Streamlining Security Processes for Proposal Deployments

Simple Summary

OpenZeppelin proposes a new streamlined process to set clear expectations for the level of scrutiny that different proposals and deployments receive to improve turnaround time and maintain clear security processes.

Our audits over the past six months have been very exhaustive to assist in the onboarding of new development firms managed by Alpha Growth, but the extra time being spent is now less necessary given that these teams, especially WOOF!, have now performed several successful market deployments and have a stronger understanding of the Compound protocol.

We’ll be reprioritizing our audit backlog to focus primarily on New code and New chain deployments. We will be deprioritizing New market deployments on existing chains and new collateral listings that we believe do NOT require a review by OpenZeppelin to proceed to an on-chain vote. We will continue to monitor the on-chain proposals for issues to the best of our ability but will otherwise avoid being a blocker to any proposals that do not introduce new code or new chains. We will also increase our overall audit capacity if the audit backlog remains extended beyond a month.

Background

For over two years, OpenZeppelin has been the primary auditor for Compound DAO proposals. Our primary audit focus has always been to review new smart contract code introduced to upgrade or change the protocol, although we would occasionally step in to provide reviews of unorthodox assets and oracle providers and to prescribe processes to improve overall security. Much of our work here was done in coordination with Compound Labs, the CGP committee and occasional third-party developers such as Arr00. Our backlog was typically not longer than 1-2 months, with upgrades that were often non-urgent.

Starting in December of 2023, the Alpha Growth team was selected by the DAO to grow protocol TVL through a variety of activities that include new market deployments and asset listings. To accomplish this goal, they began working with third-party development firms including both WOOF! and Franklin DAO. Given the fact that these development firms were new to Compound and prior market deployments had only ever been performed by Compound Labs, we worked closely with their teams to provide security feedback and scrutinize everything related to the deployment, including the migration scripts and on-chain proposals.

While this level of scrutiny has led to the successful deployment of several new markets on Base, Optimism and Scroll, it has also meant long lead times to complete audits and a longer backlog, as the number of deployments has increased overall compared to the prior pace of new markets. Alpha Growth has recently raised concerns about the impact this has on their timelines to achieve their metrics, following the proposal to extend their work for a 12-month period. We understand their concerns and so have proposed the following process to accelerate deployment timelines while maintaining a high level of security assurance.

New Streamlined Process for Deployments

The types of proposal deployments that OpenZeppelin reviews can fall into the following categories:

  1. Smart contract upgrades and new code - New Solidity code written that will be used to upgrade the Compound protocol or otherwise introduce a production-level change to the protocol. This is our highest priority given that new bugs could be introduced through code changes.
  2. New chain deployments - The deployment of Compound to a new EVM chain. This often includes reviewing bridge adapters, deploying a new governance timelock and other contracts alongside an initial market deployment. Our security checks here focus on assessing EVM compatibility concerns on the new network, auditing any new code needed for the bridge integration and ensuring everything needed to operate Compound on a new chain is set up properly.
  3. New market deployments - A new Comet market deployment typically does not require any new code changes (except in specific cases such as USDT) but rather the deployment of a new Comet market with the right configurations and initial risk parameters.
  4. New collateral listing - A new collateral asset may be listed on any Comet market through a proposal after receiving a review from Gauntlet, who will prescribe initial risk parameters if the asset is not considered too risky. We have previously drafted a checklist for assessing the technical risks of integrating with new assets, but we consider security reviews of new assets to be optional and only recommended in cases where an asset type is new to Compound, such as the first LST/LRT listings.

For the past six months, we’ve been reviewing the majority of deployments generated by Alpha Growth’s development partners to ensure they will perform as expected and introduce no security issues. For example, we posted a review of the migration scripts for the new WETH market on Arbitrum and later reviewed the on-chain proposal to confirm it matched and simulated it to ensure it would execute successfully. We even raised some minor configuration issues for ENS that can be addressed in future proposals. However, as we recently discussed, this process is time-consuming and can hold up new deployments.

Going forward, we’ll be reprioritizing our audit backlog to focus primarily on New code and New chain deployments. This removes over half of the current items in our audit backlog and allows us to prioritize the more critical changes occurring on the protocol.

New market deployments on existing chains and new collateral listings will NOT require a review by the OpenZeppelin team to proceed to an on-chain vote. It’s important to note that this was never a firm requirement set by either OpenZeppelin or the DAO, but had become the effective operating policy during the onboarding process of these new development teams to Compound in early 2024. Given that these teams have now performed multiple successful market deployments, there is not as strong a need for OpenZeppelin to exhaustively review their deployments if they are not introducing new code or deploying to new chains. However, we will still be happy to review deployments upon request if Alpha Growth, WOOF!, or the community feel it holds a higher risk than normal deployments.

Despite these changes, OpenZeppelin will still do its best to review the payload of every proposal that is submitted on-chain to check for potential security issues. This is a process that we’ve become especially efficient at while we have also worked to provide more proposal QA tooling through our participation with grant projects such as Seatbelt that allow community members to better scrutinize proposal payloads for themselves. We expect that the proposal authors will assume the primary responsibility of ensuring their parameters and configuration steps are correct while we continue to do our best to monitor for potential issues and raise them as early as possible.

Additional Audit Capacity

With the implementation of this new streamlined process, we expect that the wait times for projects that still require an audit will be considerably reduced. However, if wait times for audit-ready projects remain backlogged beyond a month, OpenZeppelin will assign additional security researchers to supplement our existing audit team, which has been working full-time since the beginning of our partnership, so that two teams can audit multiple projects in parallel.

Our Request to the Community

As usual, we’d like to ask the community to always feel welcome to get involved and provide feedback. We ask for the following:

  1. Please weigh in on this new streamlined process and whether you agree with the new audit priorities we have set.
  2. Please vote in support of our upcoming compensation proposal to keep us working with the Compound community for the next year. We still have several audits planned for July and August and so ensuring a successful renewal will avoid disruptions to these deployment plans.
  3. Keep us informed of any protocol changes we might need to audit in the future and weigh in on our current priorities in the backlog.

As usual, feel free to share your feedback below or reach out directly to me on Discord, Telegram, or email:


OpenZeppelin, thank you for this. Your team has never failed Compound (or the entire industry in which we operate) and your innovative contributions continue to carry us all forward. As always, much appreciated.
