The Compound grants program, totaling over $1M in potential distributions for 2023, provides funding to those who are working to make improvements to the Compound Finance protocol. As part of OpenZeppelin’s ongoing security partnership with Compound (which recently received unanimous community approval for renewal), the leading blockchain security company has been delegated the role of approving security-focused grant distributions on behalf of the DAO. This is the first time the Compound DAO has relied on its security partner to support its developer community in building further security infrastructure.
Bounty submissions should consider that the security grants program includes building on top of existing platforms that OpenZeppelin offers the DAO such as Defender (a secure smart contract automation platform for developers) and Forta (a decentralized Web3 monitoring solution powered by machine learning).
Full details on this initiative can be found below.
Compound Grants 2.0 – Security
Domain allocator: Michael Lewellen
- Preferred contact method for questions: @cyloncat on telegram
- Email: michael@openzeppelin.com
- @cyloncat on Compound Forums (comp.xyz)
- @LewellenMichael on Twitter
Introduction
This domain seeks ideas and proposals to improve Compound’s security through initiatives that include but are not limited to security tooling, bug bounty programs, and protocol refactors focused on security.
Since December 2021, OpenZeppelin has been Compound’s dedicated security partner, focusing on audit, advisory and monitoring services. However, protocol security is a far more expansive domain than any one partnership can cover, and community participation in security enhancements remains incredibly important. With Compound’s current focus on expanding V3 markets on Mainnet and other EVM networks, a defense-in-depth approach to protocol security is more important than ever.
Community priorities in the context of security include:
- Enhancements to the CI/CD pipeline of the Comet codebase, such as better security analysis tooling, change management automation, and community reporting of quality assurance steps. See existing pipeline workflows here.
- Bug bounty programs and other incentives to encourage white-hat hackers to report issues that could lead to a loss of funds or disruption of protocol operations.
- Additional monitoring capabilities that build on the existing monitoring suite created by OpenZeppelin using Defender and Forta, providing early detection of security threats.
- Protocol security enhancements, which may include refactors addressing unresolved issues raised in prior audit reports as well as improved incident response capabilities for the Pause Guardian and Governance.
What makes a good proposal?
- Clear Goals and Objectives: The proposal has clearly outlined the goals and objectives in an informative manner. We should be able to understand how your proposal adds value to the Compound Ecosystem.
- Team: The proposal mentions the core team members, their role in the project, and a history of their experience in other projects.
- Milestones: Briefly describe the milestones in your project. We are more likely to provide grants with milestones.
- Explanations for Amount Requested: Provide a granular explanation of the amount requested so we can understand where the funds are being distributed.
- Effective and efficient distribution of funds: Ensure that the funds are distributed effectively.
- Compound Domain Knowledge: Proposals and proposers that demonstrate a deep understanding of the Compound community have an inherent advantage, all other things being equal, because their project outcomes are more likely to align with community values.
Ideas for Inspiration
- GitHub integrations for verifying that protocol upgrades were tested and that on-chain bytecode matches the audited source code in the repository.
- Protocol enhancements to allow for the instant, temporary rollback of governance-approved upgrades. More details here.
- More configurable governance powers to support delegations of certain permissions. This was brought up as part of the Risk Management Council proposal but would also be useful for delegating faster incident response capabilities.
- Integrations with OpenZeppelin Defender tooling for enhancing deployment security, incident response, monitoring, and access control.
  - Note: Other tools may still be proposed, but Defender is preferred where it already supports the capabilities the grant project needs, since a premium Defender subscription is already included in Compound’s partnership deal.
Is there a cap on the grant size?
Roughly $25k, but if a project has a compelling reason, we can go higher.
Resources
- Compound Security Page including prior audit reports
- OpenZeppelin’s Security Update Posts: https://www.comp.xyz/tag/audit
- cETH Price Incident Post-mortem: https://www.comp.xyz/t/ceth-price-feed-incident-post-mortem/3578/5
- Compound’s Forta Monitoring Bots: https://app.forta.network/agents/compound
- Compound Improvement Proposal framework (recommended format for grants and community decision-making): https://www.comp.xyz/t/compound-improvement-proposals-cip/3722/24