Zokyo Ongoing Comprehensive Audit and Security Services 3-months Plan

Summary

The security of Compound requires an extensive and continuous approach to ensure the implementation of security solutions that protect the protocol.

Zokyo will perform an ongoing comprehensive security service for Compound, focusing primarily on deep manual analysis and reviewing the code for syntactical, semantic, and logical errors. Following the manual and static analysis against Zokyo’s proprietary set of known issues and vulnerabilities, the Zokyo team will include pentesting of the Compound frontend and a smart contract audit with fuzz testing.

Zokyo will dedicate a team of 3 (three) Senior Security Engineers, including the Senior Lead CyberSecurity Engineer. Zokyo will ensure smooth communication, provided by the Project Manager and the Senior Lead CyberSecurity Engineer, at each stage of the implementation of security solutions. Zokyo will provide marketing support, involving the in-house Marketing Manager to manage the expectations of the Compound community.

Some of the focus areas of the Zokyo security team, aimed at improving the overall process and ensuring the security of the Compound protocol, may include, but are not limited to, the following:

  • Review of Economic Risks: assessment of the protocol’s economic model to identify and mitigate any financial risks that could impact the protocol’s stability and security.
  • Proof of Correctness for Complex Math: rigorous proof of correctness for complex mathematical functions and algorithms to ensure they operate as intended and are free of errors.
  • Reviewing all available documentation and business logic of the Compound protocol infrastructure.
  • Performing manual code reviews for syntactical, semantic, and logical errors.
  • Conducting static analysis to identify known issues and vulnerabilities.
  • Performing unit testing using a suite of tools that include both open-source and closed-source solutions.
  • Writing and executing new tests to verify the desired behavior of the code.
  • Conducting fuzz testing to uncover unknown issues or vulnerabilities.
  • Developing a comprehensive suite of unit tests from scratch to achieve over 95% coverage of testable code.
  • Providing recommendations for suggested modifications to be implemented.
  • Reviewing remediated and implemented changes.
  • Preparing detailed reports.
  • Conducting re-audits, re-running tests, and reviewing updated code reviews.
  • Completing the penetration testing of the Compound frontend.
  • Consulting on auditors’ recommendations.

The proposed continuous collaboration of the Zokyo team with the Compound team will result in a reduction of potential security risks, further enhancing the protocol’s trusted reputation.

Timeline: 3 months
Proposed commencement date: Immediate

The Services are provided for a total fixed fee of 375,000 USD (United States Dollars Three Hundred Seventy-Five Thousand). This fee covers all services defined in the proposal.

Payment plan: the equivalent of 375,000 USD (United States Dollars Three Hundred Seventy-Five Thousand) is paid in COMP tokens before the start of provision of services by Zokyo.

Full Zokyo Ongoing Comprehensive Audit and Security Services 3-months Plan

The world’s leading founders and developers trust Zokyo to keep their smart contracts and digital systems secure and reliable. The Zokyo team has ensured the safety of many notable web3 projects and protocols, including LayerZero, Filecoin, LimitBreak, Shido, 1inch and more, by leveraging white-hat hacking and cryptography to secure over $200 billion in digital assets.

Zokyo is delighted to collaborate with Compound on strengthening the security system of the protocol.


Thanks for sharing your proposal! One practical feedback item I would raise is that the auto-renewal for 9 months in this plan is unenforceable as part of the on-chain proposal and would also represent a significant departure from how Compound has historically engaged with new service providers. I imagine it would be difficult for this kind of proposal to pass without a fixed-term trial period that does not carry an expectation of auto-renewal with it. I would encourage Zokyo to consider revising the terms accordingly.

Thank you for the suggestion, @allthecolors. It makes a lot of sense. We have reviewed and updated the terms in the full proposal accordingly by setting a 3-month fixed-term trial period with no auto-renewal. That’s exactly what the summary of the proposal refers to.