The Compound DAO, which oversees the decentralized finance money market of the same name, has picked a security auditor.
OpenZeppelin will take on the unusual role of an on-call security auditor for a decentralized autonomous organization (DAO), available to monitor changes to the smart contracts and to its governance system, following a major bug in Sept. in how Compound distributed its governance token, COMP. The company was selected through a governance vote that ended on Dec. 18, featuring bids from three different security companies. It won the role through an open, public process that may provide a look into how DAOs will do business over time.
In the end, 1.37M COMP were voted to support OpenZeppelin’s bid, with only a few thousand COMP voting against it. It was by far the largest vote for any of the three proposals. The biggest voting pools supporting OpenZeppelin came from Andreessen-Horowitz, Polychain Capital and Bain Capital Ventures. Based on its proposal, OpenZeppelin will be paid a flat fee of $1M in COMP tokens each quarter for one year.
Open Zeppelin competed against Chainsecurity and Trail of Bits. OpenZeppelin had some advantage in the process because it worked with Reverie co-founder, Larry Sukernik, who first proposed hiring an ongoing auditor, with whom the team brainstormed about how a security firm could make an ongoing proposal to a DAO.
“Historically, community members have had to shoulder the burden of arranging an audit for their proposal,” Sukernik wrote in the proposal. “This has resulted in extremely long integration times or improvements never getting implemented at all. That’s no bueno. Process failures like the one we recently had should not be occurring for a protocol of Compound’s size.”
OpenZeppelin’s team believed the DAO’s decisionmakers would be more receptive to a serious conversation about prevention because it had a recent problem with the industry. This made the conversation more attractive to it and other security firms than it might have been absent a recent mistake.
“We’d been talking about the idea that at some point that DAOs are going to need a go-to security auditor,” Steven Gant, of OpenZeppelin’s growth team, told The Defiant. “We saw an opportunity here where we knew that the DAO itself would be very aware and would see the value of having a trusted security advisor.”
Chainsecurity made similar observations, noting that the norm is reviewing specific changes rather than taking an all over view. “Normally we are asked to provide code reading,” Matthias Egli of Chainsecurity, told The Defiant. “We thought hard about how Compound should approach security holistically.”
Compound founder Robert Leshner is optimistic about what having an ongoing auditor will mean for the protocol. “It’s extremely cool that a decentralized group of developers are able to work with an auditing firm on a totally available basis,” Leshner said. “This was a bottom up solution.”
The level of transparency that comes from public bidding is an adjustment for everyone involved.
Once its proposal was out, OpenZeppelin received plenty of feedback. Community members engaged with it in the forums. Normally firms like OpenZeppelin are accustomed to talking through details behind closed doors.
“This is where it’s very different, and you get into a very public process, and this is new for us,” Gant said. “We felt we had a good proposal. For us it was very healthy.”
This could be the beginning of DAOs sorting out how to do this. “We assumed that there was more best practices or processes around how you select a vendor,” Gant said, but it became evident once it started that other firms weren’t accustomed to working this way either. “There aren’t that many examples of actual competition … as i understand it, this part is pretty unique.”
This is the epilogue to this falls bug, which proved expensive but is something that the Compound community views now as very much in the past.
Ultimately, the 200K COMP tokens lost in the bug was not nearly as bad as many feared, in part because so many users returned excess payments, according to Leshner. “The final number was a lot lower than people were afraid of,” he said.
Both the prevention measures and the fix on that mistake came from Compound’s base of supporters, he explained. “The developer who originally wrote the faulty code stepped up the plate and did a huge amount of work to write the patch to correct the mistake,” he said.
The bug caused users to receive excessive COMP when they went to reclaim mining rewards. Compound put out word about the error and many people who received excess payments cooperated with the protocol and sent it back.
As to the COMP in the hands of the attacker, “It’s to the winds. we haven’t actually followed it,” Leshner said.