About the Compound System
Compound’s contracts implement an algorithmic, autonomous money market protocol that has been innovating in the lending space since its inception. The smart contract Solidity codebase is written in a clean and sophisticated way. From our experience, the Compound team invests a massive effort in proper system design before the code is even written, using a security-first approach. The R&D team includes some of the best engineers in the space
About Compound Security
The Compound team deploys several complementary techniques to improve code security:
- Various techniques for scenario-based testing and fuzzing have been implemented.
- The protocol engages with top auditing firms to review each code change.
- Starting in 2018, the Compound team has been working with Certora on formally verifying the code before it is deployed. Formal verification techniques have been used to secure hardware and safety-critical systems across various industries. The Certora Prover plugs into your normal development pipeline, and the formal verification process itself is useful for bug finding before and after manual auditing. In the process, Compound and the Certora teams wrote formal specifications of the code and used the Certora Prover to prove the rules mathematically. When the property does not hold, the Certora Prover generates a test case indicating a scenario in which the property is violated. This test case indicates a bug in the code or the property.
The theme of this proposal is making the tool available to the whole Compound community, including limited access to the source code. We want to allow everybody to have the same access to Prover as the Compound internal team and the Aave community.
By their very nature, complex systems are susceptible to bugs, and this remains true even of carefully planned and executed protocols like those authored by Compound. Bugs in Compound code and governance proposals have been a source of vulnerability for the protocol. For example, a bug in proposal 62 resulted in the distribution of extra COMP awards, and a bug in proposal 117 introduced a buggy oracle, causing the ETH markets to be paused.
Certora has developed a unique domain-specific language, the Certora Verification Language (CVL), for expressing high-level DeFi properties. Certora has also developed a unique product, the Certora Prover, which statically proves that smart contracts obey properties written in CVL. The Prover is integrated into CI/CD pipelines and allows a developer to ensure that changes to the code do not violate the specified properties. Notably, the Prover can perform these checks with every change to the code, both before and after manual audits. A whitepaper of the technology is available here.
We have been working with the Compound team almost since its inception. Originally, we formally verified the first Price Oracle implementation. Using the Certora Prover tool, we found a subtle bug after a third party audited the contract. The part that we did not verify, the MoneyMarket contract, was later found to contain a serious vulnerability in the liquidation function, potentially breaking the protocol’s solvency, allowing an attacker to steal money from the contract. Compound then asked us to help formally verify a sophisticated bugfix, which aimed to block potential exploits. We have written rules for that purpose, showing that no code paths can trigger the exploit.
Ten engineers wrote a total of 80 CVL rules for Compound Code. The rules are available in the following repos: CompoundV2, CompoundV2 Open Oracle and CompoundV3.
Since 2018, the tool has revealed critical issues in Compound Finance, allowing them to be addressed and preventing potential discovery and exploitation in the wild. These bugs are really hard to detect by humans. The Full reports of our past verification projects and findings are available for CompoundV3 and CompoundV2.
We propose to improve the security and agility of the Compound protocol in three ways:
(1) By granting access to the Certora Prover to anybody checking the Compound code. This includes accessing the Certora Prover’s source code under NDA.
(2) By allocating a team of 3 Certora security engineers for 12 weeks per annum to review code changes and propose new correctness rules.
(3) By creating a community of security researchers to review code changes and propose new correctness rules.
Every code change and governance proposal will be reviewed by both internal and external teams using the Certora prover to prevent bugs when the code is upgraded.
A similar service is currently active with Aave: twenty external researchers have contributed 380 rules defining security properties for Aave smart contracts. We prevented six critical bugs and wrote over 500 correctness rules.
Read more about the Aave verification community in the Secureum articles - Aave-Certora-Secureum: A DeFi Security Collaboration part 1 and part 2.
About Certora
Our technical team of over 90 employees comprises formal verification and static analysis experts, security engineers, and security researchers. Many have PhDs in their fields, decades of security experience, and a strong history of significantly increasing the security of the most significant protocols in DeFi, such as Aave, Balancer, Bancor, Compound, Euler, MakerDAO, OpenZeppelin, TrueFi, and others.
Services Provided by Certora
If this proposal is accepted, Certora will provide the following services:
- We will create a two-week online course on writing rules for the Compound Protocol. The course will be recorded and available to all developers.
- We will hold weekly office hours via Zoom for users working on Compound verification.
- We will release a tool for converting CVL rules to Foundry tests. This will allow using the CVL rules for unit testing and fuzzing with Foundry. The first version will support CVL invariants.
- We will engage with ChainSecurity, Code4rena, Sherlock, Macro, OpenZeppelin, Secureum, SigmaPrime and Spearbit to create a community of security researchers who will review changes to the Compound code and propose new rules. Certora will pay for the engagement with the community a total of $200,000 from the Certora budget.
- The Certora team will create a mirror git repository for the source code for the Certora Prover. Anybody in the Compound Community can get limited and revocable access to the repository, provided they sign the appropriate NDA. This addresses Compound’s concern about the availability of the Certora Prover code.
- We will allocate as many keys as needed to security researchers working on Compound. Certora will cover cloud computation time.
- We will allocate a team of three Certora security engineers to write rules for up to 12 weeks. Compound’s community will determine weeks. This team will review the code and community rules and suggest new rules.
- One of the challenges in formal verification is coming up with a good formal specification; therefore, we released an open-source tool called Gambit for mutation testing in Solidity code. This tool will be used to review specifications written by the community. We will apply this tool to check the coverage of the rules developed by the community and the Certora team.
Pricing
The proposed price for the project is $1.5M per annum. A termination of the agreement will be available through governance voting given a 30 days notice.
Payment method:
$1.0M USD/USDC vested linearly over one year, and $0.5M worth of COMP vested linearly over one year, with a 1-year cliff to show our long-term alignment with the community.
Price Breakdown:
Regular price for SaaS customers of the Certora Prover is $2M per year; The weekly price for professional services is $80K per week; therefore, the total price for such engagement would normally be $2.960M. We are giving a discount of $1.46M on this proposal. In addition, Certora will allocate $200K to incentivise independent security researchers to review contracts and write specifications. The incentive model for this program can be found here.