Compound DAO uses public tendering process to hire security auditor
The Compound DAO, which oversees the decentralized financial money market of the same name, has chosen a security auditor.
OpenZeppelin will take on the unusual role of on-call security auditor for a Decentralized Autonomous Organization (DAO), available to monitor changes to the protocol's smart contracts and its governance system, following a major bug in September in the way Compound distributed its governance token, COMP. The firm was selected in a governance vote that ended on December 18, with proposals from three different security firms. It won the role through an open public process that may offer insight into how DAOs will do business over time.
In the end, 1.37 million COMP voted to support OpenZeppelin’s proposal, with only a few thousand COMP voting against. It was by far the largest vote for any of the three proposals. The largest voting blocs supporting OpenZeppelin came from Andreessen Horowitz, Polychain Capital and Bain Capital Ventures. Under its proposal, OpenZeppelin will receive a lump sum of $1 million in COMP tokens each quarter for one year.
OpenZeppelin faced off against Chainsecurity and Trail of Bits. OpenZeppelin had some edge in the process because it had worked with Reverie co-founder Larry Sukernik, who first proposed hiring a permanent auditor, and with whom the team worked out how a security firm could provide continuous service to a DAO.
“Historically, community members have had to take on the burden of organizing an audit for their proposal,” Sukernik wrote in the proposal. “This resulted in extremely long integration times or improvements that were never implemented at all. It’s not bueno. Process failures like the one we had recently should not happen for a protocol the size of Compound.”
The OpenZeppelin team believed DAO decision makers would be more receptive to a serious conversation about prevention, given the recent incident. This made the conversation more engaging for it and for the other security firms than it might have been in the absence of a recent blunder.
“We were talking about the idea that at some point DAOs will need a benchmark security auditor,” Steven Gant, of the OpenZeppelin growth team, told The Defiant. “We saw an opportunity here where we knew the DAO itself would be very aware and would see the value in having a trusted security advisor.”
Chainsecurity made similar observations, noting that a standard audit looks at specific changes rather than at the big picture. “Normally we are asked to provide a code reading,” Chainsecurity’s Matthias Egli told The Defiant. “We have given a lot of thought to how Compound should approach security in a holistic manner.”
Public call for tenders
Compound founder Robert Leshner is optimistic about what having a permanent auditor will mean for the protocol. “It’s extremely cool that a decentralized group of developers can work with an audit firm on a fully available basis,” Leshner said. “It was a bottom-up solution.”
The level of transparency that results from public tenders is an adjustment for everyone involved.
Once its proposal was published, OpenZeppelin received a lot of feedback, and community members engaged with it in the forums. Normally, firms like OpenZeppelin are used to discussing such details behind closed doors.
“This is where it’s very different, and you get into a very public process, and it’s new to us,” said Gant. “We felt we had a good proposal. For us it was very healthy.”
This could be the beginning of DAOs figuring out how to proceed. “We assumed there were more best practices or processes around how you select a supplier,” Gant said, but it became apparent once he started that other firms weren’t used to working that way either. “There aren’t many examples of actual competition… if I understand correctly, this part is quite unique.”
This is the epilogue to this fall’s bug, which proved costly but which the Compound community now considers a thing of the past.
Ultimately, the 200,000 COMP tokens lost in the bug weren’t as bad as many feared, in part because so many users returned overpayments, according to Leshner. “The final number was way lower than people feared,” he said.
Both the prevention measures and the fix for this bug came from Compound’s own community, he explained. “The developer who originally wrote the faulty code stepped up to the plate and did a tremendous job writing the patch to fix the error,” he said.
The bug caused users to receive excess COMP when they went to claim mining rewards. Compound reported the error, and many people who received overpayments cooperated with the protocol and sent the tokens back.
As for the COMP in the attacker’s hands, “It’s upwind. We didn’t actually follow it,” Leshner said.
Read the original post on The Defiant.