Compound Finance is a permissionless lending protocol that “enables supplying of crypto assets as collateral in order to borrow the base asset” while allowing accounts to “earn interest by supplying the base asset to the protocol”. Compound is governed by a DAO in which COMP token holders vote on upgrades to the protocol, including security enhancements and partners. In September 2021, COMP had a market cap value of ~$2.3 billion.
Challenge
In September 2021, Compound was the victim of an exploit that resulted in a loss of ~$50 million worth of COMP. And so the challenges were clear:
Solution
Compound voted to select OpenZeppelin as its lead external security partner in December 2021. The proposal contained five industry-leading initiatives aimed at regaining and maintaining user trust.
Regaining Trust through Secure Code
The first three initiatives centered on ensuring that deployed code was rigorously tested and secured to a well-defined standard. Each is now an industry-standard security best practice.
Next, the community wanted a layer of security beyond audits and process improvement. The challenge was: “How can we respond if the protocol is under a potentially successful attack?”
Maintaining Trust in Real-Time: Building and Operating an Incident Response Program
With the fourth and fifth initiatives, Compound would be among the first to set standards in post-deployment security.
We focused on four primary areas: incident preparation policies, monitoring, technical response mechanisms, and simulations as shown in the process flow below.
OpenZeppelin guided Compound during the creation of comprehensive security policies that document the roles and responsibilities of Compound’s security stakeholders during any incident. These policies dictate how the incident response process is conducted and serve as a reference document for the multisig members to use when preparing for and responding to incidents.
With guidance from OpenZeppelin, Compound deployed a robust monitoring suite that monitors for a variety of security, activity, and protocol health factors. Compound’s community receives instantaneous notification of any security events in the ecosystem via the Compound Discord. OpenZeppelin Defender is used for the monitoring, automation, and alerting infrastructure.
Compound has two primary response mechanisms that it can use during an incident. The first is function-level pausing, which allows the Pause Guardian to pause specific functionality, such as borrowing, to limit damage to the protocol and halt that functionality until a fix can be applied. The second mechanism is modifying protocol configuration, such as borrow limits, to limit damage to the protocol. These limits can only be updated through a governance proposal as a proactive or reactive measure (subject to a 7-day waiting period), so they provide limited support at the time of the incident.
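The two mechanisms above, function-level pausing by a guardian and governance-only configuration changes, are easiest to reason about in code. The following contract is an added illustration written for this page; it is not Compound's code and omits collateral accounting, interest and token transfers. The contract name, the `Action` enum, the `governance` and `pauseGuardian` addresses and the `borrowCap` field are all assumptions made here. One design choice worth noting: the guardian can only turn a pause on, and only governance can lift it, so a compromised guardian key can at worst freeze functionality, never re-enable it during an incident. The emitted `ActionPaused` and `BorrowCapUpdated` events are the kind of on-chain signal a monitoring suite like the one described above would alert on.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative sketch (not Compound's code): function-level pausing controlled
/// by a Pause Guardian, plus a borrow cap that only governance may change.
contract PausableLendingSketch {
    enum Action { Supply, Borrow, Transfer }

    address public governance;    // assumed: a timelock controlled by token holders
    address public pauseGuardian; // assumed: a multisig that may pause but not unpause

    mapping(Action => bool) public paused;

    uint256 public borrowCap;     // protocol-wide cap on outstanding borrows
    uint256 public totalBorrows;

    mapping(address => uint256) public supplied;
    mapping(address => uint256) public borrowed;

    event ActionPaused(Action indexed action, bool state, address indexed by);
    event BorrowCapUpdated(uint256 oldCap, uint256 newCap);
    event Supply(address indexed account, uint256 amount);
    event Borrow(address indexed account, uint256 amount);

    error Unauthorized();
    error ActionIsPaused(Action action);
    error BorrowCapExceeded(uint256 requested, uint256 available);

    modifier onlyGovernance() {
        if (msg.sender != governance) revert Unauthorized();
        _;
    }

    modifier whenNotPaused(Action action) {
        if (paused[action]) revert ActionIsPaused(action);
        _;
    }

    constructor(address _governance, address _pauseGuardian, uint256 _borrowCap) {
        governance = _governance;
        pauseGuardian = _pauseGuardian;
        borrowCap = _borrowCap;
    }

    /// Guardian or governance may pause; only governance may unpause.
    /// The asymmetry limits the blast radius of a compromised guardian key.
    function setPaused(Action action, bool state) external {
        bool isGuardian = msg.sender == pauseGuardian;
        bool isGov = msg.sender == governance;
        if (state) {
            if (!isGuardian && !isGov) revert Unauthorized();
        } else {
            if (!isGov) revert Unauthorized();
        }
        paused[action] = state;
        emit ActionPaused(action, state, msg.sender);
    }

    /// Configuration changes go through governance only (in practice behind a timelock),
    /// which is why they are a slower, mostly proactive lever.
    function setBorrowCap(uint256 newCap) external onlyGovernance {
        emit BorrowCapUpdated(borrowCap, newCap);
        borrowCap = newCap;
    }

    /// Supplying collateral keeps working while borrowing alone is paused,
    /// so users can still improve their positions during an incident.
    function supply(uint256 amount) external whenNotPaused(Action.Supply) {
        supplied[msg.sender] += amount; // accounting only; token transfer omitted
        emit Supply(msg.sender, amount);
    }

    /// Borrowing is gated by both the pause flag and the governance-set cap.
    function borrow(uint256 amount) external whenNotPaused(Action.Borrow) {
        uint256 available = borrowCap > totalBorrows ? borrowCap - totalBorrows : 0;
        if (amount > available) revert BorrowCapExceeded(amount, available);
        // collateral sufficiency check omitted in this sketch
        borrowed[msg.sender] += amount;
        totalBorrows += amount;
        emit Borrow(msg.sender, amount);
    }
}
```

A practical check when reviewing a deployment built on this pattern: confirm that every externally reachable state-changing function carries a `whenNotPaused` guard for the right `Action`, and that the guardian address is held by a multisig whose signers are the same people named in the incident response policy.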
To test incident response processes and capabilities, the SEAL Chaos Team conducted incident simulations with the Compound multisig members and their security partners. Simulations are critical for two reasons. First, technical response capabilities are stressed under realistic conditions identified during threat modeling exercises. Second, drilling under realistic circumstances identifies areas for improvement. Net-net, if a real incident occurs, tested systems are in place, and the team’s various roles, responsibilities, and processes are clear. A more detailed description and analysis of the exercise can be found here.
Results: No Loss of Funds since 2021
Today, both the Compound protocol and user assets are more secure. Compound has the knowledge, capabilities, and processes in place to minimize or even prevent loss of user funds.
Compound is a model for the DeFi industry to follow. OpenZeppelin is proud to be Compound’s primary security partner. Valuable resources and more information about OpenZeppelin’s Incident Response services are on our website.