Security Solutions For Compound Governance
Summary:
Goal
Implement Security Solutions to prevent and mitigate loss of funds resulting from security risks introduced by community-proposed upgrades to the Compound protocol.
Problem
As evidenced in recent market events and specifically Proposal 62, governance upgrades can introduce new security risk vectors which could result in reputational damage to the protocol and possible loss of user funds. Security is a continuous effort and should therefore be seen and addressed from a holistic, continuous perspective.
Background
For the past two years, OpenZeppelin has worked formally and informally with Compound to perform 10+ security audits, develop a standardized version of GovernorAlpha and GovernorBravo contracts, introduce security best practices for safer governance systems, and develop bespoke threat detection agent scripts monitoring Compound.
As the community assumes greater responsibility for the protocol and the stakes become higher, Compound’s decentralized phase of growth demands comprehensive and continuous security processes to thrive.
Contributor grant
OpenZeppelin is requesting a streaming grant for the Security Solutions retainer fee to begin implementation of a comprehensive set of best-in-class Security Solutions throughout all stages of the Compound governance proposal lifecycle, the elements of which include:
- Protocol Security Officer to provide advisory services and recommendations on improvements to the governance process (specifically in the area of incident and emergency response)
- Security Training and tailored community support specifically designed to educate the community on security best practices and threats in the DeFi space related to the Compound protocol
- Continuous Audits of all new code introduced by governance proposals
- Continuous Threat Monitoring of the Compound Protocol
See full proposal and forum discussion
Starting March 30, 2022, and after further feedback from the community, OpenZeppelin will create an additional proposal to cover the performance fee payment in accordance with the formula outlined in the full proposal.
References
- Forum Discussion on reviewing large code changes: https://www.comp.xyz/t/more-rigorous-process-on-reviewing-large-code-changes-re-comp-bug-9-29-21/2326/2
- Patch for Proposal 63: https://www.comp.xyz/t/compound-proposal-63-temporary-patch-for-comp-distribution-bug-9-29-21/2327
Voter | Cast Power | Vote & Rationale |
---|---|---|
0xea6C...c13BF7 | 305,957 | AGAINST |
Robert Leshner | 105,030 | FOR |
gauntletgov.eth | 100,003 | ABSTAIN |
getty.gfxlabs.eth | 66,052 | AGAINST |
metagov.index-coop.eth | 50,280 | AGAINST |
Proposal Status
- Published Onchain: 0xE3e7...8e9Bda
- Sun November 21 2021, 04:15 pm: Voting Period Starts
- Wed November 24 2021, 06:51 pm: End Voting Period
- Queue Proposal
- Execute Proposal
Current Results
1. AGAINST: 580,247.4
2. FOR: 120,194.76
3. ABSTAIN: 100,003.42