Compound Finance is a permissionless lending protocol that “enables supplying of crypto assets as collateral in order to borrow the base asset” while allowing accounts to “earn interest by supplying the base asset to the protocol”. Compound is governed by a DAO in which COMP token holders vote on upgrades to the protocol, including security enhancements and partners. In September 2021, COMP had a market cap value of ~$2.3 billion.
Challenge
In September 2021, Compound was the victim of an exploit that resulted in a loss of ~$50 million worth of COMP. And so the challenges were clear:
- Improve the protocol’s security in order to regain user and community trust.
- Set a new standard for managing security processes within a DAO structure to reinforce Compound’s leading position and reputation.
Solution
Compound voted to select OpenZeppelin as its lead external security partner in December 2021. The proposal contained five industry-leading initiatives aimed at regaining and maintaining user trust.
Regaining Trust through Secure Code
The first three initiatives centered on ensuring that deployed code was rigorously tested and secured to a well-defined standard. Each is now an industry-standard security best practice.
- Improve the overall process of community-proposed upgrades to the Compound Protocol to ensure their security
- Provide continuous audits and dedicated resources to respond rapidly to all community-proposed upgrades and changes
- Coordinate the creation of documented security checklists and requirements that can be shared with all proposal authors
Next, the community wanted a layer of security beyond audits and process improvement. The challenge was: “How can we respond if the protocol is under a potentially successful attack?”
Maintaining Trust in Real-Time: Building and Operating an Incident Response Program
With the fourth and fifth initiatives, Compound would be among the first to set standards in post-deployment security.
- Implement an open security monitoring and security dashboard solution that will allow the community to validate security
- Integrate, support, and analyze other possible future important security program components such as formal verification, bug bounties, and white hat monitoring approved by the DAO.
Compound’s Incident Response Program
We focused on four primary areas: incident preparation policies, monitoring, technical response mechanisms, and simulations as shown in the process flow below.
Preparation: Security Policies
OpenZeppelin guided Compound during the creation of comprehensive security policies which document the various roles and responsibilities of Compound’s security stakeholders during any incident. These policies dictate how the incident response process is conducted and serve as a reference document for the multisig members to use when preparing for and responding to incidents.
Monitoring, Alerts, Automation
With guidance from OpenZeppelin, Compound deployed a robust monitoring suite that monitors for a variety of security, activity, and protocol health factors. Compound’s community receives instantaneous notification of any security events in the ecosystem via the Compound Discord. OpenZeppelin Defender is used for the monitoring, automation, and alerting infrastructure.
Left: Compound Discord monitoring channels | Right: Example alert from Compound security monitoring
Response Mechanisms
Compound has two primary response mechanisms that it can use during an incident. The first is function-level pausing, which allows the Pause Guardian to pause specific functionality, such as borrowing, to limit damage to the protocol and halt that functionality until a fix can be applied. The second mechanism is modifying protocol configurations, such as borrow limits, to contain the damage. These limits can only be updated through a governance proposal, as either a proactive or a reactive measure (subject to a 7-day waiting period), so they provide only limited support at the time of the incident.
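The following is an added illustration of the function-level pause pattern described above; it is example code, not Compound’s own contracts. It assumes two roles, a timelocked `governance` address and a `pauseGuardian`, one pause flag per sensitive function, and a governance-only `borrowCap` standing in for the protocol configuration limits:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative pausable lending pool (example code, not Compound's contracts).
/// Assumed roles: `governance` (slow, proposal-gated) and `pauseGuardian` (fast).
contract PausableLendingPool {
    address public governance;
    address public pauseGuardian;

    // One flag per function: the guardian can halt borrowing while
    // supplying keeps working, limiting the blast radius of a pause.
    bool public borrowPaused;
    bool public supplyPaused;

    uint256 public borrowCap;     // assumed config value, governance-only
    uint256 public totalBorrows;
    mapping(address => uint256) public supplied;
    mapping(address => uint256) public borrowed;

    event ActionPaused(string action, bool paused, address by);

    constructor(address _governance, address _pauseGuardian, uint256 _borrowCap) {
        governance = _governance;
        pauseGuardian = _pauseGuardian;
        borrowCap = _borrowCap;
    }

    // Pausing is the emergency path: guardian or governance may pause,
    // but only governance may unpause, so a guardian key alone cannot
    // silently re-enable a function that was halted during an incident.
    function _authorizePauseChange(bool paused) internal view {
        require(msg.sender == pauseGuardian || msg.sender == governance, "not authorized");
        require(paused || msg.sender == governance, "only governance can unpause");
    }

    function setBorrowPaused(bool paused) external {
        _authorizePauseChange(paused);
        borrowPaused = paused;
        emit ActionPaused("borrow", paused, msg.sender);
    }

    function setSupplyPaused(bool paused) external {
        _authorizePauseChange(paused);
        supplyPaused = paused;
        emit ActionPaused("supply", paused, msg.sender);
    }

    // Configuration changes take the slow path: governance only.
    function setBorrowCap(uint256 newCap) external {
        require(msg.sender == governance, "not governance");
        borrowCap = newCap;
    }

    function supply(uint256 amount) external {
        require(!supplyPaused, "supply paused");
        supplied[msg.sender] += amount;   // token transfer omitted for brevity
    }

    function borrow(uint256 amount) external {
        require(!borrowPaused, "borrow paused");
        require(totalBorrows + amount <= borrowCap, "borrow cap exceeded");
        require(borrowed[msg.sender] + amount <= supplied[msg.sender], "undercollateralized");
        borrowed[msg.sender] += amount;
        totalBorrows += amount;
    }
}
```

The asymmetry in `_authorizePauseChange` is the security-relevant point: a compromised or mistaken guardian can only make the protocol more conservative, while reopening a function requires the governance process.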
Simulations
To test incident response processes and capabilities, the SEAL Chaos Team conducted incident simulations with the Compound multisig members and their security partners. Simulations are critical for two reasons. First, technical response capabilities are stressed under realistic conditions identified during threat modeling exercises. Second, drilling under realistic circumstances identifies areas for improvement. Net-net, if a real incident occurs, tested systems are in place, and the team’s various roles, responsibilities, and processes are clear. A more detailed description and analysis of the exercise can be found here.
Results: No Loss of Funds since 2021
Today, both the Compound protocol and user assets are more secure. Compound has the knowledge, capabilities, and processes in place to minimize or even prevent loss of user funds.
- Processes, roles, and responsibilities for Compound’s multisig members are in place.
- Security monitoring is always on.
- Appropriate mechanisms are available for an on-chain response.
- Systems are tested and improved.
Compound is a model for the DeFi industry to follow. OpenZeppelin is proud to be Compound’s primary security partner. Valuable resources and more information about OpenZeppelin’s Incident Response services are on our website.