, invariants, gas analysis
  4. Vigilant Squad: Independent re-audit by another team, PoC replication
  5. Reporting: Deliver report with severity classification (Low to Critical), fix guidance, PoCs
  6. Revalidation: Verify fixes and close findings with updated risk status

Reports are shared with a pre-defined format:

  • Title & Severity (Low / Medium / High / Critical)
  • Issue Summary & Technical Root Cause
  • Exploit Scenario / PoC (if applicable)
  • Remediation Advice
  • Status (Open / Resolved / Partially Resolved)

Turnaround Time:

  • Small codebase (under 300 LOC): 3–7 days
  • Mid-size protocol (300–1000 LOC): 10–15 days
  • Full lending protocol or cross-chain deployment: 18–25 business days

We adjust timelines based on priority. In Compound’s case, we can align with a priority window to avoid delays in proposal execution.


2c) Quality Assurance and Track Record

With over 1,400 audits completed and $3B+ in value secured, our audits have prevented incidents across:

Audit-Prevented Incidents:

  • In the Blastway fork (Compound-based), we identified a liquidation misconfiguration that could’ve led to protocol insolvency.

  • In Fringe Finance, our audit flagged an unchecked asset cap overflow that could’ve allowed unauthorized borrowing.

We regularly publish technical case studies, including:
Lending-Borrowing Audit Framework

Our “second-pass” QA layer (Vigilant Squad) ensures no blind spots. All findings are evaluated through adversarial testing, with revalidation before closure.


Section 3: Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure

At QuillAudits, we take vulnerability management seriously, especially for critical issues in large protocols like Compound. On average, we encounter 1–2 cases annually where a serious bug is missed by us or others; this reflects the evolving and unpredictable nature of attack vectors in Web3.

We have secured over 1,400 projects with no breaches attributable to audit oversight. In one isolated case, a project we audited experienced an exploit due to a mismatch between the audited source code and the unverified mainnet bytecode, introduced post-audit by an internal actor. This event has shaped our enhanced approach to post-deployment verification and audit-to-deployment integrity checks, ensuring tighter security accountability going forward.

When a critical vulnerability is discovered during or after the audit:

  • Immediate notification is sent to the protocol team via secure communication (PGP/email/Signal/Telegram)
  • A rapid response team is activated within 2 hours to assess risk and impact
  • We collaborate with your core team to develop a patch or mitigation plan within 24–72 hours, depending on complexity
  • Full root cause analysis is conducted internally
  • Learnings are shared across our audit teams and integrated into our frameworks

We follow a responsible disclosure policy that balances protocol safety with user protection. Vulnerabilities are first reported privately to the core team, with coordinated remediation efforts. Public disclosure is deferred until a fix is deployed. However, if a threat is actively being exploited or poses imminent risk to users, we reserve the right to issue a public alert to prevent harm.

Our prioritization is guided by an internal scoring system inspired by CVSS: critical issues pause all ongoing work, while medium and low-severity issues are addressed in parallel without delays. We also offer remediation support, not just flagging issues, but helping with code-level patching, testing, and retesting post-fix.


3b) Incident Response Support

  • Technical Investigation

    • Deploy a forensic triage team (senior auditors + infra specialists) to replicate the exploit, identify entry points, and assess stolen asset vectors.
    • Utilize static + runtime analysis (e.g., traces, opcode diffs, memory snapshots).
  • External Support via Chainalysis

    • Coordinate with Chainalysis Reactor and Chainalysis KYT
    • Track attacker wallets.
    • Flag mixers, exchanges, or bridges used in laundering.
    • Notify affected services to freeze assets.
  • Onchain Defense with FailSafe

    • Trigger automatic or manual failsafe actions: pausing contracts, reverting proposals, blocking malicious actors.
    • If multisig-integrated, we act as escalation leads for fast multisig action.
  • Stakeholder Coordination

    • Work with Compound Labs, whitehat communities, multisig signers, and core devs.
    • Execute rapid upgrades or governance delay patches if applicable.
  • Recovery

    • Assist in safe restart processes (resyncing state, clearing queues).
    • Provide audit validation for recovered or upgraded contracts.

3c) Continuous Monitoring & Threat Detection (FailSafe)

We offer a real-time monitoring and response system designed for high-stakes DeFi and DAO protocols via our trusted partner, FailSafe.

  • Live Monitoring

    • Tracks governance proposal execution, protocol-level interactions, and sensitive admin calls
    • Detects behaviors like whale voting, flash loan manipulations, price oracle tampering, and LayerZero relay spoofing
  • Automated Incident Response

    • Can pause contracts, block attacker actions, or unwind risky positions on-chain
    • Only triggers on high-confidence signals, avoiding false positives
  • DAO-Ready Infra

    • Integrates with Compound’s governance timeline
    • Works with Gnosis Safe multisigs via the FailSafe Co-Signer, which enforces device/IP checks for multisig ops
    • Can nominate a dedicated security lead from our team to Compound’s security council or escalation committee
  • Metrics

    • 99.9% SLA-backed monitoring uptime
    • Detection latency: ~2–5s post-transaction inclusion
    • All current clients are live in production (stablecoin issuers, CEXes, lending protocols)
  • Delivery:

    • Transparent dashboards with Slack/Telegram/webhook alerts
    • Supports Forta + OSINT integrations for wider signal coverage
    • Incident response includes root cause analysis + community postmortems (if required)

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model

We will submit our detailed pricing proposal privately to the Compound Foundation via the designated secure channel as requested. Our 12-month security partnership budget covers a comprehensive retainer model that includes smart contract audits, protocol upgrades, governance reviews, vCISO advisory, real-time monitoring, and incident response support.


4b) Milestones and Performance Metrics

We provide quarterly reporting to clients and DAOs we serve, which include KPIs, incident summaries (if any), and a security recommendations roadmap.

Metrics and targets:

  • Audit Delivery Time: All standard audits delivered within 2–3 weeks of code freeze
  • Responsiveness SLA: Critical issues triaged and responded to within 8 hours
  • Severity Accuracy: <10% reclassification requests per audit
  • Community Updates: Monthly security update delivered in a timely manner
  • Governance Participation: Join all major security-focused governance calls
  • On-Chain Incident Reports: Delivered within 24–48 hours of issue detection
  • Report Quality: All reports internally reviewed and passed through a 3-layer QA process including manual review, automation checks, and an independent final reviewer

4c) Conflict of Interest Declaration

We do not have any active engagements with direct Compound forks or competing decentralized lending protocols that would conflict with this engagement. In the past, we have worked with DeFi protocols, but no ongoing contracts represent a conflict at the time of submission.

We have strict internal safeguards including:

  • Team-level client firewalls
  • Mandatory NDAs
  • Zero reuse of confidential materials or findings across clients
  • Audit visibility restricted to designated technical teams

4d) Transition and Offboarding Plan

If our services are not renewed, we follow a well-defined transition process to ensure continuity:

  • A final handoff package will be delivered containing all audit artifacts, recommendations, roadmap, and monitoring handover documentation.
  • We will coordinate knowledge transfer sessions (technical and operational) with the incoming vendor or DAO core team within 2–4 weeks.
  • Access to any tools, dashboards, and code repositories will be revoked securely with a proper checklist, and all DAO data retained or archived as per DAO instruction.
  • Our systems will ensure log integrity, data retention, and final report backups remain accessible to the DAO.

Section 5: Service Level Expectations (SLA)

5a) Incident Response

  • We aim to acknowledge and begin triage of critical protocol incidents within 30–45 minutes of detection or notification.
  • 24/7 monitoring availability is offered through the FailSafe system, which includes:
    • Real-time anomaly detection
    • Automated alerting (via Slack, Telegram, or email)
  • Escalation Process
    • Initial triage by the on-call engineer
    • Escalation to senior security researchers within 30 mins
    • Coordination with Chainalysis and response partners for on-chain forensics, if needed
  • Mitigation & Communication
    • We provide a mitigation recommendation within 1–3 hours
    • Incident report within 12 hours
    • Post-mortem summary within 48 hours

5b) vCISO Support

  • On-demand support is provided with a response time of 24 hours (max) for general queries and design advice.
  • Bi-weekly security reviews with DAO contributors
  • Monthly threat landscape updates tailored for Compound’s protocol vertical
  • Quarterly roadmap alignment calls on security priorities

With 8+ years in blockchain, this expert has audited 35+ protocols across Solidity, Rust, Go, and Cadence. They’ve worked on core technologies like EVM, Substrate, Cosmos SDK, IBC, Optimistic & zk rollups, CosmWasm, and bridges. Notable contributions include a deep Filecoin state machine audit, security review of ssz-rs (used in ETH2), and a CosmWasm-based Grandpa light client. They’ve co-developed the ink! eDSL with Substrate core contributors, advancing smart contract tooling. Their strengths span Bitcoin, binary encoding, Cosmos/IBC modules, and L2/L3 security, making them a highly versatile and battle-tested blockchain security specialist.


5c) Governance Proposal Reviews

  • All proposal reviews will be completed within 48 hours of request submission.
  • Critical/last-minute reviews are prioritized with same-day response based on DAO signal.
  • Delivery Format:
    • Formatted risk assessments
    • Summary shared in Discord or forum thread
    • Attending governance calls to explain risks

5d) Code Audits

  • We require a 1–2 week lead time to slot an audit, depending on team availability.

  • Turnaround time:

    • Small codebase (<1,000 LOC): 1–1.5 weeks
    • Mid-sized (1,000–5,000 LOC): 2–3 weeks
    • Complex systems (>5,000 LOC or cross-chain logic): 3–5 weeks
  • Reporting Standards:

    • Full audit report includes severity classification, PoC (if applicable), fix guidance, and affected modules
    • Up to 10% of revision validation is included post-remediation
    • Final public report shared via GitHub or IPFS with DAO sign-off

Final considerations

At QuillAudits, we operate with a strong bias for execution and transparency. Beyond core audit and advisory services, we bring advanced tooling and real-time security capabilities through strategic partners, enabling continuous security support directly integrated into DAO operations.

Specialized Capabilities

  • Lending Protocol Expertise: We’ve secured major DeFi primitives including lending, governance, vaults, and stablecoin mechanisms. This includes projects with Compound-like architecture.

  • Governance-Aware Tooling: Our partners’ tooling (FailSafe) supports automated logic tailored to DAO governance flows, allowing interventions like pause, block, or unwind (not just alerts).

  • Economic & Runtime Security: We complement static audits with real-time, on-chain incident response options, leveraging Chainalysis where available for tracing and attribution.

Runtime Security (FailSafe)

  • On-chain programmable reactions beyond monitoring (pause, block, unwind).
  • DAO-Governance timeline syncing, proposal execution tracking, and multisig-aware monitoring.
  • Trusted by stablecoin issuers, centralized exchanges, and financial institutions (under NDA).
  • Elite Team:
    • CTO Dr. Ari Medvinsky (Ex-Google, Microsoft, PhD Cryptography, DARPA scholar)
    • CEO Aneirin Flynn (Ex-Singapore Navy SpecOps & Intelligence)
    • President Foo Wui Ngiap (Former Grab CISO)

Supporting Assets


Halborn RFP for Compound DAO SSP

Contact info:

Robert John Boyle
robert.boyle@halborn.com
TG: @rjbhalborn


General Overview

Background:

Halborn is an elite blockchain security firm founded in 2019. The firm provides end-to-end security services to top financial institutions and Web3 ecosystem leaders, including Grayscale, UBS, SBI Digital Holdings, Chainlink, and Solana. We have performed upwards of 2500 assessments for over 600 clients with more than 8000 findings, including 5 zero days. Our Co-Founder, Steve Walbroehl, is a world-renowned ethical hacker and technical educator, who authored the 5 Day SANS Course SEC554: Blockchain and Smart Contract Security.

Existing Relationship with Compound:

Halborn has not yet engaged Compound directly, but can quickly ramp up due to our history securing DAOs and DeFi lending protocols, experience with on-chain governance systems and cross-protocol integrations, and proficiency auditing Solidity, Rust and MOVE contracts.

Relevant Security Partnerships or Clients:

Section 1: Scope of Security Work

Scope of Services Overview:

Preventive Security Services

  • Smart Contract Assessments
  • DeFi Protocol Assessments
  • Blockchain Assessments
  • Advanced Penetration Testing
  • Technical Due Diligence
  • Custody Assessments

Consulting Expertise

  • Design, Advisory and Review
  • Risk Assessments
  • Fractional CISO
  • Training and Live Exercises
  • Technical Expert Attestation

Incident Response (IR) is out of scope. We will, however, recommend a named partner.

Multi-Chain Support & Upgrade Expertise:

Halborn brings deep expertise in securing cross-chain deployments and L2 ecosystems, with audit experience spanning Ethereum mainnet, Base, Arbitrum, Optimism, Polygon, and more. Some of the more complex cross-chain deployments we’ve helped secure and conducted in-depth reviews for are deBridge, THORCHAIN, CCTP, Moonwell, and DAMfinance—assessing cross-chain messaging, governance flows, delayed minting mechanisms, and multi-network access controls. Our familiarity with Compound forks and real-world incidents (e.g., Onyx and Sonne exploits) enables us to proactively identify vulnerabilities in upgrades, market deployments, and protocol governance across diverse networks.

To stay ahead of emerging L2s, Halborn actively monitors new rollups and integrates specialists as needed for chain-specific architecture. Our Security Advisor as a Service offering is similar to a vCISO. This full-spectrum approach ensures Compound V3’s integrations are resilient, scalable, and compliant across a growing network landscape.

Resource Allocation and Availability:

Compound will have 4 dedicated FTEs assigned: a Technical Project Manager, a Senior on-chain security lead, a smart contract auditor with Solidity and DeFi expertise, and a Senior Penetration Tester. Halborn can scale the team up and down as needed with a reasonable turnaround time, depending on the severity of the incident.

Additional Services or Tools:

Proprietary Tools:

  • Security Solutions Center (SSC): AI-empowered, real time platform to manage Compound’s security needs
    • Learn more about the Halborn team members working on engagements
    • Real time visibility into the scope and findings during the engagement
    • Review, collaborate on and publish reports in real time

  • Blockchain Vulnerability Scoring System (BVSS): Halborn’s scoring system
    • Tailored to provide organizations with an accurate representation of security vulnerabilities in smart contracts
    • Evaluates vulnerabilities based on their potential exploitability and the impact of a successful exploit
    • Inspired by industry-standard CVSS and introduces several metrics that capture the risks specific to Web3

Section 2: Technical Methodology and Audit Process

Audit Methodology:

  • Manual line-by-line review
  • Property-based fuzzing
  • Static analysis and symbolic execution via Slither/Foundry
  • Differential & invariant testing against integration test-suites
  • Malicious contract creation for delegate attacks
  • Initialization exploits
  • Arithmetic based handling and vulnerabilities
  • Liquidation, interest rates, bond curves, borrow and lend rates, and other finance-based use cases handled inside smart contracts
  • Custom scripts for testing interactions in composability (e.g. Furucombo DeFi blocks)
  • Economic attack modelling (e.g. oracle manipulation, liquidation races)
  • Governance path verification

Audit Workflow & Deliverables:

  1. Scoping
  • Time and complexity estimation
  • Initial code review
  • Resource assignment
  • Scheduling & Research
  2. Kickoff
  • Test Plan creation
  • Code walkthrough
  • Security Solutions Center (SSC) access
  • Logistics & Project Management
  3. Testing & Assessment
  • See “Audit Methodology”
  4. Remediation
  • Risk scoring (BVSS)
  • Test validation
  • Findings review
  • Retesting
  5. Final Report
  • Summary report
  • Marketing (if requested)
  • Follow-up actions
  • CSAT survey

Quality Assurance and Track Record:

  • Halborn reviewed leading digital assets custody service providers on the market for Grayscale. With focus on the technology powering the respective services, custody operations, data stored and processed, and people involved in custody operations, Halborn assessed the provided documentation, interviewed vendor staff, and conducted on-site reviews of the data centers used by the vendors. Halborn identified and reported the risks present in all technical solutions, along with the results of threat modeling exercises performed on the vendor’s solutions. The output of this engagement was used by Grayscale when making the determination of the vendor to partner with.
  • UBS and SBI Digital Holdings trusted Halborn to help advise and secure the launch of “Project Guardian”, which tokenized bonds as digital assets on EVM. The EVM contracts in scope implemented a protocol for tokenizing and issuing bonds on Ethereum in compliance with Swiss law. Halborn identified several high-severity vulnerabilities which, when exploited, would lead to securities fraud, privileged access compromise, and incorrect valuation of bond collateral. All findings were communicated to the UBS/SBI team in real time. Halborn proposed a remediation plan and evaluated its implementation to ensure all reported issues were addressed before the contracts were successfully deployed to the blockchain.
  • Halborn has conducted reviews across multiple layers of the Solana ecosystem, including comprehensive assessments of the Layer 1 protocol and SPL programs, as well as evaluations of numerous DApps. Our team assessed the resilience of protocol upgrades, validated core security mechanisms, and identified critical improvements—such as those found in the SPL Token 2022 standard—to help strengthen the overall ecosystem. Through continuous code reviews and iterative assessments, we have ensured that each release adheres to the highest security standards, contributing to long-term trust across the Solana network.

Section 3: Risk Management and Incident Response

Vulnerability Triage & Disclosure:

When we uncover a serious bug or exploit possibility, we notify relevant parties through our SOC 2-secured, authentication-hardened SSC platform. We halt all other work until a patch is designed, merged and reviewed.

Incident Response Support:

Halborn does not offer incident response or monitoring directly. Instead we integrate a named partner for real-time on-chain detection and provide senior engineers for post-incident root-cause analysis within 12 hours.

Continuous Monitoring & Threat Detection:

See “Incident Response Support” answer

Section 4: Commercial Terms and Commitment

Budget Request and Pricing Model:

Pricing proposal submitted privately

Milestones and Performance Metrics:

Metric                                                   Target
Standard audit turnaround                                ≤ 15 business days
Critical issue TTR                                       ≤ 72 hours
Governance proposal review                               ≤ 48 hours
Quarterly security update                                4/4 delivered
Zero unmitigated high-severity post-deployment exploits  100%

Conflict of Interest Declaration:

Halborn works with many DeFi protocols but avoids simultaneous retainers for direct competitors. No conflicts are anticipated; any future overlap will be disclosed immediately.

Transition and Offboarding Plan:

To ensure continuity if not renewed, all audit artifacts, threat models and SSC dashboard data would be exported to the DAO with 30-day notice. Also, a knowledge-transfer workshop would be held. We acknowledge the DAO’s right to terminate with 60-day notice.

Section 5: Service Level Expectations (SLA)

Incident Response:

Halborn does not offer incident response or monitoring directly. Instead we integrate a named partner for real-time on-chain detection and provide senior engineers for post-incident root-cause analysis within 12 hours.

vCISO Support:

Halborn offers Security Advisor as a Service for long-term engagements, as well as separate advisory services for blockchain systems and process consulting expertise.

Governance Proposal Reviews:

Findings will be delivered within 48 hours of a proposal request.

Code Audits:

Lead time required for scheduling audit engagements is within 2-4 weeks of a code-freeze. See “Audit Workflow and Deliverables” for report timing and information.

Final Considerations

  • 4 of the 10 largest banks in the world are engaged with Halborn to design secure DLT solutions
  • We are experts in 15 languages across Web2 and Web3
  • We’ve uncovered and ethically disclosed 5 zero days, one involving MetaMask
  • We are the creators of and contributors to security standards in Web3: BVSS, ISO/TC 307, C4 and BSSC

Proposal - Octane & Groom Lake Security Partnership for Compound DAO (Part 1/3)

Contact Information:
Michael Mullaney
michael@octane.security
TG: mmullaney

Executive Summary

Groom Lake and Octane will provide Compound with the most cost-effective and comprehensive joint security solution to date, combining Octane’s unparalleled AI-enhanced smart contract security with Groom Lake’s real-world incident response capabilities. Octane has protected over $5.8 billion in on-chain value through predeployment security and Groom Lake currently safeguards over $116 billion in value across blue-chip protocols and maintains an established talent pipeline in collaboration with the United States Department of Defense. Together, we offer Compound a vertically integrated security stack, covering code, governance, and infrastructure designed for resilience at scale.

General Overview

Company/Team Name and Background:

About Groom Lake

Founded in 2023, Groom Lake is the premier private military corporation for crypto, focused on cybersecurity and intelligence capabilities to protect crypto protocols, DAOs, and venture capital groups. The firm specializes in web2 security fundamentals, intelligence operations, virtual CISO support and incident response. Groom Lake was created to address the unique threats facing decentralized systems with a combination of ex-military precision, intelligence tradecraft, and elite cybersecurity capabilities.

With over $116 billion in digital assets protected across our client base, Groom Lake is widely trusted for high-risk, high-stakes engagements. Our core team brings together over 50 years of combined experience in military intelligence, cyber defense, and advanced threat operations. Key team members have backgrounds in special operations, counterintelligence, blockchain forensics, and enterprise-level security leadership.

About Octane

Octane is an AI-powered smart contract security company that builds products to autonomously detect critical vulnerabilities in codebases and provides manual security audits augmented with AI tools. The Octane product continuously reviews every pull request for vulnerabilities, using machine learning models that learn the codebase’s patterns and developer preferences to uncover critical bugs that traditional audits might miss. When an issue is detected, Octane can even auto-generate a suggested code fix – providing developers with immediate remediation guidance. All of this is backed by 24/7 on-call security experts, ensuring that every alert is validated, reviewed and addressed by a human professional.

Teams use Octane for continuous, preventative security and thorough coverage with additional manual review. Our product helps teams catch exploits early, prioritize vulnerability remediation, cover large vulnerability surface areas quickly and ultimately establish greater trust in on-chain products. Octane is already trusted and used by industry leaders including Circle, Uniswap, Avalanche, among others. In the few short months since launch, our platform has protected over $5.8B in total value by identifying and helping fix vulnerabilities before they hit production.

The Octane Team: Our strength comes from the synergy of AI and an elite security research team. Octane’s researchers are crypto-security natives with backgrounds at major audit firms and top DeFi projects. Collectively, our core security has captured over $1M in bug bounty and contest payouts. We’ve discovered and responsibly disclosed critical flaws across dozens of protocols. By combining their expertise with Octane’s automated analysis, we bring a modern security force to Compound.

Existing Relationship with Compound (if any):

Octane has not previously worked with the Compound team; however, we are already investing in a deep understanding of Compound’s protocol. We have been proactively studying Compound’s V2 and V3 architecture through public documentation, technical papers, and prior audit reports. Upon engagement, we will accelerate our onboarding with a “Compound onboarding sprint” for our security team and product – reviewing Compound’s codebase in detail and ingesting Compound’s documentation and past security reports into our AI models. This means Octane’s engine will be context-aware from day one, tuned to recognize patterns specific to Compound (e.g. V3 supply‑ and borrow‑cap enforcement, liquidation flow, market exchange‑rates, etc.).

We plan to get up to speed quickly on Compound’s code and risk profile. Octane’s team will effectively feel like an extension of Compound’s own team, leveraging cutting edge products built in-house and years of security expertise.

Groom Lake has deep familiarity with DAO governance frameworks, cross-chain security risks, and lending protocol threat surfaces through work with similar ecosystems. Should this proposal be accepted, we will begin with a dedicated onboarding phase focused on:

  • Auditing, hardening, and monitoring environments that play a key role in day-to-day operations (AWS, GCP, G Suite, Cloudflare, etc.)

  • Participating in community calls and governance discussions regarding current and future security plans as they pertain to the relevant verticals being addressed.

  • Securely designing and implementing operational security procedures to decrease the likelihood of a compromise within the organization

  • Aligning our vCISO to Compound’s operational cadence

  • Applying intelligence capabilities to the core team and new hires, to protect against targeted attacks as Compound grows in notoriety

Close collaboration enables us to gain full operational context with the shortest possible runway; given cooperation and access, we expect majority integration within 30 days of partnership.

Relevant Security Partnerships or Clients:

While we operate under strict NDAs, our portfolio includes multiple protocols and foundations with governance, treasury, and DeFi primitives similar to Compound. We serve other major ecosystems in crypto as a vCISO and security architecture lead for multiple projects, conducting quarterly physical and network security deployments globally.

Groom Lake provides tailored protection and advisory support to leading DAOs and protocols across the crypto ecosystem, becoming their dedicated security and intelligence apparatus. Groom Lake will bring in additional capabilities from Drosera - an automated response solution aimed at monitoring key state changes important to Compound. So even in the event of a hack, there is a response in place to contain and mitigate further impact. We’ve chosen Drosera based on their key capabilities that are aligned with the ethos of crypto, detailed throughout the proposal.

This creates a complete on-chain and off-chain security stack for DAOs and protocols, particularly those with high complexity such as:

  • Multichain lending protocols

  • DAO governance security concerns

  • Infrastructure security solutions

  • VCs and asset managers with active protocol exposure

Notable Tooling and Capabilities Used with Clients:

  • Reaper: Real-time data exposure monitoring
  • Drosera: Trustless and decentralized on-chain monitoring / automated response solution
  • BaitBuster: Proactive phishing site detection and takedown
  • Ponder: DAO sentiment and community health analytics
  • Chainalysis-integrated Forensics: Wallet tracking and incident attribution
  • Custom VPN Infrastructure and SOC-as-a-Service
  • Robust SEG (Secure Email Gateway): A robust solution to block phishing attacks within Mail-Flow

We will provide relevant redacted case studies or example reports under NDA if requested in private communication.

Scope of Security Work

Groom Lake provides holistic cybersecurity and intelligence capabilities tailored to the needs of DAOs and DeFi protocols, serving as both a point-in-time testing apparatus AND a retained unit of operatives providing fundamental security and intelligence measures. For Compound, we will provide:

  • Governance Proposal Security Reviews

  • Incident Response & Crisis Coordination (24/7)

  • Post-Mortem & Forensics Investigations

  • Operational Security (OpSec) & Internal Risk Reviews

  • vCISO Support & Strategy

  • Phishing Site Takedowns and Threat Actor Attribution

  • Tooling & Monitoring of Front-End, Discord, Social, Cloud & DevOps Infrastructure

  • Automated Liquidation and Collateralization Safety Nets

  • Counterparty monitoring

Notable Supported Systems:

  • Web apps (AWS, G Suite, GitHub, Discord, Twitter)

  • DAO and contributor infrastructure

  • Monitoring of off-chain systems like Notion, Google Workspace, or internal CRMs

Leveraging Octane’s AI-driven platform alongside our expert auditors, we will deliver robust protocol security. This encompasses continuous smart contract auditing, cross-chain risk mitigation, and on-call incident support. Our approach is to embed security into Compound’s entire development lifecycle – from design to deployment – ensuring that Compound’s protocol and users are safe. Below we outline the specific scope of services and how we will execute them.

1a. Scope of Services – Smart Contract Auditing and Security Reviews:

Octane will provide end-to-end security coverage for Compound’s smart contracts and related systems. Key services include:

  • Continuous Code Scanning & Automated Code Analysis: Every new code commit or pull request to Compound’s repositories will be automatically scanned by Octane’s AI engines within minutes. The manual security team on-staff for Compound and employed by Octane will manually review all findings surfaced and highlight the most critical issues. The security team will then work with the Compound engineers on remediations. This “shift-left” approach catches vulnerabilities before they are merged or deployed. Detected issues come with explanations, enabling developers to address problems early. This covers everything from core protocol contracts to nested dependencies.

  • Manual Smart Contract Audits: For all new code upgrades/deployments, the Octane Security Team will perform in-depth manual audits. We will focus on privileged and non-privileged threat vectors, economic exploits, compliance with Compound’s specifications, and common root causes of vulnerabilities. Our audits follow a rigorous process (detailed in Section 2) and result in a formal report with severity-ranked findings and remediation guidance. We will audit Compound’s Solidity code as well as any relevant off-chain code. Each audit will come with vulnerabilities that include a severity classification (defined by an impact and likelihood matrix) and a code fix recommendation.

  • Governance Proposal Reviews: Every Compound governance proposal will receive a prompt security review by Groom Lake and Octane. This includes verifying any on-chain actions or contract changes proposed, validating call data and parameters, and assessing risks introduced by the proposal. We will deliver a clear assessment to the community (e.g., via forum or report) before the voting period ends, so that governance decisions are well-informed from a security standpoint.

  • Cross-Chain and Multi-Protocol Support: Compound’s deployments across multiple chains will all be covered under Octane. Our product and security team support all EVM-compatible chains out-of-the-box. If Compound extends to new chains or interacts with other protocols, we will conduct threat modeling for those integrations.

  • Infrastructure & Tooling Security: Beyond smart contracts, we can audit supporting infrastructure on request. This might include off-chain trusted execution environments, frontend/web UI, and any new developer tools created for Compound. Our aim is to provide holistic security – covering the entire stack as needed so that users and governors have confidence not just in the Solidity code but in everything that interacts with the protocol.

  • Formal Reporting and Advisory: For each engagement (audit or review), we will produce a detailed report. This will enumerate findings categorized by severity (Critical, High, Medium, Low, Informational), with descriptions of impact and reproducibility steps. Uniquely, because Octane’s AI and platform supports code fixes, we often include the exact code changes to resolve an issue and validate them within the platform, which accelerates the remediation process. Additionally, we will provide in manual reports actionable recommendations beyond just fixes – for instance, improvements to testing, documentation, or operational processes that will strengthen Compound’s security long-term.

  • Ongoing Consultation and Support: Security is an ongoing effort. We will be available to Compound’s developers and community for any security-related questions. Whether it’s reviewing a new idea for a feature before it’s coded, advising on security implications of economic changes, or helping draft security communications, Octane will act as a partner and advisor to the core Compound team. This also includes collaborating on best practices (for example, multi-sig security, incident playbooks, bug bounty programs) to continually fortify Compound’s security posture.

1b) Multi-Chain Support & Upgrade Expertise:

Compound’s multi-chain strategy and upgrade cadence require a provider that can keep up with complexity. Octane is built to handle this:

  • Broad Chain Compatibility: Our platform currently supports Ethereum and all EVM-based chains (including Optimism, Arbitrum, Base, Polygon, BNB Chain, Avalanche C-Chain and subnets, etc.). We have experience working with projects on various L1s and L2s, and we remain up-to-date as new rollups or sidechains go live. If Compound deploys on a new chain, we will configure our tools for that environment immediately, though we expect the product to run out of the box.

  • Upgrade and Deployment Reviews: Octane will be actively involved whenever Compound prepares a protocol upgrade with specialized checks for upgrades and AI powered detection – for instance, verifying that new implementations don’t cause storage issues during proxy upgrades, upgrade scripts are correctly configured, and that no storage slot collisions or inheritance changes could break existing functionality. We can simulate upgrades on a forked network to confirm.

Groom Lake is experienced with protocols operating across Ethereum, Base, Solana, Arbitrum, Optimism, and Polygon. Our approach includes:

  • Cross-chain threat modeling & attack surface assessment

  • Monitoring Layer 2 & rollup threat vectors

  • Sentiment tracking on governance and token activity

We can leverage intelligence capabilities to stay current with emerging L2s across new deployments, conducting chain-specific intelligence briefs, and working with active builder communities.

Groom Lake and Octane will support Compound during protocol upgrades and deployments by:

  • Reviewing new integrations from an OpSec perspective

  • Assessing contributor roles, access rights, and private key handling

  • Monitoring attack surfaces across Compound’s tech stack

1c) Resource Allocation and Availability - Dedicated Team Accessible at All Times:

Groom Lake will assign the following operatives to protect Compound:

  • 3 Dedicated / Seasoned Security Experts

  • Drosera Risk Engineers: Develop and deploy programmable on-chain monitoring logic that observes smart contract activity, detects abnormal or malicious behavior, and triggers automated security responses.

  • Two of these resources are shared but prioritized during incidents or reviews, and one is a senior FTE (vCISO)

  • Our 24/7 incident response hotline ensures full coverage during absences

  • Internal continuity is maintained through:

    • Encrypted knowledge base on Compound-specific context

    • Rotational briefings and shadowing among the internal team

    • Redundant staff on monitoring duties

Octane will assign a focused team to Compound to ensure high-touch service and quick responses:

  • Core Security Team – 1 Full-Time LSR + 2 Full-Time SRs: One of our Lead Security Researchers will be dedicated full-time to Compound’s account along with two Security Researchers. These individuals will be solely focused on Compound’s codebase, configuration, and community. They will essentially operate as Compound’s in-house security engineers - auditing new code, reviewing Octane AI model findings, and communicating with Compound engineers. Over time, they will continue to build deep protocol-specific knowledge, ensuring continuity and context in all our security work.

1d) Additional Services or Tools:

  • Reaper: Data exposure and SIM swap risk detection

  • BaitBuster: Phishing site takedown and impersonation defense

  • Ponder: Governance sentiment tracker for Compound’s community

  • Custom VPN & SOC for DAO infrastructure security

  • Psychological Warfare Intelligence Reporting (optional)

These services enhance resilience, boost DAO culture awareness, and preempt threats before they escalate.

Additional Value-Add – Beyond Core Auditing: Community Engagement, Training, and Tools

  • Governance and Community Engagement: We don’t just secure Compound from the sidelines; we aim to actively participate in Compound’s governance process as security advisors. This means monitoring the Compound governance forums and Discord, and chiming in with insights when security-related topics arise. For instance, if a community member proposes a new feature that has security implications, we might provide an initial risk analysis or cautionary notes in the forum discussion. By being present in the community dialogue, we help bake in security considerations from the outset.

  • Developer Empowerment and Training: Octane’s approach inherently educates developers. Every time our tool flags an issue, it provides information on what the issue is and how to fix it. Over time, Compound’s developers will absorb these patterns, effectively leveling up their own security awareness. We view this as a flywheel: as the dev team writes more secure code, Octane finds fewer issues, allowing focus on more complex analysis. In addition to this on-the-job learning, we can offer focused training sessions or workshops. For example, quarterly security workshops for Compound contributors (and even community devs) covering common DeFi vulnerabilities, recent exploits in the ecosystem, and lessons learned from our work. We can leverage our internal knowledge base (which includes a classification of thousands of smart contract vulnerabilities and how to avoid them) to create tailored educational content for Compound.

  • Security Dashboards & Reporting Tools: We will provide Compound’s stakeholders with clear visibility into the protocol’s security status. This could include a private dashboard that tracks key metrics like number of scans run, issues detected (by severity), and so on. We can integrate this dashboard or periodic reports into Compound’s project management tools or share them via the Octane application. The goal is to give the Compound team a real-time pulse on security – for instance, a project lead can see at a glance if any critical issues are open or if the codebase’s risk level is trending down over time. Furthermore, we can set up automated alerts (through email or Slack) for critical findings or unusual events, ensuring visibility at all levels (developer up to executive).

  • Key Risk Management: While our primary focus is smart contracts, our security expertise extends to operational security as well. The Octane team will advise on secure management of Compound’s deployer keys, multisig wallets, and any operational procedures. Essentially, we’re offering to be security consultants on-call for anything the DAO or Compound Foundation might need, beyond just reviewing code.

Technical Methodology and Audit Process

2a) Audit Methodology:

Octane’s audit methodology uses automated precision and expert manual insight. We leverage our AI platform to perform exhaustive analysis quickly, then apply human expertise to interpret and dig deeper. This blended approach yields a higher coverage and consistency than either method alone. In practice, our audit process is iterative and continuous – more like an ongoing security pipeline than a one-off event – but for clarity we describe it in phases and components below.

2a. Audit Methodology – How We Analyze Code (AI + SRs):

  • Always-On Static & ML Analysis: Octane’s core engine performs static analysis on Solidity code, powered by both rule-based detectors (to catch known patterns like reentrancy, arithmetic overflow, etc.) and machine learning models (to identify anomalies in code logic or structure that deviate from safe patterns). We have trained our models on a dataset of tens of thousands of smart contract vulnerabilities across many projects. This means Octane can often detect subtle issues that have similar traits to past exploits, even if the code is different. The analysis is extremely fast – typically scanning the entire Compound codebase in a few minutes – and can run automatically on every pull request. This gives a first pass where no line of code goes unreviewed. Every result from the tool is documented with the reasoning.

  • Adaptive “Learning” of Compound’s Code: A standout feature of Octane’s methodology is that our AI adapts to the project’s codebase. Initially, we will configure Octane with Compound’s repository and existing tests, allowing it to learn the typical function flows and state changes in Compound. Over time as it finds issues (or confirms no issue in certain areas), the system updates to reduce false positives and focus on likely problem areas. Essentially, the more we work on Compound, the smarter and more fine-tuned the automated analysis becomes. This personalization drastically improves efficiency for long-term engagements: over time, Octane can catch more project-specific edge cases (like something unique to cToken accounting), which a generic scanner might miss.

  • Comprehensive Manual Review: Automation is powerful, but we complement it with deep manual auditing by experts. Our auditors follow a structured process: first, they build a high-level mental model of the Compound system. They then perform a line-by-line code review, informed by results from Octane’s scan. When Octane flags something, the auditor verifies if it’s a true issue, assesses its severity, and often explores if it can be escalated (e.g., a minor bug that could become critical in combination with some other condition). Conversely, our auditors don’t rely solely on the tool – they actively hunt for vulnerabilities based on standard code principles, their experience and Foundry tests.

  • CI Integration: Octane treats security analysis as an integral part of the development pipeline. We will integrate our tools into Compound’s CI/CD (Continuous Integration/Continuous Deployment) system. For example, when a developer opens a pull request on Compound’s GitHub, Octane’s analysis will run automatically and post results as comments or in the CI report. This makes security feedback immediate and accessible to all contributors.

Groom Lake takes a concierge approach to security, ensuring that relevant threats are triaged and addressed in close coordination with core teams. Groom Lake’s focus begins where most hacks occur: on the operational, infrastructure, and human layer.

Our methodology centers around:

  • Threat Modeling: Based on Key Terrain Cyber (KTC), the areas of highest risk and daily use within a protocol, we build tailored models to identify exploitable vectors.

  • Web2 and Human Attack Surface Reduction: Through phishing simulations, OpSec testing, and internal team counterintelligence, we address the attack surfaces that code audits miss.

  • Layered Monitoring: Unlike traditional audit snapshots, our proprietary Security Operations Center (SOC) enables continuous oversight across your tech stack.

  • Proactive Security Tooling: Utilizing Drosera to enable real-time detection and response to on-chain threats.

We leverage in-house tools such as:

  • Reaper: Data exposure & SIM swap detection

  • BaitBuster: Phishing domain takedown

  • Chainalysis-integrated wallet tracking

  • And a combination of handpicked open-source tools as needed.

We also assess non-code risks such as:

  • Whale or multisig manipulation in governance

  • Treasury and economic exploit vectors

  • MEV-sensitive activity

  • On-chain behavior of malicious actors (with intelligence-led attribution if required)

Our process reduces blind spots through:

  • Multi-disciplinary reviews (security + intelligence)

  • Ongoing adversarial simulations

  • Insider threat audits

  • Real-time learning across client environments to deploy emerging defenses

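The proxy-upgrade storage check described under 1b) (Upgrade and Deployment Reviews) can be made concrete with a small script. The block below is an added example, not Octane’s tooling or Compound’s code: it compares two solc storage layouts in the JSON shape that `forge inspect <Contract> storage-layout --json` prints, and reports variables that moved, changed type, or disappeared, while allowing only appended variables. Both layouts are constructed samples, not Compound’s real storage.

```python
"""Storage-layout compatibility check for a proxy upgrade.

Added example, not Octane's tooling or Compound's code. It compares two solc
storage layouts (the JSON that `forge inspect <Contract> storage-layout --json`
prints) and reports the defects that corrupt state behind a proxy: a variable
whose slot or offset moved, whose type changed, or that disappeared. New
variables are accepted only after the end of the old layout. The layouts
below are constructed samples, not Compound's real storage.
"""
from dataclasses import dataclass

OLD_LAYOUT = {  # constructed sample: the implementation currently behind the proxy
    "storage": [
        {"label": "admin", "slot": "0", "offset": 0, "type": "t_address"},
        {"label": "paused", "slot": "0", "offset": 20, "type": "t_bool"},
        {"label": "totalSupply", "slot": "1", "offset": 0, "type": "t_uint256"},
        {"label": "balances", "slot": "2", "offset": 0,
         "type": "t_mapping(t_address,t_uint256)"},
    ]
}

NEW_LAYOUT_OK = {  # constructed sample: v2 appends one variable at the end
    "storage": OLD_LAYOUT["storage"] + [
        {"label": "reserveFactor", "slot": "3", "offset": 0, "type": "t_uint256"},
    ]
}

NEW_LAYOUT_BAD = {  # constructed sample: v2 declares reserveFactor before totalSupply
    "storage": [
        {"label": "admin", "slot": "0", "offset": 0, "type": "t_address"},
        {"label": "paused", "slot": "0", "offset": 20, "type": "t_bool"},
        {"label": "reserveFactor", "slot": "1", "offset": 0, "type": "t_uint256"},
        {"label": "totalSupply", "slot": "2", "offset": 0, "type": "t_uint256"},
        {"label": "balances", "slot": "3", "offset": 0,
         "type": "t_mapping(t_address,t_uint256)"},
    ]
}


@dataclass(frozen=True)
class Var:
    label: str
    slot: int
    offset: int
    type: str


def _vars(layout):
    # solc prints "slot" as a decimal string and "offset" as an int
    return [Var(e["label"], int(e["slot"]), int(e["offset"]), e["type"])
            for e in layout["storage"]]


def check_upgrade(old_layout, new_layout):
    """Return a list of problems; an empty list means the new layout is append-only."""
    old, new = _vars(old_layout), _vars(new_layout)
    new_at = {(v.slot, v.offset): v for v in new}
    problems = []
    # 1. every existing variable must still be at the same position with the same type
    for v in old:
        n = new_at.get((v.slot, v.offset))
        if n is None:
            problems.append(f"{v.label}: nothing at slot {v.slot} offset {v.offset} in new layout")
        elif n.label != v.label:
            problems.append(f"{v.label}: slot {v.slot} offset {v.offset} now holds {n.label}")
        elif n.type != v.type:
            problems.append(f"{v.label}: type changed {v.type} -> {n.type}")
    # 2. a variable that is new must sit after the last position the old layout used
    old_positions = {(v.slot, v.offset) for v in old}
    last_old = max(old_positions) if old_positions else (-1, 0)
    for n in new:
        if (n.slot, n.offset) not in old_positions and (n.slot, n.offset) <= last_old:
            problems.append(f"{n.label}: inserted at slot {n.slot} offset {n.offset}, "
                            f"inside the old layout")
    return problems


if __name__ == "__main__":
    for name, layout in (("append-only", NEW_LAYOUT_OK), ("inserted", NEW_LAYOUT_BAD)):
        print(name, check_upgrade(OLD_LAYOUT, layout) or "compatible")
```

The check is deliberately strict: a shrinking OpenZeppelin-style `__gap` array is reported as a type change, so a real pipeline would whitelist that one pattern. It is also a static complement, not a replacement, for the forked-network upgrade simulation the proposal mentions.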
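Under 2a) the proposal mentions rule-based detectors for known patterns such as reentrancy. The block below is an added example, not Octane’s engine or Compound’s code, showing what one such rule does: for each function without a `nonReentrant` modifier it looks for an external call (`.call`, `.delegatecall`, `.transfer`, `.send`) that is followed by a write to a state variable, i.e. a violation of checks-effects-interactions. The Solidity contract is a constructed sample; production detectors work on the compiler AST or IR rather than on raw source, so this regex heuristic only illustrates the idea.

```python
"""Rule-based reentrancy detector (checks-effects-interactions ordering).

Added example, not Octane's product or Compound's code. Inside each function
it looks for an external call that is followed by a state-variable write and
skips functions carrying a nonReentrant modifier. SAMPLE_SOURCE is a
constructed contract; a source-level heuristic like this is only an
illustration of what a scanner rule checks.
"""
import re

SAMPLE_SOURCE = """\
contract Vault {
    mapping(address => uint256) public balances;
    uint256 public totalWithdrawn;

    function withdrawUnsafe(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;          // effect after interaction
        totalWithdrawn += amount;
    }

    function withdrawSafe(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;          // effect before interaction
        totalWithdrawn += amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function withdrawGuarded(uint256 amount) external nonReentrant {
        payable(msg.sender).transfer(amount);
        balances[msg.sender] -= amount;          // protected by the modifier
    }
}
"""

# contract-level declarations of storage variables (constant/immutable excluded)
STATE_VAR_RE = re.compile(
    r"^\s*(?:mapping\s*\(.*?\)|uint\d*|int\d*|address|bool|bytes\d*|string)\s+"
    r"(?:(?:public|private|internal)\s+)?(\w+)\s*(?:=[^;]*)?;",
    re.MULTILINE,
)
FUNC_HEADER_RE = re.compile(r"function\s+(\w+)\s*\(")
EXTERNAL_CALL_RE = re.compile(r"\.(?:call|delegatecall|transfer|send)\s*[({]")


def _functions(source):
    """Yield (name, header, body, body_start) using brace matching for the body."""
    for m in FUNC_HEADER_RE.finditer(source):
        open_idx = source.index("{", m.end())
        depth, i = 0, open_idx
        while i < len(source):
            if source[i] == "{":
                depth += 1
            elif source[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), source[m.start():open_idx], source[open_idx + 1:i], open_idx + 1


def _write_pattern(names):
    # name, optional index expressions, then =, op=, ++ or -- (but not ==, >=, <=, !=)
    alt = "|".join(re.escape(n) for n in names)
    return re.compile(
        rf"\b(?:{alt})\b(?:\s*\[[^\]]*\])*\s*(?:(?<![=!<>])=(?!=)|[+\-*/|&^]=|\+\+|--)"
    )


def find_reentrancy_candidates(source):
    """Return [(function, call_line, write_line)] for unguarded call-then-write."""
    first_fn = FUNC_HEADER_RE.search(source)
    names = STATE_VAR_RE.findall(source[:first_fn.start()] if first_fn else source)
    if not names:
        return []
    write_re = _write_pattern(names)
    findings = []
    for name, header, body, body_start in _functions(source):
        if "nonReentrant" in header:
            continue
        call = EXTERNAL_CALL_RE.search(body)
        if call is None:
            continue
        write = write_re.search(body, call.end())
        if write is None:
            continue

        def line_of(idx):
            return source.count("\n", 0, body_start + idx) + 1

        findings.append((name, line_of(call.start()), line_of(write.start())))
    return findings


if __name__ == "__main__":
    for fn, call_line, write_line in find_reentrancy_candidates(SAMPLE_SOURCE):
        print(f"{fn}: external call at line {call_line}, state write at line {write_line}")
```

The rule reports only `withdrawUnsafe`; `withdrawSafe` writes before it calls and `withdrawGuarded` is skipped because of its modifier. The reviewer step the proposal describes starts from output like this: confirming the finding is reachable, rating it, and checking whether it composes with other conditions.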

Proposal - Octane & Groom Lake Security Partnership for Compound DAO (Part 2/3)

2b) Audit Workflow & Deliverables:

Octane’s audit and review workflow is highly collaborative and designed for rapid iteration. Below is how we typically conduct an audit engagement for a new piece of functionality, as well as our process for ongoing reviews like governance proposals:

  1. Scoping & Kickoff: We begin by working with Compound to define the scope of the audit or review. This involves identifying which contracts or systems are in scope, the key areas of concern, and any out-of-scope components. We’ll have a kickoff call to align on timeline, context, and to meet the Compound developers (if we haven’t already been working with them via CI/CD). In the case of a Compound upgrade, we’d discuss the architectural changes being introduced. We also set up the necessary technical environment: ensuring we have the latest code, deploying contracts on a local or test environment if needed.

  2. Automated Scan & Triage: An initial Octane scan will be run across the entire codebase. Within minutes, this provides a set of preliminary findings. We treat this as a “first pass.” Our team triages these results immediately. Any invalid findings are fed back to the models to customize the parameters. After that, the CI/CD integration is fully ready to run - this will now execute and produce a set of findings in the Octane Dashboard which the Octane Security Team will review on every pull request.

  3. Deep Manual Audit Iteration: During code changes, our auditors then dive into manual review, contract by contract. They will rely on their expertise to uncover issues the tool might not catch. During this phase, whenever an auditor finds a potential issue, they log it in our internal report draft with details. We often audit in pairs for critical components: two experts reviewing the same code independently and then comparing notes, to maximize coverage and reduce oversight. We also continually run targeted tests – for instance, if we suspect a bug, we might write a quick Hardhat/Foundry test to confirm it. This iterative cycle (review → test → confirm → document) continues until we have covered all parts of the scope comprehensively.

  4. Real-time Feedback Loop: Unlike traditional audits that might go dark for weeks, we believe in giving Compound early and continuous feedback. If we find a critical issue on day 2 of an audit, we will not wait until the final report two weeks later to highlight it – we will notify the Compound team immediately (privately), with our recommended fix. This way, remediation can start in parallel with the ongoing audit, saving time. For less urgent findings, we may batch them and share mid-audit updates. We encourage an open channel (e.g., a private Slack channel) where our team and Compound devs can discuss findings in real time. Often, this leads to discovering even more issues or clarifying intended functionality, which improves the audit outcome. By the time the formal report is delivered, there should be no surprises – Compound will already be aware of major findings and perhaps have fixes underway.

  5. Remediation Assistance: Once we deliver the list of findings (either continuously or at draft report stage), we work closely with Compound’s developers to remediate each issue.

  6. Retesting and Verification: After fixes are implemented, we perform a full rescan and manual re-audit of the changes. This double-checks that (a) the particular vulnerability is indeed fixed, and (b) no new issues have been introduced in the process (this is important – sometimes a rushed fix can inadvertently open another hole, but our process is designed to catch that). We update our report to mark issues as resolved, and note the commit hashes or versions where the fixes reside. If any issue remains unresolved (maybe it’s an edge case the team decides to accept, or it requires a longer-term refactor), we will document it clearly along with the rationale or mitigation plan. The Octane app will automatically note that the findings have been remediated as well and a graph of commits over time will track vulnerabilities fixed vs vulnerabilities acknowledged.

  7. Codebase Review Deliverables: We will compile a comprehensive final report at the conclusion of each audit or major review. This report will typically include:

  • Overview: A summary of the scope, what was covered, who conducted the audit, and an overall assessment of the code’s security (e.g., “no critical issues found, code is well-written with minor areas of improvement in X and Y” or conversely “critical vulnerabilities were found and have been addressed in version Z”).

  • Methodology: A brief description of the techniques used – manual review, automated scans, etc. – to give stakeholders confidence in the thoroughness of the process.

  • Findings Details: Each finding will be listed with a severity rating, a description of the issue, steps to reproduce or an example scenario (if applicable), and the recommended fix. If the issue has been fixed by the time of the report, we will note “Resolved” and describe the solution that was implemented (and perhaps include a diff snippet of the fix). We also include any relevant references (e.g., similar historical vulnerabilities or link to a test case that demonstrates the fix).

  • Additional Observations: If there are areas that were out-of-scope but we still noticed something (for example, we weren’t asked to audit a certain module but happened to see a potential issue there), we will mention it as an observation. We also sometimes provide general code quality or optimization suggestions here – while not security issues per se, they can be valuable improvements (e.g., reducing gas costs, simplifying logic to reduce risk of future bugs, etc.).

  • Appendices: We attach any supporting materials like simplified threat models (outlining the roles, assets, and potential adversaries for Compound, and how the findings relate to those), test results (like outputs of fuzzing or invariant checks showing no failures), and any architecture diagrams we used to understand the system. For example, a diagram of how funds flow in Compound or how the comptroller interacts with cTokens might be included to illustrate our understanding.

  8. The final report can be shared with Compound governance and community (redacting any sensitive exploit details until fixes are deployed, if applicable). We are comfortable presenting the report findings in a community call or answering forum questions about them, to maintain transparency. Over time, these reports will contribute to Compound’s security knowledge base.

  9. Governance Proposal Review Process: In parallel to code audits, our workflow for governance proposals is streamlined for speed:

  • As soon as a new governance proposal is created (or even in draft form if the proposer seeks feedback), our team will retrieve the proposal details (contracts to be executed, parameter changes, etc.). We run those through Octane’s analysis if there are code changes (for instance, if the proposal is deploying a new smart contract or upgrading one).
  • We simulate the proposal actions on a fork of the mainnet state to see their effects. This includes checking that all invoked functions behave as expected and do not hit any error conditions or unexpected outcomes.
  • We then produce a short Governance Security Assessment. This is usually a few paragraphs posted in the proposal’s forum thread or on Compound’s governance site, summarizing what we checked and our conclusions. If we find a vulnerability or concern, we will immediately privately alert the proposer and Compound team, and suggest not executing the proposal until fixed. If everything checks out, our report will say so, giving voters added confidence.
  • We commit to completing this review well within the proposal voting window (typically within 24 hours of proposal submission for normal proposals, and in the same day for urgent ones), so that there is ample time for the community to digest our input.

Groom Lake Workflow:

  1. Align with client on critical milestones and known concerns

  2. Conduct security & intelligence onboarding kickoffs

  3. Initial objectives (e.g., IR plan setup, SOC monitoring, due diligence, counterintelligence, stakeholder audits)

  4. Ongoing refinement and iteration as team structure or protocol evolves

Deliverables:

  • Risk severity classification

  • Remediation guidance (often hands-on implementation)

  • Counterintelligence reports

  • Web2 infrastructure risk breakdown

  • Optional threat actor profiles and attribution

  • All materials are client-owned and private by default, unless otherwise agreed

  • Drosera on-chain monitoring and automations as needed

Audit Turnaround Times:

  • Projects with 10-20 contributors: ~1-3 months for full security alignment

  • Larger protocols (50+ people): ~6+ months depending on complexity

  • Shorter deliverables like phishing reports, governance reviews or intelligence reports may be completed within 1-2 weeks as needed

2c) Quality Assurance and Track Record:

Notable Engagements:

  • Operation Ural Spectre
    Groom Lake identified a North Korean plant who had worked undetected for two years as a lead developer in a high-profile project. The subject was scrubbed from infrastructure at a strategic time, followed by a third-party code audit. No funds were lost and no compromise of critical systems occurred.

  • Operation Hidden Forge
    Groom Lake responded to a live internal exploit by an insider. Within 72 hours of IR activation, our team was deployed physically, worked with law enforcement, and successfully had the perpetrator in custody. Assets were secured and the breach was contained.

References:
Yes, redacted reports and references can be shared privately under NDA.

Octane maintains high standards through multiple safeguards:

  • Multi-Layered Review for Octane Application Findings: Every identified vulnerability goes through at least two layers of verification. First, the automated engine flags a potential issue. Then, a human auditor at Octane reviews the flagged code in context to confirm the vulnerability. If confirmed, a second senior auditor may review particularly critical findings and attempt to exploit them on a testnet or in a sandbox to gauge impact. We err on the side of caution – even minor-seeming issues are analyzed for potential chain reactions (e.g., how a “Low” severity bug might escalate under certain conditions).

  • Continuous Model Improvement: Octane’s machine learning models are continuously retrained with new data. When our team finds a new bug in Compound’s code, we abstract the pattern (if applicable) and update our detectors so that the same class of bug will be caught instantly in the future. Conversely, if something was flagged but turned out not to be a bug (false positive), we tune the model to be more precise. Over time, this process yields an AI that is highly specialized to Compound’s codebase and the evolving DeFi threat landscape.

  • Proven Track Record of Critical Discoveries: Octane may be a newer platform, but it has already demonstrated its effectiveness:

    • In a recent engagement, Octane detected an unrestricted state-updating function which, in a similar codebase, caused the Rikkei Finance exploit on BNB Chain in 2022 (where an attacker changed the price oracle and stole ~$1.1M). Octane was also run over this codebase and picked up the vulnerability instantly. Our tool flagged this within seconds of scanning, allowing the team to secure the function before deployment. Octane has also identified critical state variable inconsistencies that would have caused significant loss of funds for all users of the on-chain game. There are many case studies and announcements you can read on our blog and on Gio’s newsletter.

    • Our team’s personal bug-hunting accomplishments also speak to quality: Our researchers have been top performers in competitive audit contests (like Code4rena, Cantina) and have privately disclosed critical bugs to top DeFi protocols including Router Protocol, Optimism and others. In the last year, our product and members of our team uncovered critical-severity vulnerabilities that were missed by top audit firms.

  • Responsible Disclosure and Professionalism: For any vulnerabilities we find (in Compound or even in third-party dependencies), we follow strict responsible disclosure practices. Compound’s core team will always be the first to know, and we never expose details publicly until everything is resolved and users are safe. We also keep a detailed log of our security findings and actions, which Compound can audit. This transparency and diligence are part of our quality commitment – the DAO will always know what work we’ve done and the value we’ve provided.

Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure:

When Groom Lake identifies a critical vulnerability during an audit or through ongoing monitoring, our process begins immediately:

  1. War Room Activation: A secure incident response war room is spun up with Groom Lake operatives and relevant core team members.

  2. Immediate Containment and Mitigation: We triage the risk, work to mitigate potential exploit vectors, and initiate remediation steps.

  3. Full Remediation and Validation: We ensure long-term fixes are implemented, and assess surrounding systems to prevent related fallout.

We adhere to a 72-hour responsible disclosure window: all parties responsible for remediation, containment, and communication are notified within this period. Groom Lake categorizes vulnerabilities using a model similar to CVSS, prioritizing based on:

  • Likelihood of exploitation (e.g., RCE in an exposed DMZ vs. an air-gapped system)

  • Impact of the exploit

As for Octane’s obligations on vulnerability triaging:

Disclosures are handled confidentially via secure channels. We can assist with patch development and remediation guidance, and we often collaborate directly with the core developer or remediation POC during deployment to ensure fixes are implemented precisely and swiftly.

When the team discovers a live vulnerability in Compound, we execute a disciplined triage and disclosure protocol:

  • Immediate Secure Notification: If a critical or high-severity bug is found, we will notify Compound’s designated security contacts immediately through a secure channel. Prior to starting, we will establish with Compound who should be alerted (e.g., specific core devs, the Compound Foundation security lead, etc.) and how (encrypted email, a private Keybase/Slack channel, etc.). This ensures no delay between discovery and Compound knowing about it. The initial notification will include our assessment of severity, the affected components, and recommended next steps (often including a suggested fix).

  • Isolation and Reproduction: Upon finding an issue, our team will attempt to reproduce and isolate it in a controlled environment. For example, if it’s a smart contract bug, we’ll write a test or script that demonstrates the vulnerability (like “under condition X, an attacker can drain Y tokens from the protocol”). This will be kept confidential until the issue is patched. This helps confirm the issue and provides a proof-of-concept that can be useful for fixing and for later post-mortem analysis. We conduct this step quickly, as part of triage, to eliminate any doubt about the bug’s validity and impact.

  • Severity Assessment: We classify the issue according to Compound’s risk framework if one exists (or our standard Critical/High/Med/Low scale).

  • Coordinated Remediation: We then work hand-in-hand with Compound’s team to fix the issue. For a severe bug in a deployed contract, this might mean helping draft a governance proposal or emergency patch. If Compound has a security multisig or a pause switch, we may advise using it as an immediate containment if the issue is at risk of being exploited. We treat this phase with the utmost confidentiality – often using out-of-band version control (a private repo) to develop the fix so that it’s not visible until ready.

  • Testing the Fix: Once a patch is ready, we test it rigorously (similar to our audit process) to ensure it indeed resolves the issue and doesn’t introduce side effects. We may run differential tests (comparing behavior pre- and post-patch) and, if feasible, simulate the exploit scenario again to confirm it’s no longer possible.

  • Deployment and Confirmation: We support Compound through deploying the fix – whether that’s via governance upgrade or an emergency action. Our team can assist in drafting any necessary communication for the community (to explain why an urgent fix is needed without revealing exploit details prematurely). After deployment, we monitor the protocol closely to confirm the vulnerability is closed and no strange activities occur.

  • Disclosure and Learnings: Post-remediation, we believe in transparency with the community. We will help prepare a post-mortem report or blog that outlines the vulnerability, how it was discovered, and how it was fixed – all in plain language to educate the community and other developers. Importantly, we do not publish any details until users are fully protected. If a bug is found internally and fixed before any exploit, this post-mortem serves as a preventive lesson rather than a reaction to a public incident. Our aim is to bolster community trust by showing that even vulnerabilities are handled responsibly and proactively.

In summary, the moment Octane finds a vulnerability, Compound will effectively gain an extension of its team working to neutralize that threat as quickly as possible, with clear communication.

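The governance proposal review steps in the post above end with simulating the proposal's actions on a mainnet fork. The fork run itself needs an RPC endpoint and is not shown here; this added example (not code from the original post, nor Octane's or Groom Lake's tooling) shows the static pre-check a reviewer runs before it: taking the (target, value, signature, calldata) tuples that GovernorBravo.getActions(proposalId) returns, decoding the static ABI arguments, and applying parameter rules. The contract addresses, the 0.85 "review line", and the rule set are assumptions for illustration; the 0.9e18 collateral-factor ceiling and 1e18 reserve-factor ceiling mirror the constants Compound v2's Comptroller and CToken enforce on-chain.

```python
"""Static pre-check of a Compound GovernorBravo proposal's actions.

Input is the tuple list GovernorBravo.getActions(proposalId) returns: when a
signature string is non-empty, calldata holds only the ABI-encoded arguments
(the Timelock prepends the selector); when it is empty, calldata is raw and
starts with its own 4-byte selector. The sample proposal below is constructed.
"""
import re
from dataclasses import dataclass

WAD = 10**18
CF_MAX = 9 * WAD // 10          # Comptroller.collateralFactorMaxMantissa (on-chain)
RESERVE_MAX = WAD               # CToken.reserveFactorMaxMantissa (on-chain)
CF_REVIEW = 85 * WAD // 100     # assumed house review line, not a protocol constant
ADMIN_SIGS = {                  # assumed list of actions that always need sign-off
    "_setPendingAdmin(address)", "_setPendingImplementation(address)",
    "_setPriceOracle(address)", "_setPauseGuardian(address)",
}
SEVERITY_RANK = {"info": 0, "warn": 1, "block": 2}

@dataclass(frozen=True)
class Action:
    target: str
    value: int
    signature: str   # "" means calldata carries its own selector
    calldata: bytes

@dataclass(frozen=True)
class Finding:
    action: int
    severity: str    # "info" < "warn" < "block"
    message: str

def parse_signature(signature):
    m = re.fullmatch(r"(\w+)\((.*)\)", signature)
    if not m:
        raise ValueError(f"malformed signature {signature!r}")
    return m.group(1), [t for t in m.group(2).split(",") if t]

def decode_static_args(types, data):
    """ABI-decode static arguments (address/uintN/bool), one 32-byte word each.
    Dynamic types (bytes, string, arrays) are refused rather than mis-decoded."""
    if len(data) != 32 * len(types):
        raise ValueError(f"expected {32 * len(types)} bytes of arguments, got {len(data)}")
    args = []
    for i, t in enumerate(types):
        word = data[32 * i:32 * (i + 1)]
        if t == "address":
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        elif re.fullmatch(r"uint(\d+)?", t):
            args.append(int.from_bytes(word, "big"))
        elif t == "bool":
            n = int.from_bytes(word, "big")
            if n > 1:
                raise ValueError("bool word is not 0 or 1")
            args.append(bool(n))
        else:
            raise ValueError(f"type {t} needs full ABI decoding")
    return args

def review_action(i, a):
    f = []
    if a.value:
        f.append(Finding(i, "warn", f"forwards {a.value} wei of ETH to {a.target}"))
    if not a.signature:
        sel = a.calldata[:4].hex()
        f.append(Finding(i, "warn", f"raw calldata, selector 0x{sel}: decode against the target ABI and trace it on the fork"))
        return f
    if a.signature in ADMIN_SIGS:
        f.append(Finding(i, "block", f"{a.signature}: admin/oracle/guardian change, confirm the new address out of band"))
    name, types = parse_signature(a.signature)
    try:
        args = decode_static_args(types, a.calldata)
    except ValueError as e:
        f.append(Finding(i, "warn", f"{a.signature}: {e}"))
        return f
    if name == "_setCollateralFactor":
        market, cf = args
        if cf > CF_MAX:
            # Comptroller returns an error code instead of reverting, so the Timelock
            # call would "succeed" while the change is silently rejected.
            f.append(Finding(i, "block", f"collateral factor {cf / WAD:.2f} for {market} exceeds the on-chain max {CF_MAX / WAD:.2f}"))
        elif cf > CF_REVIEW:
            f.append(Finding(i, "warn", f"collateral factor {cf / WAD:.2f} for {market} is above the review line"))
        else:
            f.append(Finding(i, "info", f"collateral factor {cf / WAD:.2f} for {market}"))
    elif name == "_setReserveFactor":
        (rf,) = args
        f.append(Finding(i, "block" if rf > RESERVE_MAX else "info", f"reserve factor {rf / WAD:.2f} on {a.target}"))
    elif a.signature not in ADMIN_SIGS:
        f.append(Finding(i, "info", f"{a.signature}: no parameter rule, rely on the fork simulation"))
    return f

def review_proposal(actions):
    findings = []
    for i, a in enumerate(actions):
        findings.extend(review_action(i, a))
    return findings

def worst_severity(findings):
    return max((f.severity for f in findings), key=SEVERITY_RANK.get, default="info")

# Constructed sample proposal; addresses are placeholders, not real Compound deployments.
def _addr(hex_addr): return bytes(12) + bytes.fromhex(hex_addr[2:])
def _uint(n): return n.to_bytes(32, "big")
COMPTROLLER, CUSDC, TOKEN, RECIPIENT = ("0x" + b * 20 for b in ("c0", "c1", "c2", "c3"))
SAMPLE_PROPOSAL = [
    Action(COMPTROLLER, 0, "_setCollateralFactor(address,uint256)", _addr(CUSDC) + _uint(95 * WAD // 100)),
    Action(CUSDC, 0, "_setReserveFactor(uint256)", _uint(15 * WAD // 100)),
    Action(TOKEN, 0, "", bytes.fromhex("a9059cbb") + _addr(RECIPIENT) + _uint(10**21)),  # transfer(address,uint256)
]

if __name__ == "__main__":
    fs = review_proposal(SAMPLE_PROPOSAL)
    for f in fs:
        print(f"[{f.severity}] action {f.action}: {f.message}")
    print("verdict:", worst_severity(fs))
```

The first sample action is the one to notice: an out-of-range collateral factor does not make the proposal fail on the fork, because Compound v2's Comptroller reports the rejection through a return code that the Timelock ignores, so a reviewer who only checks "did execution revert" would pass a proposal that silently does nothing.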

Proposal - Octane & Groom Lake Security Partnership for Compound DAO (Part 3/3)

3b) Incident Response Support:

Groom Lake provides full-spectrum incident response support, both remote and on-site. During live exploits or compromises, our actions include:

  • Technical investigation and compromise containment
  • Coordination with exchanges, law enforcement, legal counsel, and whitehats
  • Direct negotiation with attackers (ransomware or extortion situations)
  • Crisis management, public communication support and narrative strategy
  • Off-chain intelligence capabilities to triage cases to the furthest extent possible

We treat these as high-priority campaigns, with the option for physical deployments globally based on the nature and sensitivity of the incident.

Case Examples:

  • Operation Hidden Forge: IR team was physically deployed after an insider-executed protocol exploit. The target was in custody within 72 hours of Groom Lake activation.

  • High-Sensitivity Personnel Protection: In redacted engagements, we’ve investigated and neutralized threats to team members and families under physical surveillance by unknown actors.

All post-mortem reports, IR summaries, or coordinated statements are made available to the DAO for publication or internal use.

3c) Continuous Monitoring & Threat Detection:

Our threat monitoring and anomaly detection program uses a proprietary Security Operations Center (SOC) integrated with custom alert logic and external tooling. Systems monitored typically include but are not limited to:

  • GitHub

  • GSuite

  • AWS

  • Twitter

  • Email systems

We flag:

  • Privilege escalation attempts

  • Suspicious logins

  • Abnormal multisig or governance behavior

  • Unusual token transfers or liquidity pool movements

All signals are aligned with the MITRE ATT&CK framework.

Alerts are routed to specific Groom Lake operatives and designated protocol contacts using secure notification methods defined and tested during the onboarding phase. Escalation protocols are tailored to the DAO’s governance structure and incident severity.

Commercial Terms and Commitment

4a) Budget Request and Pricing Model:

Will be shared privately and disclosed after reviewing with the Compound representatives.

4b) Milestones and Performance Metrics:

Groom Lake -

Key performance metrics and milestones may include:

  • Advisory report delivery: within 14 days of scope readiness

  • Critical issue triage & escalation: within 2 hours of detection

  • 0 external facing vulnerabilities in production (target outcome)

  • 12/12 months of monthly or quarterly updates (client preference)

  • Participation in 100% of governance or contributor calls with security content

All performance tracking is transparent and will be reported based on the DAO’s desired cadence: monthly, quarterly, or milestone-based.

Octane -

We believe in accountability and clear success criteria. As part of the engagement, Octane will commit to certain milestones and Key Performance Indicators (KPIs) to transparently measure our effectiveness. These include:

  • Onboarding Milestone (Month 1): Within the first month of engagement, Octane will complete integration and an initial baseline audit:

    • Octane’s CI/CD integration is live on Compound’s repos.

    • First comprehensive audit report delivered (covering either an existing module of Compound or confirming that the current deployed code has no undiscovered critical issues).

    • Joint review meeting with Compound’s team to go over any findings and ensure comfort with the tooling.

    • Success criteria: Compound’s developers are actively using Octane on PRs and at least one critical or several minor issues have been identified and fixed, demonstrating immediate value.

  • Ongoing Vulnerability Metrics: We will track and report the number of vulnerabilities found (by severity) and resolved each quarter. If we notice recurring categories of issues, we set goals to eliminate that category via training or pattern enforcement.

  • Response Time Metrics: Key SLA-related metrics (details in Section 5) will be reported, such as:

    • Average time from code push to Octane analysis completion (we expect this to be under 10-15 minutes).

    • Average time to human review for critical findings (target under 6 hours).

    • Governance proposal review turnaround (target 100% of standard proposals within 48h, emergency ones < 12h).

    • Incident response activation time (target < 15 minutes acknowledgment).
      We will report our performance against these targets. If there’s any miss, we’ll include an explanation and improvement plan.

  • Community Satisfaction: Though harder to quantify, we’ll keep an eye on community feedback – e.g., are Compound stakeholders expressing confidence in security, has our involvement reduced anxiety around proposals, etc. We might solicit a DAO survey or feedback at 6 months to gauge satisfaction and address any concerns.

We will compile these metrics into a quarterly report delivered to the community (or more frequently if the DAO prefers). This level of transparency is relatively unique, but we want Compound to tangibly see the value we’re providing. If any metric is not meeting expectations, we will proactively discuss why and how to improve.

4c) Conflict of Interest Declaration:

Groom Lake currently works with TrueFi*, which operates in the broader decentralized lending space and may be considered a parallel ecosystem to Compound.

However, Groom Lake maintains strict operational firewalls and does not conduct cross-client intelligence, surveillance, or analysis. Confidentiality, compartmentalization, and discretion are fundamental to our engagements. We do not share resources, reports, or personnel across clients.

*consent given to disclose relationship

Octane is fully committed to acting in Compound’s best interest, and we acknowledge the importance of avoiding any conflicts or appearances of conflict:

  • No Conflicting Engagements: Octane does not currently provide security services to any direct competitor or fork of Compound. If we are approached by such projects, we will transparently decline citing our commitment to Compound.

  • Data Security and Privacy: Any sensitive information we gain from working with Compound (such as non-public code, vulnerability details, keys or access given for infrastructure, etc.) will be kept strictly confidential. We have robust internal security controls: private repositories with limited access, encrypted communications, and a culture of need-to-know access. We will not share Compound’s data with other clients or use it for any purpose outside of improving Compound’s security.

  • Transparency to DAO: We will disclose to Compound any potential conflict that might arise. As of now, we have no such entanglements – we are singularly focused on our clients’ security.

In summary, Compound can trust that Octane will act with integrity, safeguard confidential information, and dedicate our efforts solely to Compound’s benefit in the DeFi ecosystem.

4d) Transition and Offboarding Plan:

In the event that Groom Lake and Octane are not renewed, we will coordinate a full knowledge and access handover to ensure uninterrupted protection of the DAO. This includes:

  • Secure transfer of any documentation, intelligence briefs, or SOC configurations

  • Final incident summaries or system status reports

  • Live or asynchronous transition briefings with the incoming team

  • 60-day transition support window

We agree to a 60-day termination clause, giving the DAO flexibility while ensuring a responsible offboarding process.

Service Level Expectations (SLA)

5a) Incident Response:

Groom Lake operates a global 24/7 incident response capability supported by live operatives, dedicated tooling, and war room infrastructure. For any declared incident:

  • Target Response Time: Less than 20 minutes once a war room is activated.

  • Monitoring Coverage: Groom Lake provides year-round, 24/7 monitoring of key infrastructure and systems.

  • Primary Communication Channels: Secure Telegram groups, custom incident Signal lines, and real-time war room video calls are used to coordinate.

This capability is continuously active for protocols enrolled in our IR and monitoring program, with emergency escalation procedures tested during onboarding.

5b) vCISO Support:

  • Advisory Response Time: Strategic or vCISO-level advisory requests are handled within 2 business days or less.

  • Check-in Cadence: Most clients engage in reviews every 1-4 weeks, depending on operational tempo and current initiatives; cadence is fully flexible.

  • Primary Points of Contact:

    • Neptune_GL – Head of Operations (Primary)

    • Atlas_GL – Operations Specialist (Backup)

    • Hercules_GL – Head of Security (Elevated)

These leads coordinate to ensure total availability and situational coverage.

5c) Governance Security Reviews:

Groom Lake -

  • Turnaround Time: Groom Lake is available for security review within 24-48 hours of request.

  • Urgency Support: We are available for urgent or last-minute proposal reviews as needed.

  • Findings Communication: Review outcomes are delivered via written reports (Markdown or PDF), direct team briefings, and/or inline comments, depending on proposal type and DAO preference. We also provide advisory input during governance calls when appropriate.

Octane -

  • Standard Proposals: For typical governance proposals (e.g., adding a new collateral with known code, adjusting parameters), we will complete a review and deliver feedback within 48 hours of proposal submission (often faster, as many reviews can be done in under a day). This includes writing a short report or forum reply detailing our findings.

  • Urgent/Emergency Proposals: If a proposal is expedited or security-critical (for instance, a fast-track patch), we will treat it with top priority. Within 12-24 hours (depending on urgency) we will finish the review. We can adjust our schedule to be even faster if needed – given our automated assistance, even a complex proposal could potentially be analyzed in just a few hours – but we state 12-24h to be safe and thorough.

  • Pre-Proposal Support: If Compound’s team is crafting a proposal and wants a pre-check before formal submission, we will accommodate that as part of our workflow. This can prevent issues from ever making it on-chain. Turnaround for these “prechecks” can be as quick as a few hours for minor changes, since we can work directly with the proposer.

5d) Code Audits:

Octane -

  • Scheduling: Upon request of an audit (for a new component or major code change), we will begin the audit within 2 business days of scope finalization. We will allocate our team dynamically to prioritize Compound. (In practice, since we’re continuously engaged, we might start looking at it the same day it’s requested. The 2-day figure is a maximum guarantee to cover any logistical setup.)

  • Audit Turnaround Time: The duration of audits will vary by size:

    • Small changes (a few contracts, say under 500 lines of new logic): ~3-5 days from start to report. This includes time for fixing iterations.

    • Medium projects (several contracts or moderate complexity, 500-2000 lines): ~2 weeks from start to final report, including remediation.

    • Large upgrades (e.g., a new version of Compound with thousands of lines changed): 4-5 weeks to be safe, though we’ll try to do faster by parallelizing work. We will communicate an exact timeline after scoping, and hit that deadline.

    • We also can accommodate urgent mini-audits (like a last-minute change or patch) on a 48-hour turnaround if needed, utilizing our whole team for the review. This ensures that even hotfixes get at least two pairs of eyes before going live.

  • Remediation Verification: Our SLA is that any re-audit of fixes will happen within 3 days of the fixes being submitted. Often we do it in 1-2 days or in real time.

  • Quality of Deliverables: Every audit report will meet a high standard of clarity and thoroughness. If Compound or the community ever finds a report unclear or insufficient, we will amend it promptly. Essentially, we guarantee professional, useful deliverables every time. Part of quality is also accessibility – we are willing to hop on a call to walk through any report with the community or address any follow-up questions at no extra cost.

  • Continuous Reviews: For code that is being developed continuously (e.g., a long-running feature branch), we can provide interim updates. Our SLA is that even outside of formal audit reports, any critical issue found will be communicated immediately, and any medium issues will be communicated within a week (if not fixed by then). You will never wait until an official report to hear about something important.

In summary, our service levels are designed to be high-speed and high-touch. Compound will always get quick responses, rapid turnarounds, and top-quality output from Octane. We treat Compound as a priority client (indeed, during our engagement it will be the priority), and our SLA commitments reflect that dedication.

Groom Lake -

  • Post-Deployment Code Monitoring: Ongoing surveillance of deployed contracts using Drosera, allowing us to detect logic flaws, misuse patterns, or emerging vulnerabilities as they surface in live environments.

Final Considerations

A New Era of Security for Compound: Octane and Groom Lake

Compound is not just another DeFi protocol; it’s one of the fundamental pillars of decentralized finance. It requires and deserves a security partner that is equally innovative, reliable, and community-aligned. Octane aims to be that partner by delivering a modern, proactive, and comprehensive security service that elevates Compound’s safety to the highest standard. At the same time, Groom Lake brings a level of operational intensity, intelligence expertise, and real-world readiness that redefines what protocol security can mean in the current threat landscape.

Octane introduces a new standard in security by shifting away from the traditional, static audit approach. Rather than relying on one-off snapshots, we offer continuous assurance — like having a security co-pilot embedded in every developer’s workflow. This means Compound can move fast and launch new features with confidence, knowing security is happening in real time, not just at the end of a development cycle. Our AI-driven tooling has already proven capable of identifying critical vulnerabilities in seconds, but we emphasize that it’s the pairing of automated detection with deep expert review that makes our process uniquely effective. This dual approach leads to more comprehensive coverage and fewer missed issues — all without slowing Compound down.

While Octane secures the code and development flow, Groom Lake addresses the broader security reality that most firms overlook. Groom Lake is more than a cybersecurity provider — it is a mission-driven force operating at the intersection of elite intelligence, private military precision, and crypto-native security needs. Our role is not just to secure smart contracts, but to neutralize adversaries before they act and to create operational resilience across the entire DAO. This includes active on-chain monitoring, off-chain intelligence gathering, live response coordination with exchanges and global law enforcement, and the ability to deploy physical teams when necessary.

Our proprietary platforms — including Reaper for leak and SIM swap detection, BaitBuster for phishing takedowns, and Ponder for governance sentiment analysis — are designed to protect protocols like Compound that sit at the center of DeFi’s infrastructure. Groom Lake also brings human-centric protection to the forefront. We harden the elements that attackers increasingly target: communication channels, contributor devices, governance processes, and multisig operations. By testing, red-teaming, and continuously improving the operational posture of those who run Compound, we close the gaps no audit ever will.

Both Octane and Groom Lake are committed to collaboration. Security is most effective when integrated closely with the teams and communities it serves. That’s why Octane doesn’t operate as an external vendor, but as an embedded extension of Compound’s team. We aim to contribute regularly to governance discussions, share insights and vulnerabilities transparently, and help strengthen the security mindset of every contributor. Groom Lake shares this DAO-native orientation. We believe security providers must be accountable to the communities they serve. We will participate in governance calls, publish redacted postmortems when appropriate, and continue to build tools that benefit the broader ecosystem — not just our clients.

We also recognize the specific needs of Compound’s architecture and mission. Groom Lake has deep experience working with lending protocols, including TrueFi, and across Layer 1s, bridges, and DAOs. We understand the threat models that target lending ecosystems — from oracle exploits to governance manipulation and adversarial economic behaviors. Our team, made up of cyber warfighters, HUMINT and SIGINT veterans, and intelligence analysts, now brings that same level of strategic and tactical rigor to defending open-source protocols. We apply real-world intelligence techniques to predict and prevent the attacks others only react to.

Through Octane’s continuous code assurance and Groom Lake’s layered, sovereign defense infrastructure — including the deployment of Drosera, our programmable, gasless detection and mitigation framework — Compound gains a security system that adapts as it grows. This isn’t theoretical. Octane has already identified multi-million dollar bugs before they caused harm, accelerated timelines for leading protocols, and set new benchmarks for AI-assisted security. Groom Lake has responded to live threats, disrupted phishing campaigns, and protected contributors through coordinated, cross-jurisdictional operations.

Together, we offer a full-spectrum security partnership that understands what’s at stake. Compound’s TVL, its reputation, and its governance all rely on trust — and trust begins with security. Every member of our teams, from founders to engineers, takes that responsibility personally. If selected, we will be transparent in our reporting, accountable through measurable outcomes, and adaptive to the Compound community’s evolving needs.

In closing, we respectfully ask the Compound community to consider the unique and complementary value Octane and Groom Lake bring. We are confident in our combined approach — a challenger to outdated security models and a collaborative ally to the protocol’s core contributors. AI-powered security is not speculative; it’s here and it works. Sovereign defense is not aspirational; it’s operational. By selecting Octane and Groom Lake, Compound will secure its present, strengthen its future, and remain a beacon of excellence in decentralized finance.

We’re ready to hit the ground running. Together, let’s set a new standard for DeFi security — one worthy of Compound’s place in the ecosystem.

Additional resources can be found here:

  1. GLPMC Website: https://www.groomla.ke
  2. GLPMC Solutions Deck: bit.ly/groomlakeintro
  3. GLPMC Twitter: https://x.com/0xGroomLake
  4. Octane Website: https://www.octane.security/
  5. Octane Solutions Deck: DocSend
  6. Octane Twitter: https://x.com/octane_security

blockful Application – Compound SSP: Calldata and Proposal Review and Governance Alert System for Compound

Overview

About us

Blockful works at the intersection of governance and security across multiple DAOs. We operate as delegates and service providers, with a track record of identifying and mitigating governance vulnerabilities before they are exploited.

Here is research we published during the Humpy incident: Anatomy and antidote for Compound War

Our team has contributed to ENS since 2022, and in 2024 uncovered a critical vulnerability that could have allowed an attacker to drain over $150 million in liquid treasury using a $30 million proposal. This led to the creation of the ENS Security Council, which we supported both technically and strategically.

[EP 5.23] [Executable] Governance Security Bounty

Since then, we’ve evolved into a team focused on governance security—combining smart contract analysis, governance modeling, and live monitoring to anticipate structural risks. In 2024, we were selected as ENS Service Providers for the first time, and again in 2025 with expanded responsibilities, including CallData and Proposal Review and the Notification System now proposed here.

We also conducted a full governance risk assessment for Uniswap DAO, delivering a comprehensive research report highlighting potential vulnerabilities, attack vectors, and areas for improvement in governance.

Announcing $110,000 Grant to Blockful for the Uniswap Foundation…

Our contributions vary across DAOs but remain centered on proactive governance security.

Blockful is also building Anticapture, an independent governance risk assessor for DAOs, designed to surface structural vulnerabilities before they can be exploited.

We operate as a fully bootstrapped and independent company, currently focused entirely on governance security. In earlier stages, our team also explored areas such as AI governance and decentralized reputation systems, adding to our depth in understanding complex sociotechnical dynamics in DAOs.

We aim to support Compound by applying our governance security expertise through Calldata and Proposal reviews, complemented by a real-time governance notification system across Telegram and other channels—enabling timely risk mitigation and activating relevant stakeholders when necessary.

Our team

Blockful is a team of 11 individuals working on different internal products for supporting protocols and governance. The squad for executing this proposal will be:

Name | Role | Description
--- | --- | ---
Alex | Executive Director & Researcher | ENS/Uniswap delegate. Background in ML and smart contracts. Co-founder of Blockful.
Leonardo | Software Engineer | Specialized in blockchain, backend and smart contracts.
Lucas | Senior blockchain engineer | Open sourcerer, blockchain engineer, tech lead
Zeugh | Research Lead | Specialist in incentive design and governance systems. Formerly at Juicebox.

Scope of Security Work

1. CallData and Proposal Review

Goal: Governance Security

Impact: Provide critical security validation for executable proposals to prevent unintended outcomes or malicious execution.

Review Process:

  • Initial SLA response: Timeline defined within 2 business days
  • Review window: Between 1 day and 2 weeks, depending on calldata complexity
  • Two-stage review:
    • Stage 1: When proposal is posted on forum (with calldata)
    • Stage 2: Final check when proposal is queued on-chain
  • Review includes functional simulation to confirm effects of execution
  • Technical summary provided if not submitted by proposer, supporting non-technical delegates

Reference implementation:

Our work with ENS DAO followed this same approach and received strong delegate feedback.

Here’s the repository where we simulate all DAO proposals and review the calldata:

dao-proposals/src/ens/proposals at main · blockful/dao-proposals

Here’s a very recent reference:

https://x.com/ENS_DAO/status/1943329995369087053

Quarter (after approval) – KPIs

Quarter (after approval) | KPI
--- | ---
Q1 | Respond to 100% of tagged proposals within SLA
Q2 | Respond to 100% of tagged proposals within SLA
Q3 | Respond to 100% of tagged proposals within SLA
Q4 | Respond to 100% of tagged proposals within SLA

2. Reliable Notification System

Goal: Governance Security

Impact: Develop a reliable, multi-platform alert infrastructure to ensure no stakeholder misses critical governance actions.

Key Features:

  • Notifications for voting/delegation concentration (e.g., tracking new Humpy wallets)
  • Multi-platform support: Email, Telegram, Slack, Discord
  • Real-time alerts for token holders when their delegate is inactive
  • Voting reminders for delegates
  • Vote confirmation and status feedback
  • Support for onchain and offchain votes
  • Capture cost changes

Quarter (after approval) | KPI
--- | ---
Q1 | Telegram integration for onchain voting reminders and inactivity alerts for token holders
Q2 | Integration with email, Discord, and Slack
Q3 | Support for offchain votes; system uptime of 99%
Q4 | Anticapture-triggered security alerts; system uptime of 99%

3. Anticapture integration and governance audit

Integrating into a complete monitoring system to prevent governance attacks based on research.

  • Actions for security improvements need to be data-driven recommendations; if not, this can cost us resources, time, and ultimately a governance attack.
  • Simplify understanding for delegates about risks, redelegations, and historical data. Visualizations and data you don’t get anywhere else in today’s tools.
  • This is specific and valuable data that you would need to attack the DAO, or to understand how to defend it as well. Here, we want to give it the importance needed to make sure Compound defends first.

1b) Multi-Chain Support & Upgrade Expertise:

We have the technical capabilities to support Compound’s multi-network deployments through governance-focused reviews, contract-level analysis, and integration of monitoring infrastructure across L2 environments. We were selected by ENS to build their governance L2 contracts.

1c) Resource Allocation and Availability:

We will allocate 2 FTEs to Compound-related work. These team members will be primarily focused on Compound and may assist with other internal initiatives only when no immediate Compound demands are pending.

To ensure continuous coverage:

  • At least one FTE will always be on call, guaranteeing uninterrupted availability.
  • Scheduling will prevent simultaneous absences between the two team members.
  • As our team is fully focused on governance security, additional support is available when needed to ensure continuity and timely response.

This structure allows us to maintain consistent delivery, avoid delays, and provide dependable support for Compound across all engagement phases.

1d) Additional Services or Tools:

No, we’ll be integrating all tools we have.

Section 2: Technical Methodology and Audit Process

2a) Audit Methodology:

Note: We do not perform traditional audits of new smart contract code.

We focus on governance security—such as economic attacks, governance execution errors, and structural vulnerabilities within DAO systems.

Our Scope: Governance Execution & Security Risk Reviews

Blockful’s methodology is built specifically for security at the governance layer:

  • Validation of executable Calldata
  • Analysis of governance behaviors and configuration
  • Identification of systemic vulnerabilities and capture conditions
  • Verification of execution outcomes and unintended state changes

Calldata Review Process

We’ve developed a dedicated internal workflow for validating onchain proposal execution. The process includes:

Stage | Description
--- | ---
Calldata Extraction | Pull calldata directly from forum posts or proposals
Simulation & Testing | Run tests in a controlled environment to simulate state changes after execution
Functional Analysis | Confirm that proposed calldata aligns with the intended behavior of the proposal
Risk Reporting | Deliver analysis and plain-language summaries, especially when not provided by proposer

Our reviews are tracked and managed through a public repository, where we document the lifecycle and output of each proposal review:

GitHub - blockful/dao-proposals

This helps preserve transparency, traceability, and ease of handoff between contributors and the broader DAO ecosystem.

Governance Attack Research Foundation

This methodology is grounded in our study of over 30 past governance and economic attacks. This body of work led to the creation of the Anticapture framework, which is used to assess and expose DAO-level risk factors.

Focus Area | Description
--- | ---
Anticapture Framework | A methodology for analyzing vulnerabilities in DAO governance structures
Attack Archive | Analysis of real-world cases: Aragon, Mango, and others
Risk Signals | Tracking economic conditions, permission structures, voting anomalies, and resilience stages

We aim to bring this preventive, research-backed methodology to Compound, enabling a more secure and legible governance process.

Summary Table

Area | Methodology Highlights
--- | ---
Governance Attack Surfaces | Based on Anticapture research and study of 30+ past DAO governance failures
Calldata and Proposal Reviews | Manual and automated testing, simulation, and execution verification
Technical Summaries & Reports | Clear documentation for delegates and contributors, especially in high-risk proposals

By default, all Calldata and Proposal Reviews are published publicly on the Compound governance forum, allowing the community to audit, discuss, and learn from the process.

If a proposal contains sensitive risks or an issue that could be exploited if disclosed too early, we coordinate directly with the relevant teams or proposers through appropriate private channels. Public disclosure follows once the issue is mitigated or clarified.

We believe that combining technical diligence with open governance communication is essential to strengthen protocol resilience.

This workflow has already been applied in ENS DAO, where our public reports helped inform delegates and prevent execution risks.

We also intend to demonstrate our approach in practice by reviewing one of the currently active proposals on Compound as part of this application, showing how our review process works in a real governance context.

2b) Audit Workflow & Deliverables:

Workflow

Our process follows a two-stage review: forum-phase and onchain-phase analysis, using internal tests to simulate calldata execution and confirm expected outcomes. Reports are posted publicly on the governance forum unless sensitive, and include clear risk flags and technical summaries. Turnaround time ranges from 1 day to 2 weeks, based on complexity.

Deliverables

Reliable Notification System – Deliverables

Deliverable | Description
--- | ---
Telegram Integration | Onchain voting reminders and delegate inactivity alerts for token holders
Multi-Channel Support | Extension of alerts to Email, Slack, and Discord
Offchain Vote Notifications | Monitoring and alerting for Snapshot or other offchain governance events
Vote Confirmation Alerts | Real-time feedback confirming vote submissions and outcomes
Anticapture Security Alerts | Notifications triggered by high-risk governance conditions surfaced by Anticapture

CallData & Proposal Review – Deliverables

Deliverable | Description
--- | ---
Initial Assessment Response | Confirmation of review timeline within 3 business days after proposal is tagged
Stage 1 Review Report | First-stage analysis when proposal is posted on the forum, including simulation and functional check
Stage 2 Final Verification | Final check and confirmation once the proposal is queued on-chain
Technical Summary (if missing) | Summary of calldata behavior written in plain terms for non-technical delegates
Functional Simulation Results | Execution and validation of calldata effects to confirm intended state changes

2c) Quality Assurance and Track Record:

Our team has a proven record of identifying and mitigating governance risks before they result in harm.

In early 2024, we uncovered a critical vulnerability in ENS DAO that could have allowed an attacker to drain over $150M in liquid treasury through a $30M governance proposal. This discovery led to the creation of the ENS Security Council, a governance safeguard we helped design.

During our term as ENS Service Providers, we conducted structured Calldata and Proposal Reviews on executable proposals. In one instance, we flagged an error that would have led to unintended behavior had the proposal been executed. The issue was corrected in time.

Examples:

Our approach emphasizes reproducibility, transparency, and communication with delegates. The positive feedback from ENS delegates reinforced the value of structured governance review and inspired the model we’re now bringing to Compound.

We also published a governance risk report for Uniswap DAO using the Anticapture maturity model, which surfaced potential vulnerabilities. One of the primary blockers identified was related to DNS configuration, and Tally has since begun implementing improvements to address this issue.

Our work focuses not only on detecting risks but also on delivering actionable guidance. The improvements adopted by teams like ENS, Uniswap, and Optimism reflect how these findings lead to real changes in DAO security practices.


Section 3: Risk Management and Incident Response

3a) Vulnerability Triage & Disclosure:

Our approach to vulnerability triage follows a clear and pragmatic sequence based on our past experience, including with the ENS Security Council:

  1. Immediate Disclosure to Core Contributors

    Upon identifying a critical vulnerability — whether during audits or ongoing monitoring — we immediately notify the relevant core contributors (typically the core development team) through a secure channel (e.g., Slack or Telegram). The message includes a clear description of the issue, its potential impact, and a proposed fix or mitigation strategy.

  2. Coordination with Governance Stewards

    Once the technical team is aware and engaged, we also notify governance stewards or protocol leadership to coordinate a structured response plan.

  3. Execution and Postmortem

    We support or lead the execution of the response plan, help implement fixes, and coordinate public disclosure once the vulnerability is mitigated. A postmortem is shared with the community along with forward-looking recommendations to prevent recurrence.

  4. Proactive Follow-up

    Beyond immediate remediation, we propose additional improvements when relevant, addressing broader governance security gaps or systemic weaknesses exposed by the vulnerability.

Prioritization & Timelines

Critical issues are treated with the highest urgency — all other work is deprioritized until the vulnerability is triaged, contained, and addressed. We aim to initiate a remediation plan within 24 hours of discovery for high-severity findings.

Communication Channels

While we currently use Slack and Telegram for secure disclosures, we are open to adopting any preferred or more secure channels requested by the Compound team and community.

3b) Incident Response Support:

We have direct experience supporting DAOs during live or imminent governance-related threats. Our team acts quickly and discreetly to contain, coordinate, and resolve high-severity incidents.

In the ENS governance vulnerability case, we assisted the ENS Security Council by analyzing the issue, proposing mitigation steps, coordinating with governance stewards, and contributing to both the public disclosure and the postmortem process. While not formalized as a written incident response plan, the sequence of actions followed a logical and effective path that can serve as a baseline for similar situations.

We also acted as whitehat researchers in a Uniswap DAO governance-related incident. In that case, we were the ones who identified and disclosed the issue, then collaborated with relevant contributors to support triage and resolution.

We typically work closely with protocol foundations, core contributors, governance stewards, and other whitehat researchers when coordination is required. Our goal is to minimize protocol risk through timely investigation, clear communication, and practical remediation support.

Example:

3c) Continuous Monitoring & Threat Detection:

Our monitoring infrastructure is focused exclusively on governance-related signals. It does not include oracle or protocol-level anomaly detection. Instead, we monitor and surface unusual or risky patterns in voting, delegation, and proposal activity.

We have developed and currently maintain a dedicated stack that includes:

  • A backend engine for ingesting and analyzing governance data in real time
  • A dashboard to surface metrics, behavioral baselines, and anomalies
  • Alerting infrastructure integrated with Telegram (and soon Slack)

Below is a summary of our detection and alert system:

Component | Function
--- | ---
Backend Engine | Ingests governance data, tracks activity, and flags anomalies
Governance Dashboard | Displays metrics and highlights suspicious behaviors or changes
Notification Bot | Sends real-time alerts via Telegram; Slack integration in progress
Custom Alert Rules | Flags whale voting, unusual delegation changes, high-impact proposals
Private Alert Option | Supports confidential workflows for critical alerts to pre-defined contacts

We monitor for:

  • Whale voting or rapid shifts in delegation power
  • Abnormal proposal patterns (e.g., high-impact changes introduced in quiet periods)
  • Sudden changes to governance parameters or roles

For critical alerts, we are able to set up private workflows to notify key Compound stakeholders directly. We are open to working with the Compound community to define appropriate escalation contacts and preferred channels.

Section 4: Commercial Terms and Commitment

4a) Budget Request and Pricing Model:

This proposal has been formally submitted to the Compound Foundation via email. We remain available for any follow-up and are committed to supporting Compound with high-quality governance security work.

For additional information, please contact:

Alex Netto, ED | Email: alex@blockful.io | Telegram: @alextnetto

4b) Milestones and Performance Metrics:

We apply a structured service-level agreement (SLA) model for governance security reviews, with a focus on validating executable proposals to prevent execution errors or malicious actions. Our reviews ensure that calldata matches the intent of the proposal and executes as expected, helping delegates vote with greater confidence.

SLA Commitments

  • Initial response: Timeline for review delivery is defined within 3 business days of proposal tagging
  • Review timeline: Between 1 business day and 2 weeks, depending on the complexity of the calldata and familiarity with the underlying contracts
  • Two-stage review process:
    • Stage 1: When the executable proposal is posted to the governance forum
    • Stage 2: Final verification once the proposal goes on-chain, serving as a critical checkpoint
  • Output:
    • Functional validation through simulated execution
    • Clear technical summaries to support non-technical stakeholders in understanding what will be executed

KPIs

KPI | Target
--- | ---
Executable proposals reviewed within SLA | 100% per quarter
Governance call participation | 100% of calls involving active proposals or risk topics
Quarterly governance security updates | 1 report per quarter
Public analysis of proposal calldata | All tagged proposals with calldata provided or supplemented
Outcome-based goal | Zero critical execution errors post-verification

These metrics are designed to provide measurable value to the Compound community by supporting safe, transparent, and error-free execution of governance decisions.

4c) Conflict of Interest Declaration:

At blockful, we are committed to transparency and integrity in all our actions. While we actively participate in various ecosystems, we currently see no conflicts of interest that impact our work. We remain vigilant and will disclose any potential conflicts should they arise. Our priority is to ensure that our contributions align with the best interests of the Web3 community and the ecosystems we support.

4d) Transition and Offboarding Plan:

We acknowledge the DAO’s right to terminate the agreement with a 60-day notice and will fully cooperate in any offboarding process.

To ensure continuity and ease of transition to a new provider, we commit to:

  • Open documentation of all internal processes related to CallData review and notification logic
  • Sharing review history (public reports, tags, and summaries) in a clear and organized format
  • Maintaining all tooling and infrastructure in accessible repositories (where possible, open source or under DAO control)
  • Providing a structured handoff document detailing ongoing efforts, pending reviews, and key system dependencies
  • Offering a live walkthrough with the incoming team, if requested, to explain workflows and operational practices

Our goal is to preserve institutional memory and minimize disruption to Compound’s governance security processes, even in the event of a provider change.

Section 5: Service Level Expectations (SLA)

5a) Incident Response:

We provide incident response specifically for governance-related risks, such as calldata manipulation, abnormal delegation shifts, or proposal anomalies. Alerts are triggered by our monitoring stack and relayed via Telegram (Slack coming soon). Response time for critical alerts is typically within 15–30 minutes during working hours. For executable proposals, our calldata review acts as a final checkpoint before on-chain execution.

We do not respond to protocol-level incidents or perform smart contract code audits. Our scope is strictly limited to governance-related monitoring, analysis, and response.

5b) vCISO Support:

We offer on-demand advisory support for governance-related matters, with a response time of within one business day. This includes strategic input on proposal design and governance risk assessment.

We are available for monthly check-ins or briefings, and can adjust cadence based on DAO preferences. Primary and backup contacts can be designated in coordination with the Compound team during onboarding.

5c) Governance Proposal Reviews:

This is our core service.

  • Initial response: within 3 business days of tagging

  • Review delivery: 1 business day to 2 weeks, based on complexity

  • Urgent proposals: can be prioritized

  • Output: technical calldata review, simulation results, and delegate-facing summaries

    We follow a two-stage review process: forum-level and final on-chain check.

5d) Code Audits:

N/A

Final Considerations

Compound has already experienced how real and dangerous a governance attack is. Addressing this risk properly takes extremely specific knowledge and tools, in which we have experience and a track record.

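As an added illustration of the Functional Analysis step in the calldata review process described in the post above (this is example code, not blockful's dao-proposals tooling), the following Python decodes one Governor Bravo-style proposal action and compares it against the reviewer's reading of the proposal text. The Comptroller and cToken addresses and the 75% vs 80% collateral factor are constructed; `_setCollateralFactor(address,uint256)` is assumed to be the Compound v2 Comptroller admin function.

```python
"""Stage 1 calldata review for one Governor Bravo-style proposal action.

Added example, not blockful's dao-proposals tooling. A Bravo action is
(target, value, signature, calldata); the calldata holds the ABI-encoded
arguments without the 4-byte selector, so a reviewer can decode it from the
signature alone. Only static types (address, uintN) are decoded here; anything
else is rejected rather than guessed, and a malformed word is itself a finding.
"""
import re

WORD = 32
SIG_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_signature(signature):
    """Split 'name(type1,type2)' into (name, [types])."""
    m = SIG_RE.match(signature)
    if not m:
        raise ValueError(f"malformed signature: {signature!r}")
    params = m.group(2)
    types = [t.strip() for t in params.split(",")] if params else []
    return m.group(1), types


def decode_word(typ, word):
    """Strictly decode one 32-byte ABI word of a static type."""
    if typ == "address":
        if any(word[:12]):  # padding must be zero; dirty bytes hide intent
            raise ValueError("address word has non-zero upper bytes")
        return "0x" + word[12:].hex()
    m = re.fullmatch(r"uint(\d*)", typ)
    if m:
        bits = int(m.group(1) or 256)
        n = int.from_bytes(word, "big")
        if n >= 1 << bits:
            raise ValueError(f"value does not fit in {typ}")
        return n
    raise ValueError(f"unsupported (dynamic or unknown) type: {typ}")


def decode_action(signature, calldata):
    """Return (function name, [decoded args]) for a Bravo action's calldata."""
    name, types = parse_signature(signature)
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if len(data) != WORD * len(types):
        raise ValueError(f"calldata is {len(data)} bytes, expected {WORD * len(types)}")
    args = [decode_word(t, data[i * WORD:(i + 1) * WORD]) for i, t in enumerate(types)]
    return name, args


def review_action(action, intent):
    """Compare a decoded action with the proposal text; an empty list means it matches."""
    try:
        name, args = decode_action(action["signature"], action["calldata"])
    except ValueError as exc:
        return [f"undecodable calldata: {exc}"]
    findings = []
    if action["target"].lower() != intent["target"].lower():
        findings.append(f"target {action['target']} != expected {intent['target']}")
    if name != intent["function"]:
        findings.append(f"function {name} != expected {intent['function']}")
    if action.get("value", 0) != intent.get("value", 0):
        findings.append(f"ETH value {action.get('value', 0)} != expected {intent.get('value', 0)}")
    if len(args) != len(intent["args"]):
        findings.append(f"{len(args)} args decoded, proposal text describes {len(intent['args'])}")
    for i, (got, want) in enumerate(zip(args, intent["args"])):
        if str(got).lower() != str(want).lower():
            findings.append(f"arg {i}: calldata has {got}, proposal text says {want}")
    return findings


# Helpers to build sample calldata the way it would appear in a forum post.
def word_from_address(addr):
    return addr[2:].lower().rjust(64, "0")


def word_from_uint(n):
    return f"{n:064x}"


# Constructed addresses; the real Comptroller/cToken addresses come from Compound's docs.
COMPTROLLER = "0x" + "11" * 20
CTOKEN = "0x" + "22" * 20

# Constructed action: the forum text says "raise the collateral factor to 75%",
# but the encoded calldata carries 0.80e18 (an 80% collateral factor).
SAMPLE_ACTION = {
    "target": COMPTROLLER,
    "value": 0,
    "signature": "_setCollateralFactor(address,uint256)",
    "calldata": "0x" + word_from_address(CTOKEN) + word_from_uint(800_000_000_000_000_000),
}
SAMPLE_INTENT = {
    "target": COMPTROLLER,
    "function": "_setCollateralFactor",
    "args": [CTOKEN, 750_000_000_000_000_000],
}

if __name__ == "__main__":
    for line in review_action(SAMPLE_ACTION, SAMPLE_INTENT) or ["no findings"]:
        print(line)
```

The mismatch is reported as a finding for the Stage 1 report; the same check rerun against the queued on-chain proposal is the Stage 2 verification.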

zeroShadow Monitoring & Incident Response

zeroShadow will deliver 24/7/365 security operations and Incident Response for Compound—fully embedded within any monitoring platform’s detection layer to turn alerts into immediate, expert-driven action. We don’t just monitor; we investigate, triage, and respond in real time.

From smart contract exploits and governance attacks to phishing and multisig compromises, our team has helped recover over $250M across major incidents. With zeroShadow, Compound gains a deeply integrated vSOC and a round-the-clock response team built specifically for high-stakes security.

As Compound enters a new era for decentralized finance, zeroShadow is committed to providing the expertise and operational support necessary to strengthen security, manage risk, and enable confident growth. We continuously adapt our services to evolving threats, ensuring your security operations keep pace with Compound’s innovation and scale.

Virtual Security Operations Center

zeroShadow’s Virtual Security Operations Center (vSOC) is deeply embedded within any monitoring detection platform—not just consuming alerts, but actively shaping, customizing, and tuning them to Compound’s specific architecture.
We don’t just leverage a monitoring platform—we operate within it, with full access to your environment and the agility to continuously evolve detection logic and alerting rules as Compound’s needs grow and change. We’ll:

  • Configure and optimize all detection logic
  • Validate alerts in real time, decompile them, and reduce noise
  • Script invariant checks and monitoring rules
  • Integrate external RPCs and data sources to improve signal fidelity
  • Rapidly incorporate new attack vectors as they emerge

This model ensures every alert is meaningful, actionable, and escalated correctly—forming a closed-loop system that connects detection with expert-driven response.

By embedding directly within your monitoring stack, zeroShadow delivers high-impact security operations without requiring the Compound DAO to build or staff a dedicated internal team. This approach provides a more cost-effective, battle-tested alternative to building and managing these capabilities in-house—while maintaining flexibility, customization, and deep protocol context.

Example Use Cases:

  • Liquidation Invariant Enforcement: Detect if actual liquidation proceeds deviate from the configured incentive (e.g., 5-8%), or if the incentive is modified unexpectedly

  • Governance Concentration: Monitor for abnormal delegation spikes or consolidation of governance power

  • Protocol Health: Track TVL volatility, interest rate parameter shifts, or liquidity outliers across cToken pools

  • Context-aware Correlation: Monitor off-chain events (e.g., fiat instability, exchange halts, depegs) that may cause sudden on-chain behavior shifts within Compound, helping to pre-empt liquidity or governance risk

Incident Response

zeroShadow’s 24/7/365 incident response team is battle-tested, having helped recover over $250 million in stolen funds across major events and clients like ByBit and WazirX.

Our incident response approach is grounded in a rigorous risk management framework that ensures critical issues receive immediate, focused attention while lower-severity findings are appropriately managed without disrupting ongoing operations.

We prioritize rapid triage and classification to assess the scope, severity, and potential impact of each alert or event. This enables us to quickly decide when to escalate and temporarily pause other activities to address high-risk threats—such as active exploits or governance takeovers—while continuing routine monitoring for less urgent concerns.

Throughout this process, we will closely collaborate with Compound’s team to ensure alignment on priorities and risk tolerance. Our response team brings access to specialized expertise as needed, supporting the design and implementation of tailored mitigation strategies that balance security, operational continuity, and governance requirements.

This adaptive prioritization model helps Compound maintain robust security without unnecessary disruptions—delivering the right focus at the right time.

Included Services

  • Global team of elite blockchain investigators with rapid 24/7/365 support for:
    • Smart contract exploits, frontend phishing and impersonation, governance takeovers, compromised multisigs, suspicious transactions, and more.
  • Our vSOC and Incident Response guarantees a 15-minute acknowledgment SLA, with actionable guidance typically provided well within our 3-hour response window. Alerts trigger immediate notifications via PagerDuty, Slack, Telegram, and email—ensuring no time is lost in mobilizing the right response.

Proactive Preparedness and Cost Efficiency

Beyond rapid response, zeroShadow runs tabletop exercises with your team—simulated attacks that test and improve your incident management plan. These drills boost readiness, coordination, and speed during real incidents.

Security breaches can be costly financially and reputationally. Having a crisis management framework and expert investigators on call to respond and trace funds in real time is far more cost-effective than reacting after an incident or building an in-house team under pressure.

This proactive approach helps Compound minimize losses, reduce downtime, and maintain stakeholder trust.

Total Cost: $250K / YR

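Both the blockful post ("whale voting or rapid shifts in delegation power") and the zeroShadow post ("Governance Concentration: abnormal delegation spikes") describe the same detection idea without showing a rule. The following Python is an added example of such a rule, not either provider's tooling: it scans constructed COMP DelegateVotesChanged-style events and alerts on threshold crossings, staged accumulation inside a sliding block window, and gaps in the event feed. The thresholds and window are assumptions; a live rule would read proposalThreshold and quorumVotes from the Governor.

```python
"""Governance-concentration detector over DelegateVotesChanged-style events.

Added example, not blockful's or zeroShadow's tooling. Events and thresholds
are constructed; a production rule would read the Governor's live parameters
and consume events from an indexer or RPC subscription.
"""
from collections import defaultdict, deque, namedtuple

Alert = namedtuple("Alert", "kind delegate block detail")

# Constructed parameters (units: whole COMP; blocks).
PROPOSAL_THRESHOLD = 25_000   # enough voting power to submit a proposal
QUORUM_VOTES = 400_000        # enough to carry a vote alone if others stay home
WINDOW_BLOCKS = 7_200         # roughly one day of blocks
RAPID_GAIN = 100_000          # net gain inside the window that warrants a look


def detect_concentration(events, thresholds=(PROPOSAL_THRESHOLD, QUORUM_VOTES)):
    """Scan events in block order and return a list of Alert records.

    Each event is {"block", "delegate", "previous", "new"} in whole COMP,
    mirroring DelegateVotesChanged(delegate, previousBalance, newBalance).
    """
    alerts = []
    power = {}                   # delegate -> last known voting power
    recent = defaultdict(deque)  # delegate -> deque of (block, delta) in window
    for ev in sorted(events, key=lambda e: (e["block"], e.get("index", 0))):
        d, blk, prev, new = ev["delegate"], ev["block"], ev["previous"], ev["new"]
        # previousBalance must match what we last saw; otherwise the feed
        # skipped events (reorg, RPC gap) and every later number is suspect.
        if d in power and power[d] != prev:
            alerts.append(Alert("feed_gap", d, blk, f"tracked {power[d]}, event says {prev}"))
        power[d] = new
        # Crossing a governance threshold upward is always worth an alert.
        for limit in thresholds:
            if prev < limit <= new:
                alerts.append(Alert("threshold_crossed", d, blk, limit))
        # Net gain over a sliding window catches staged accumulation that
        # no single event would reveal.
        q = recent[d]
        q.append((blk, new - prev))
        while q and q[0][0] <= blk - WINDOW_BLOCKS:
            q.popleft()
        gain = sum(delta for _, delta in q)
        if gain >= RAPID_GAIN:
            alerts.append(Alert("rapid_gain", d, blk, gain))
    return alerts


def top_delegates(events, n=3):
    """Final voting power per delegate, largest first, for a dashboard view."""
    power = {}
    for ev in sorted(events, key=lambda e: e["block"]):
        power[ev["delegate"]] = ev["new"]
    return sorted(power.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample feed (delegate letters stand in for addresses).
SAMPLE_EVENTS = [
    {"block": 100,    "delegate": "A", "previous": 0,       "new": 30_000},
    {"block": 200,    "delegate": "B", "previous": 0,       "new": 250_000},
    {"block": 300,    "delegate": "C", "previous": 0,       "new": 90_000},
    {"block": 5_000,  "delegate": "B", "previous": 250_000, "new": 410_000},
    {"block": 9_000,  "delegate": "C", "previous": 90_000,  "new": 95_000},
    {"block": 20_000, "delegate": "A", "previous": 31_000,  "new": 35_000},  # feed gap: we saw 30_000
]

if __name__ == "__main__":
    for alert in detect_concentration(SAMPLE_EVENTS):
        print(alert)
    print(top_delegates(SAMPLE_EVENTS))
```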