DeFi

Security and Audit Services for Compound DAO

(c) arnie chou / Unsplash

Introduction

Liam (0xleastwood) shared a post in the Spearbit Discord that OpenZeppelin successfully extended its audit mandate for the Compound Protocol in Q1 2023 (for the mere sum of... $1,000,000 per quarter 😏).

OpenZeppelin vs Trail of Bits vs ChainSecurity

The extension refers to the original proposal from November 2021, wherein several audit firms were bidding to support Compound (after suffering an exploit, Compound was looking for help to improve its security practices).

A notable post in the thread is where Compound realizes it does not have a proper (if any) vendor selection process (https://www.comp.xyz/t/auditing-compound-protocol/2543/35). For the mere sum of $75,000 😅 a DAO contributor (Reverie) sets this up for Compound DAO. Apparently reaching out to three (oh dear, three!) audit firms and explaining Compound DAO's requirements is worth quite a lot of $$$. But I digress.

Comparing offers

Let us dive into what OpenZeppelin, Trail of Bits and ChainSecurity are actually offering, summarized.

OpenZeppelin

In their final offer, OpenZeppelin (OZ) proposes the following services:

  • DAO Security Advisory
    • Dedicated security advisor who will:
      • Smooth incorporation of continuous audits in the DAO governance process
      • Documenting and iterating security requirements and best practices
    • Audit Suite & Security Coordination
  • Protocol audits
    • Review new governance proposals and write security reports
  • Security monitoring (based on OZ's Forta)

Interesting tidbits:

  • Pricing: $1M per quarter. OZ doesn't provide a full breakdown of costs (or estimations), so it is not totally transparent. There has been plenty of discussion on the initial pricing model (i.e. a performance fee, which was removed after community feedback). OZ openly states they charge approx. $30,000 - $35,000/week for their audit services.
  • Terms of Service (§ dispute resolution): claims cannot be settled in court (before a judge or jury), but only through legally binding arbitration. Not sure how common this is for blockchain companies, but it sounds like some VC bullshit to me 🤷‍♂️.
  • Scope: setting up a bug bounty program is out of scope, as is emergency/security response. OZ's rationale is included in the FAQ. The latter I understand, but the former is a bit strange if you aim to offer all-encompassing security services. Perhaps the bug bounty part would increase the proposed fee too much, I'm not sure (it's already $1M per quarter so...).

ChainSecurity

In their offer, ChainSecurity (CS) proposes the following services:

  • Training: 2 auditors will be trained to perform a full audit of the Compound protocol and to establish an audit suite (which is composed of all the tests that are run by the auditors)
  • Retainer (note: for these 2 auditors): to review Compound improvement proposals and to improve the test suite (24 mandays per month per auditor @ $300,000 per quarter, i.e. ~ $20,000/week or $4,167/manday)
  • CS also proposed that Compound DAO hires an external service provider as a security program manager (with project management & IT security expertise), compensated for $80,000 per year (or $20,000

Interesting tidbits:

  • Pricing: the proposed fee is substantially lower: approx. $620,000 per quarter (2 x $300,000 auditor salary + $20,000 program manager salary)
  • Overall: content-wise it is probably on point, but the proposal seems a bit rough around the edges, especially compared to the competition (maybe due to time constraints?)
  • Review process: CS provides a nice visual overview of the process they suggest
  • Terms of business: while difficult to find (thank you Google cache!), these terms contain much more usual/common/standard clauses (e.g. Swiss law applies, disputes are to be settled before court in Zurich).

Trail of Bits (ToB)

In their offer, Trail of Bits (ToB) proposes the following services:

  • Consulting services
    • Maintain a presence on Discord and the Compound forums
    • Provide proposal authors with 1:1 counseling sessions
    • Review and report any identified security issues in the code for proposals
    • Define security properties for proposals
    • Document “Security Considerations” for every proposal
    • Provide our analysis directly to the community
    • Host bi-weekly Office Hours with developers
    • Evaluate new security techniques for adoption by Compound
    • Ad-hoc services sourced from across ToB
  • Security engineering
    • Ensure that Slither, our static analysis framework, and Echidna, our rapid security property tester, always work on Compound code
    • Customize Slither and Echidna to the Compound codebase
    • Customize Slither to evaluate the security of upgrades
    • Develop scaffolding for new proposals with pre-integrated security analyses from Slither, Echidna, Certora, or others, as appropriate
    • Continuously define and evaluate security properties across the Compound codebase with analyses from Slither, Echidna, Certora, or other techniques, as appropriate
  • Establish repeatable processes for:
    • Design a repeatable process for starting a new proposal.
    • Design a repeatable process for proposal self-assessment
    • Design a repeatable process for risk assessment by the community.
    • Design a repeatable process for evaluating third-party protocol integration risks
    • Design a repeatable process for other protocols to securely integrate with Compound.
    • Regularly update a “treasure map” for bug hunting in Compound.

Interesting tidbits:

  • Presentation: ToB presented their proposal during a Compound Community Dev Call; it is valuable to hear their arguments.
  • Pricing: identical to OZ's offering; $1M per quarter (oof...)

Closing thoughts

  • This seems like a messy/chaotic/tumultuous/... request for proposal process (note: messy is okay! DAOs are still people interacting with each other over the internet, so misunderstandings are the rule, not the exception). E.g. I have been reading and re-reading OZ's final offer and you can see that the contents of the proposal (significantly) changed during the request for proposal period documented in the forum discussion (note: again, which is fine. That is why you have a request for information & request for proposal process. There is nothing wrong in adapting your proposal to match evolving expectations).
    I am genuinely interested in what exactly they produced for Compound DAO last year and whether it (sufficiently) corresponds with what they promised in their final offer. I reckon all should be well, because they won the extension for Q1 2023, but still... I wouldn't be surprised if parties just vote yes and don't have a clue what is actually going on (note: this is 100% speculation on my part).
  • This is one of the articles where I've spent way too much time (too many hours over too many days), so I kind of lost track of the essence of this article ("what point am I trying to make for readers?"), but I decided to go through with it. At the very least, you get a summary of the different offers, and I saved you a couple of clicks so you don't need to comb through each document or forum post 🙃
