OpenZeppelin Blog

Strengthening DeFi: OpenZeppelin and Compound's Security Partnership in 2024

Written by Khizer Arshad | December 18, 2024

TL;DR

In 2024, OpenZeppelin's partnership with Compound Finance demonstrated the critical importance of establishing proactive security measures in a demanding industry like DeFi. Together, we prevented a potential $120,000 loss by identifying and correcting a critical proposal error before execution. Additionally, our team prevented a governance attack that aimed to misappropriate $24 million worth of COMP tokens by detecting unusual voting patterns and mobilizing community action. Through continuous audits, real-time monitoring with Defender, incident response collaboration, governance automation, and educational initiatives, OpenZeppelin significantly enhanced Compound's security infrastructure, protected substantial assets, and strengthened community trust.

Compound Introduction

Compound is a leading DeFi lending protocol with over $2.5 billion in collateral that enables users to lend and borrow crypto assets without any intermediary. Users can supply assets to liquidity pools and earn interest, receiving cTokens that represent their balance and accrue interest over time. Borrowers can access liquidity by providing collateral, with loans being over-collateralized to manage risk. Compound's design has garnered widespread recognition within the DeFi developer community, making it the second most forked protocol, with 139 active projects built on its V2 code.

Governance is decentralized and managed by COMP token holders, who can propose and vote on protocol changes. This community-driven model promotes transparency and ensures the protocol evolves through collective user decisions. However, it also introduces additional layers of risk, which OpenZeppelin has played a key role in addressing and managing.

Key Incidents in 2024

Preventing Financial Loss

In early 2024, OpenZeppelin's security team identified a critical error in a proposal that could have left approximately $120,000 worth of COMP tokens irretrievably stuck in a bridge contract. The proposal intended to call the depositERC20To function on the Optimism StandardBridge to transfer 2,400 COMP tokens. The remoteToken parameter was set to the COMP token address on Base instead of the COMP token address on Optimism. Because COMP on Ethereum does not implement the OptimismMintableERC20 interface, the StandardBridge does not validate the local/remote token pair for it: the deposit transaction would have succeeded without any revert, and the tokens would have become permanently inaccessible. Nothing in the execution path would have flagged the misconfiguration, so it could only be caught by reviewing the proposal's calldata before execution.
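The kind of pre-execution check that catches this class of error, as an added example that is not OpenZeppelin's or Compound's code: a GovernorBravo-style action is stored as (target, signature, calldata) with the ABI-encoded arguments in calldata and the selector derived from the signature string at execution time, so the arguments can be decoded and the remoteToken compared against the COMP address registered for the bridge's destination chain. All addresses and the bridge-to-chain table below are constructed placeholders, not the real COMP or bridge deployments.

```python
"""Added example (not OpenZeppelin's or Compound's code): validate a
depositERC20To proposal action against a per-chain COMP address table.
All addresses are constructed placeholders."""

SIG = "depositERC20To(address,address,address,uint256,uint32,bytes)"

# Constructed placeholder addresses (assumption: a real review loads these from
# the official OP Stack and Compound deployment lists, never from the proposal).
OP_BRIDGE = "0x" + "aa" * 20      # L1StandardBridge for Optimism (placeholder)
BASE_BRIDGE = "0x" + "bb" * 20    # L1StandardBridge for Base (placeholder)
COMP_ON = {
    "ethereum": "0x" + "c0" * 20,
    "optimism": "0x" + "c1" * 20,
    "base": "0x" + "c2" * 20,
}
BRIDGE_CHAIN = {OP_BRIDGE: "optimism", BASE_BRIDGE: "base"}


def _word(value: int) -> bytes:
    return value.to_bytes(32, "big")


def _addr_word(addr: str) -> bytes:
    return bytes(12) + bytes.fromhex(addr[2:])


def encode_deposit(l1_token, l2_token, to, amount, min_gas, extra=b"") -> str:
    """ABI-encode the six arguments of depositERC20To, without a selector,
    exactly as GovernorBravo stores them alongside the signature string."""
    head = (_addr_word(l1_token) + _addr_word(l2_token) + _addr_word(to)
            + _word(amount) + _word(min_gas) + _word(6 * 32))  # offset of bytes tail
    padded = extra + bytes(-len(extra) % 32)
    return "0x" + (head + _word(len(extra)) + padded).hex()


def decode_deposit(calldata: str) -> dict:
    """Decode the head words and the trailing bytes argument; reject dirty
    address padding and an out-of-range uint32 so malformed data is not
    silently accepted."""
    data = bytes.fromhex(calldata[2:])
    if len(data) < 7 * 32:
        raise ValueError("calldata too short for depositERC20To")
    words = [data[i * 32:(i + 1) * 32] for i in range(6)]

    def addr(w: bytes) -> str:
        if any(w[:12]):
            raise ValueError("non-zero padding in address word")
        return "0x" + w[12:].hex()

    min_gas = int.from_bytes(words[4], "big")
    if min_gas >= 2 ** 32:
        raise ValueError("minGasLimit does not fit in uint32")
    offset = int.from_bytes(words[5], "big")
    length = int.from_bytes(data[offset:offset + 32], "big")
    return {
        "l1Token": addr(words[0]), "l2Token": addr(words[1]), "to": addr(words[2]),
        "amount": int.from_bytes(words[3], "big"), "minGasLimit": min_gas,
        "extraData": data[offset + 32:offset + 32 + length],
    }


def check_bridge_action(target: str, signature: str, calldata: str) -> list:
    """Return a list of findings for one proposal action (empty = no issue)."""
    if signature != SIG:
        return [f"unexpected signature: {signature}"]
    chain = BRIDGE_CHAIN.get(target.lower())
    if chain is None:
        return [f"target {target} is not a known L1StandardBridge"]
    args = decode_deposit(calldata)
    findings = []
    if args["l1Token"] != COMP_ON["ethereum"]:
        findings.append(f"l1Token {args['l1Token']} is not COMP on Ethereum")
    if args["l2Token"] != COMP_ON[chain]:
        # The bridge does not check this pair for a plain ERC20 on L1, so the
        # deposit succeeds on L1 and the tokens cannot be claimed on `chain`.
        findings.append(f"remoteToken {args['l2Token']} is not COMP on {chain} "
                        f"(expected {COMP_ON[chain]}); tokens would be stuck")
    if args["amount"] == 0:
        findings.append("amount is zero")
    return findings


if __name__ == "__main__":
    recipient = "0x" + "dd" * 20          # constructed recipient
    amount = 2_400 * 10 ** 18             # 2,400 COMP (18 decimals)
    flawed = encode_deposit(COMP_ON["ethereum"], COMP_ON["base"], recipient, amount, 200_000)
    fixed = encode_deposit(COMP_ON["ethereum"], COMP_ON["optimism"], recipient, amount, 200_000)
    print(check_bridge_action(OP_BRIDGE, SIG, flawed))   # one remoteToken finding
    print(check_bridge_action(OP_BRIDGE, SIG, fixed))    # []
```

The point of the check is that it runs against the decoded arguments and an independently maintained address table; the bridge contract itself offers no safety net here, so a reviewer (or an automated proposal monitor) has to supply the token-pair validation that the contract skips.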

OpenZeppelin's Solution:

  • Early Detection: Detected the error during a routine proposal review.
  • Incident Response: Alerted the proposal sponsor right away, leading to the cancellation of the flawed proposal.
  • Outcome: Prevented the loss of $120,000 in COMP tokens by ensuring the error was corrected before execution.

Governance Attack Prevention

In July 2024, Compound faced a significant governance challenge with Proposal 289, which aimed to allocate $24 million worth of COMP tokens to a yield-bearing strategy under suspicious circumstances. Unusual voting patterns suggested potential manipulation and a risk of asset misappropriation. The proposal lacked transparency and posed a high risk to the protocol's integrity.

OpenZeppelin's Solution:

  • Early Detection: Michael Lewellen, Head of Information Security at OpenZeppelin, identified the irregularities and raised the alarm within the community.
  • Real-time Monitoring: Leveraged Defender platform to track governance activities as they unfolded.
  • Community Engagement: Provided expert analysis and recommendations, supporting the community in navigating the threat.
  • Outcome: Although the proposal passed by a narrow margin (51%), the proposer agreed to cancel it immediately after. In exchange, the protocol introduced fee sharing for COMP holders, effectively safeguarding $24 million in assets.

Ongoing Security Enhancements

Throughout 2024, OpenZeppelin continued to strengthen Compound's security infrastructure:

Audits

  • Conducted 12 comprehensive audits, including in-depth reviews of Compound V2 and V3 protocols.
  • Audited 7 governance proposals to identify and mitigate potential vulnerabilities.

Monitoring

  • Automated monitoring of protocol activities using OpenZeppelin Defender. You can find more information about how Compound enhanced DAO operations with Defender in this blog post.
  • Set up alerts for price anomalies to quickly identify potential issues.
  • Monitored multi-signature wallet activities to detect unauthorized transactions.
  • Provided real-time insights into market activities, enabling swift responses to security threats and enhancing protocol resilience.

Incident Response

  • Collaborated with the Pause Guardian Multisig to enhance incident response strategies and readiness.
  • Participated in strategic discussions to refine incident response procedures with key stakeholders.

Governance Automation

  • Used Defender Relayers to bundle voting transactions on comp.vote, optimizing gas usage and making governance participation more cost-effective.
  • Ensured that automated actions were executed efficiently and reliably through Defender's secure transaction execution.
  • Leveraged Defender's actions to automatically announce when proposals became available for voting, keeping the community informed.

Educational Initiatives

  • Hosted educational sessions on Compound V3 security considerations.
  • Provided guidance on best practices for proposal submissions and protocol interactions.

Results and Impact

OpenZeppelin's partnership with Compound has yielded significant benefits:

  • Asset Protection: Prevented potential losses exceeding $24 million through proactive security measures.
  • Hardened Security Standards: Strengthened the overall security framework of Compound via continuous auditing, monitoring and defining incident response strategies.
  • Community Trust: Increased user confidence through transparent and effective security practices.
  • Operational Efficiency: Improved governance processes and reduced operational overhead.
  • Education and Awareness: Enhanced the community's understanding of security best practices.

Conclusion

The events of 2024 highlight the challenging nature of DeFi security vulnerabilities and the importance of a proactive security approach. OpenZeppelin's partnership with Compound continues to evolve, focusing on implementing security measures that cover the entire lifecycle of protocol development and operation. By combining deep technical expertise with real-time monitoring and community engagement, we're proud to help build a more secure and resilient DeFi ecosystem.