Compound

Executed · Ended 2 years ago · Onchain

Add Proposal Guardian to Governor Bravo

By 0x3FB1...2d4C8A

Summary

We propose to seek implementation of the community multisig to be used as a guardian for Compound Governance. The goal of this Proposal Guardian is to act as a last defense against any malicious governance votes in the future. Additionally, we propose a few future changes to the Compound Governor contract to be more robust in the future.

Proposal Guardian

The Proposal Guardian would initially consist of the Community Multi-sig (0xbbf3f1421D886E9b2c5D716B5192aC998af2012c), a 4/8 multi-sig composed of trusted Compound DAO community members (here) which has been functioning as the Pause Guardian for the majority of Compound’s existence. This Proposal Guardian role should only be able to veto a proposal that has passed a majority vote and is awaiting execution. We have established this set of rules for when the Proposal Guardian is able to choose to move forward with a veto:

  1. Users’ funds deposited into the protocol might be infringed or at risk by a proposal passing
  2. If a vote has been controlled by a single entity or a proposal will result in a single entity taking effective control of the DAO
  3. When necessary to coordinate pausing protocol functionality during urgent security emergencies to protect the protocol and user funds.
  4. Serious considerations will be made when votes having received at least 400K “NO” votes still pass.

Update: Based on community feedback, the Proposal Guardian role will automatically expire to ensure that the Community Multi-sig cannot use its veto power to remain in-place indefinitely. The initial expiration period will be set to 6 months and require another governance proposal to renew. The additional changes are currently underway and will be ready to share and include in the on-chain proposal and forum post by this Friday.

Technical Implementation

@Arr00 has completed technical work and OpenZeppelin has reviewed the changes to implement the Guardian changes in PR16. It introduces a new proposalGuardian role that can call the cancel function on any proposal and a _setProposalGuardian function to set the role. The PR also includes simulation tests to ensure the changes work as expected on-chain. Please note that the compound-governance repo being used as the base for this upgrade was previously audited by OpenZeppelin as a new source for Compound governance with dedicated testing and coverage. It also introduces the ability to vote with reason and propose by signature.

Timeline

Given the nature and sensitivity of this proposal, we will be moving forward in an accelerated timeline. The proposal will be discussed on the Community Call this week on Aug 7th and shared privately with all major identified delegates to collect final feedback. The proposal will then be published on the forums and submitted on-chain Friday, Aug 9th so that voting can begin early next week.

Future

A full “Constitution” regarding when to get involved in veto votes will be drafted in the near future. Coupled with a concurrent new delegate race to get more Compound delegated and active in governance to trusted members of the DAO, this should set a new foundation for a more secure and active Compound governance! Additionally, we propose exploring additional changes to Compound Governance to improve security and coordination in the future:

  • Upgrade Compound Governor Bravo to use OpenZeppelin Governor that has more gas efficiency, security features and optional extensions. There is already a CGP grant by ScopeLift working on delivering this.
  • Late Quorum Voting Period: If last minute votes change the outcome of a vote, additional time will be added on to the voting period to allow for more delegates to review and finalize decisions. A Late Quorum Prevention extension is already available in OpenZeppelin Governor.
  • Adaptable Voting Quorum: Quorum can increase based on the amount of delegated COMP once a proposal shifts from “review --> voting”. If not technically feasible to automate on-chain, this could also be achieved by regularly adjusting the quorum threshold based on the current number of delegated COMP.
  • Delegation Rights for COMP Staking Product: Ensure that the Compound Staking Product proposed by the Compound Growth Program preserves delegation rights and helps to further align COMP token holder incentives with responsible governance participation. This is already referenced as a requirement in the recent Staked COMP Design forum post.

Compound Governance Proposal Guardian Audit

OpenZeppelin, in its role as Security Partner to the Compound DAO, audited the changes to include a Proposal Guardian into the Governance contracts proposed by @PGov and developed by @arr00.

Summary:

Aug 7th - Aug 9, 2024
Total Issues: 2 (1 resolved)
Notes & Additional Information: 1 (1 resolved)

Scope

We audited the compound-governance repository at commit e3b36ad with a focus on the differences since our last audit. After the initial report, we were asked to also audit the updates to the repository at commit 84dff8d, introducing expiration for the proposalGuardian. In scope were the following files:

contracts
├── GovernorBravoDelegate.sol
└── GovernorBravoInterfaces.sol

System Overview

Compound Governance is the main protocol used by holders and delegates of COMP to govern Compound II and III. It gives them the power to propose, vote, and implement changes to both active Compound protocols. The governance system has control over several systems across the protocol such as each proxy, the Configurator, Comet factory, and Comet. When a proposal to update any system parameters succeeds, the Timelock will call all of the relevant methods on the Configurator contract. For Compound III this process is followed by invoking the deployAndUpgradeTo method on the CometProxyAdmin contract, which then points to the new implementation upon execution.

In this audit, we focused on the new role of the proposalGuardian and the modifications made to the logic of the cancel function. The holder of this role will be allowed to cancel any proposal as if they were the proposer themselves. Apart from this update, no other significant alterations were made to the cancel function that would impact its execution.

In the second part of the audit, our focus remained on the proposalGuardian role, specifically examining the new logic introduced in the _setProposalGuardian function. This modification allows the guardian’s role to have an expiration, enabling a time-limited tenure for this position.

Security Model and Trust Assumptions

The addition of a proposalGuardian with the power to cancel any proposal that has not yet been executed introduces important security considerations and trust assumptions that must be addressed to maintain the integrity of Compound’s governance. To prevent misuse of this veto power and ensure the robustness of the protocol, the proposalGuardian must be a trusted entity without centralized control. It is assumed that the proposalGuardian will be a reputable and accountable entity managed by a multisig of trusted community members, to distribute veto power and reduce the risk of malicious actions, such as canceling proposals beneficial to Compound, not vetoing dangerous proposals for the protocol, or vetoing proposals to change the proposalGuardian. Ensuring the proposalGuardian is correctly configured during deployment, regularly monitored, and assigned a strict expiration is crucial for maintaining its effectiveness. Active community engagement and oversight are essential to ensure that the proposalGuardian aligns with the DAO’s goals and acts in the community’s best interests. This engagement allows the community to flag any misuse of power, enabling the DAO to propose replacing the proposalGuardian if necessary. It is worth noting that proposals to transfer the role to another account, while the current role is still active, can be vetoed by the current proposalGuardian.

Low Severity

_setProposalGuardian Should Limit the Expiry

Currently, _setProposalGuardian places no restriction on how long a proposalGuardian can hold the role. If the proposalGuardian were ever compromised while able to hold the role for the next 2 years, it would be able to veto all proposals until those 2 years are up. Although the proposalGuardian is set by governance to a trusted multisig, we believe it would be more secure to validate that the expiry is within reasonable limits, including that the expiration is in the future. Consider adding a restriction to _setProposalGuardian that checks that newProposalGuardian.expiration is in the future and within reasonable limits, for example less than or equal to 6 months.

Update: Acknowledged, not resolved. @cylon stated:

This is a reasonable change but given the time sensitivity of getting this upgrade completed, I think it's better to proceed without addressing it. The proposal performing this upgrade will be setting the initial timestamp expiry and can be scrutinized by governance to ensure it is no longer than 6 months and is set in the future. This issue can then be addressed in the code itself by the upgrade to OpenZeppelin Governor by the ScopeLift team.
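
The bound recommended in this finding, sketched as an added example; it is not code from the compound-governance repository or from the audit. Only proposalGuardian, _setProposalGuardian and the expiration field are named on this page; the account field, the admin stand-in for the Timelock, the 180-day constant and the error names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration, not the compound-governance source.
contract GuardianExpirySketch {
    struct ProposalGuardian {
        address account;    // assumed field name
        uint96 expiration;  // unix timestamp at which the role lapses
    }

    // Assumed cap, taken from the audit's "less than or equal to 6 months".
    uint256 public constant MAX_GUARDIAN_TENURE = 180 days;

    address public immutable admin; // stand-in for the governance Timelock (assumption)
    ProposalGuardian public proposalGuardian;

    error NotAdmin();
    error ExpirationNotInFuture(uint256 expiration, uint256 currentTime);
    error ExpirationTooFar(uint256 expiration, uint256 latestAllowed);

    event ProposalGuardianSet(address indexed account, uint96 expiration);

    constructor(address admin_) {
        admin = admin_;
    }

    function _setProposalGuardian(ProposalGuardian memory newProposalGuardian) external {
        if (msg.sender != admin) revert NotAdmin();

        uint256 expiration = newProposalGuardian.expiration;
        // Reject an expiry that is already past: the role would never be usable.
        if (expiration <= block.timestamp) {
            revert ExpirationNotInFuture(expiration, block.timestamp);
        }
        // Reject an expiry beyond the cap, so a compromised guardian cannot
        // keep veto power for longer than one bounded term.
        uint256 latestAllowed = block.timestamp + MAX_GUARDIAN_TENURE;
        if (expiration > latestAllowed) {
            revert ExpirationTooFar(expiration, latestAllowed);
        }

        proposalGuardian = newProposalGuardian;
        emit ProposalGuardianSet(newProposalGuardian.account, newProposalGuardian.expiration);
    }
}
```

With the check in the contract, a proposal that sets an out-of-range expiry reverts at execution instead of depending on reviewers catching it during the vote.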

Notes & Additional Information

Incomplete Function Documentation and Comments

The function cancel has been updated to allow cancellation of yet-to-be-executed proposals under the following conditions:

  • the sender is the proposal.proposer
  • the sender is the proposalGuardian
  • the proposal.proposer is not whitelisted and the proposer votes are below the proposalThreshold
  • the proposal.proposer is whitelisted, the proposer votes are below the proposalThreshold and the sender is the whitelistGuardian

However, the function’s notice docstring, as well as the inline comments, are not updated to reflect the introduction of a proposalGuardian. We recommend the following updates:

  1. notice docstring: Update the notice docstring to include that the function cancels a proposal if the sender is the proposer or the proposalGuardian.
  2. Line 382 Comment: Update the comment on line 382 to highlight that the proposalGuardian can cancel any proposal.
  3. Line 389 Comment: Update the comment on line 389 to explicitly state that only the whitelistGuardian can cancel a proposal by a whitelisted proposer if it falls below the proposal threshold.

Update: Resolved in commit 8340937.
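
The four caller conditions listed above, written as one documented predicate. This is an added example, not the audited cancel function: the Context struct, its field names and the inclusive expiry comparison are hypothetical, chosen so the check can be exercised without any governor storage.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of the caller checks described in the audit note.
library CancelAuthSketch {
    struct Context {
        address proposer;           // proposal.proposer
        address proposalGuardian;   // holder of the new role
        uint256 guardianExpiration; // unix time at which that role lapses
        address whitelistGuardian;
        bool proposerWhitelisted;
        uint256 proposerVotes;      // proposer's current voting power
        uint256 proposalThreshold;
        bool executed;              // executed proposals cannot be cancelled
    }

    /// @notice True when `sender` may cancel the proposal described by `c`:
    ///         the proposer, the unexpired proposalGuardian, anyone once a
    ///         non-whitelisted proposer is below the threshold, or the
    ///         whitelistGuardian once a whitelisted proposer is below it.
    function canCancel(address sender, Context memory c, uint256 currentTime)
        internal
        pure
        returns (bool)
    {
        if (c.executed) return false;

        // The proposer can always withdraw their own proposal.
        if (sender == c.proposer) return true;

        // The proposalGuardian can cancel any proposal while the role is live
        // (inclusive comparison is an assumption).
        if (sender == c.proposalGuardian && currentTime <= c.guardianExpiration) {
            return true;
        }

        // Every other caller depends on the proposer being below the threshold.
        if (c.proposerVotes >= c.proposalThreshold) return false;

        // Below threshold: a whitelisted proposer can only be cancelled by the
        // whitelistGuardian; a non-whitelisted proposer by anyone.
        return !c.proposerWhitelisted || sender == c.whitelistGuardian;
    }
}
```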

Conclusion

The new addition of the proposal guardian to the Compound Governance contracts is minimally invasive and has been effectively implemented. However, this role carries substantial privileges, notably the ability to cancel proposals, including those that involve transferring the role itself to another account. Caution should be exercised in assigning this role and determining its duration. To bolster the long-term robustness and resilience of the protocol and to safeguard its decentralization, it is crucial to continue exploring more long-term solutions.

Votes: 38

Voter              Cast Power   Vote & Rationale
0x9AA8...62cCF1    361,006      FOR
0x7E95...171318    170,000      FOR
0x2210...cCd02E    91,027       FOR
0x683a...D26C02    90,066       FOR
0x8d07...e6A265    85,005       FOR

Proposal Status

  • Sat August 10 2024, 07:07 pm: Published Onchain (0x3FB1...2d4C8A)
  • Mon August 12 2024, 03:10 pm: Voting Period Starts
  • Thu August 15 2024, 09:10 am: End Voting Period
  • Thu August 15 2024, 09:12 am: Queue Proposal
  • Sat August 17 2024, 09:14 am: Execute Proposal

Current Results

  1. FOR: 1.399M (99.95%)
  2. ABSTAIN: 671.813 (0.05%)

Quorum: 1.399M/400,000