Decentralized long-term security for Compound
Overview
We live in a new world where more and more projects are controlled by DAOs. Ensuring that safe choices are made is a major challenge, and DAOs have been exploring different approaches. According to current proposals, Compound would effectively outsource its security to a vendor who would take care of various security-related needs.
We believe that this approach is not the route to take. The chosen audit company would become a critical dependency for the protocol. The suggested solutions, with their opaque, quarterly, lump-sum payment for a mix of services, do not focus on the most effective tools. Hence, we would like to suggest a process that can leverage the strength of the security community. The main security challenge for a protocol like Compound is the growing complexity that needs to be taken into account with every change.
- Compound needs to ensure compatibility; failure to do so can have significant consequences.
- Integrations must not be affected by the proposed changes.
- As the Compound protocol grows, its contracts must still interact correctly.
Overall, we conclude that such systems exhibit quadratic complexity growth. To tackle this, we aim for scalability. Furthermore, we believe that security can best be ensured by a broad base of security providers. This prevents any form of vendor lock-in and conflicts of interest, while allowing the strengths of different providers to be combined.
Process in a Nutshell
With this proposal, Compound Governance will allocate the necessary funds to onboard two independent top-tier auditors at current market prices, assuming that each one of them provides the capacity to review 150% of the RFPs voted on in 2021, providing in total a capacity of 300% over the needs of 2021.
To ensure that Compound has competent code auditors at its disposal, the following process would be enacted:
- Compound Governance votes in several code reviewers each year to onboard into auditing through a paid training phase.
- Auditors apply to become wardens of Compound by providing:
  - An example of how a code review for the Comptroller and the cToken would be performed, detailing methods and time required.
  - The cost and number of hours reserved for Compound per quarter, which, if accepted, are guaranteed to be paid by Compound.
  - The expected compensation for the training phase.
- Onboarding code reviewers can also greatly benefit from the existing audit suite which contains many relevant attack scenarios.
- Any time reserved for Compound not spent on reviewing code or RFPs is used to improve this audit suite.
- Auditors who are selected by Governance and complete the training take shared ownership of the audit suite and collectively improve the coverage.
- Delivering good work in improving the Compound Audit Suite will likely be used to evaluate the quality of the auditor, which aligns interests long-term by increasing the likelihood of being voted in again next year.
The following process focuses on prevention and consists of 5 steps to be executed for each RFP:
- Early feedback during RFP stage with code reviewers adding security consideration paragraphs
- Perform thorough code review of newly developed code
- Develop an audit suite
- Leverage tool-based analysis where it is efficient to do so
- Perform the Proposal Verification
Benefits of the Audit Suite
Considering all the benefits explained in detail in the forum post, we believe that the audit suite can provide the necessary scalability by capturing a lot of the growing complexity. It requires an initial investment to build it up, but we consider it worthwhile.
Cost & Next Steps
For the first year, the total cost per auditor is expected not to exceed $1’370’000, which would cover 8 auditor-weeks of initial training ($170’000 one-time) and 24 auditor-days per month (quarterly fee of $300’000). This number of auditor-days will cover the needs of Compound if 150% of the capacity of 2021 is required. For administration and maintenance of the program, an independent service provider with expertise in project management and IT safety will be chosen by Compound Governance with a compensation of $80’000 / year.
To ensure that all of these services can be provided with high quality, ChainSecurity commits to provide an offer as one of the auditors not exceeding the caps mentioned above. We will also source at least one independent provider to maintain the program for consideration by Compound Governance and hand over control of the Gnosis Safe MultiSig to this provider once they are confirmed by Compound Governance.
The initial request will cover the initial training for two auditors ($340’000 in COMP) and a streaming grant to cover audit cost at the cap for two auditors and the project maintainer ($620’000 per quarter) at $200 / COMP and 6500 blocks/day. A proposal to adjust the streaming grant to align the COMP value with the value in USD will be made quarterly. Funds remaining in the MultiSig at the end of the year will be returned to Compound Governance.
Closing words
Our suggestion incentivizes broad participation from small to large security companies. Thereby, it broadens the base of experts in Compound and leverages proven techniques. Using the audit suite, we can aggregate the knowledge and insights from multiple audits (instead of only relying on the last audit) and thereby tackle the growing complexity. We believe that this provides a viable long-term solution. While even a single audit company chosen to shepherd the protocol could write such an audit suite, only having multiple companies that rely on each other to have covered critical parts of the system ensures that a public, high-quality audit suite gets created. It also allows every security provider to play to their strengths when contributing. Lastly, it allows a decentralized verification of proposals by any community member.
Reference
| Voter | Cast Power | Vote & Rationale |
|---|---|---|
| 0xA5dc...34d648 | 3,255 | AGAINST |
| 0x84E3...465a95 | 165 | AGAINST |
| 0xd2cb...71b9A9 | 99 | AGAINST |
| 0x66cD...B765F9 | 13 | AGAINST |
Proposal Status
- Published Onchain: 0xE660...B6B1F8
- Voting Period Starts: Wed December 15 2021, 06:09 pm
- End Voting Period: Sat December 18 2021, 07:21 pm
- Queue Proposal
- Execute Proposal
Current Results
1. AGAINST: 3,531.64
2. FOR: N/A Tokens
3. ABSTAIN: N/A Tokens
