OpenZeppelin and Compound DAO: a Year of DAO Security Best Practices - OpenZeppelin blog

OpenZeppelin, the leader in blockchain security solutions, entered into a first-of-its-kind partnership with Compound DAO, a leading DeFi protocol with over $2 billion of TVL, starting in December of 2021. The ongoing security partnership was sparked due to a vulnerability introduced via a smart contract upgrade as part of a community governance proposal. Compound DAO tokenholders voted to partner with OpenZeppelin with an overwhelming approval of 99%.

Compound DAO trusts OpenZeppelin for the highest standard in Web3 continuous security including Security Audits, Advisory Services, and real-time Monitoring. Over the last year OpenZeppelin has supported the Compound DAO and its community as its continuous blockchain security partner, delivering support across all phases of the development lifecycle, including audits, advisory services on monitoring and security best practices as well as actively providing guidance for the decentralized community on governance upgrades. Security has never been more important to Web3 developers and communities, and OpenZeppelin continues to set industry standards for Web3 security best practices. 

When decentralized protocols are responsible for millions or billions worth of assets as in the case of Compound, security can never be an afterthought. Here are a few highlights on how Compound DAO’s security posture was strengthened with OpenZeppelin as its Security Partner:

Auditing

Our continuous auditing services have greatly increased the coverage of security audits to support all Compound changes over the last 12 months. The continuous support has reduced the time for governance proposal upgrades to receive audits prior to submission, enabling the DAO to make more, safer upgrades to the protocol. Highlights include:

• Completed 12 audits in total that included comprehensive protocol audits of both Compound V2 and V3.
• Audited protocol changes that were passed in 7 governance proposals.
• Coordinated the resolution of an integration bug with TUSD that threatened a $88 million market and published a post-mortem.
• Conducted a security review of the asset listing process and published a process for assessing the technical risk of adding new token markets.
• Supported the community-led resolution of the cETH price incident and published a post-mortem that includes security recommendations to avoid future incidents.

Advisory

Our security advisory has filled a key leading role in the coordination of protocol security initiatives that include identifying areas of security improvements and providing guidance on how security should be considered in a decentralized community’s decision-making. Highlights include:

• Coordinated the scheduling of audits and security support for the Compound community with regular participation in biweekly community calls and forum updates.
• Participated in discussions with the Pause Guardian Multisig members for incident response preparedness and strategy.
• Signed up to be a Domain Allocator for Security Grants in the new Grant Proposal by Questbook (currently pending adoption).
• Drafted and proposed a Compound Improvement Proposal (CIP) process to improve coordination of off-chain processes including new security recommendations. Currently pending a Snapshot approval.
• Used OpenZeppelin Defender to automate the queuing and executing of governance proposals to improve UX and reduce the wait time for passing proposals.

Monitoring

Our security monitoring solution provides greater visibility and alerting of protocol activity, governance and potential security issues that greatly enhance the protocol’s ability to identify and respond to threats. Highlights include:

• Reviewed potential security threats to both Compound V2 and V3 to draft security monitoring recommendations for community review and discussion.
• Implemented a decentralized monitoring solution for Compound using 13 Forta bots that monitor Compound markets, governance, access control, listed assets, oracle feeds and specific attack vectors.
• Integrated monitoring feeds into Discord channels and a public Datadog dashboard for easy consumption by community members using OpenZeppelin Defender. We added specific alerts for proposal votes and quorum thresholds to improve governance participation.
• Supported the response to the cETH price incident with custom monitoring for watching protocol risks while markets remained frozen.
• Currently building out support for monitoring to support multiple Compound V3 instances for assets across different EVM networks.

Moving forward, the Compound DAO & OpenZeppelin’s security relationship will continue to deliver increasingly robust security solutions, advising services, monitoring, and incident response. The focus is to continue to enable all Compound contributions to follow a multi-layered, defender-in-depth quality assurance process starting in the early stages of development all the way up to auditing, deployment, and post-deployment monitoring and threat response capabilities. With Compound’s community support, OpenZeppelin will continue to lead these efforts to make Compound as secure as possible while remaining a robustly decentralized community.

While some exploited smart contracts are unaudited, it’s also true that for many projects, a single-pass security audit is not sufficient to ensure long-term security for Web3 users and investors. OpenZeppelin and its partners like Compound DAO aim to bring a trusted set of voices in the ever-changing space of Web3 by investing in comprehensive security processes and long-lasting relationships that continue to advance best practices in the space.

Currently up for a vote is the proposal to renew the partnership between OpenZeppelin and Compound DAO on a quarterly basis. Compound’s community has been trusting OpenZeppelin for continuous security solutions since December of 2021. Details of the current proposal to continue to provide industry-leading security services from the DAO can be viewed here.

With these and other security partnerships across L1s, L2s, DeFi protocols, NFT projects, DAOs, gaming & metaverse platforms and more, OpenZeppelin continues to set Web3 security standards for the ever-expanding decentralized ecosystem. Since its inception in 2015, OpenZeppelin has secured and supported the builders throughout many shifts in the ecosystem. Beyond OpenZeppelin’s premier security solutions, OpenZeppelin open source smart contract libraries are the golden standard for Web3 development, with over 11.8 million downloads this year and 88% penetration among the top 50 DeFi and NFT projects. 

Explore the world of secure blockchain development tools and services and begin your journey building Web3 solutions today. To partner with OpenZeppelin on blockchain security services for your community or project, fill out our request form today.