[COMPOUND] Security Service Provider RFP

Following the Compound Foundation’s recommendations around the DAO’s next Security Service Provider (SSP), the CGWG is coordinating next steps to facilitate the election of Compound’s new SSP.

• This 7-day Snapshot vote to determine the DAO’s preferred SSP will run from Monday, July 28 at 3pm ET until Monday, August 4 at 3PM ET.
• Immediately after the conclusion of the Snapshot vote, an onchain vote will be conducted to ratify the SSP selected from the Snapshot vote.

Voting Options

For this Snapshot, delegates will be able to vote between the following vendors:

• ChainSecurity & Certora (view their full proposal here)
  • Two of the industry’s most established formal verification and audit firms, known for deep expertise in protocol correctness and secure smart contract development.
  • Prior Compound V3 audit and governance proposal experience.
  • Strong formal verification tooling and track record.
  • ChainSecurity vCISO will lead the engagement on behalf of both vendors.
• Cyfrin (view their full proposal here)
  • A security firm founded by prominent auditors and educators, combining hands-on technical depth with a strong focus on DAO governance, tooling and education.
  • Includes Patrick Collins as vCISO with researcher support.
  • Dedicated team available continuously for audits, reviews, and advisory.
  • Also includes OSS security tooling and education resources.

Note that the final voting pool consists solely of the above two vendors. The Foundation narrowed the initial pool of 16 RFPs down to a shortlist of 5 proposals. Correspondingly, the Foundation has publicly voiced their primary vendor recommendation, advocating the DAO to adopt ChainSecurity & Certora as the new SSP team. Due to this endorsement, 3/5 shortlisted vendors—including Cantina, Immunefi Magnus, and OpenZeppelin—opted to not partake in the Snapshot election as to not disclose further details around commercials. However, Cyfrin has chosen to fully disclose their pricing, making them eligible for the Snapshot vote.

Cost to Compound

Both of the above vendors have submitted 12-month engagement proposals with similar cost structures: Cyfrin at $1.5M and ChainSecurity & Certora at $1.75M. This RFP process has allowed the DAO to solicit a multitude of robust proposals, ensuring a smooth transition from the existing relationship with OpenZeppelin, while opening Compound to a near 50% reduction in security-based expenditure without a reduction in quality.

ZeroShadow will be included by default in the overall security engagement, regardless of which SSP is selected by the DAO. Their inclusion will support continuous monitoring and incident response capabilities, complementing the chosen SSP’s services. A total of $250k will be allocated to ZeroShadow; their proposal can be reviewed here.

Therefore, the total cost of the engagement will amount to:

• $1.75M + $250k = $2M if ChainSecurity & Certora are selected

• $1.5M + $250k = $1.75M if Cyfrin is selected

All funds will be streamed linearly over the duration of the engagement.

Voting Logistics

This Snapshot vote will be considered valid as long as quorum (total number of votes submitted) reaches the onchain threshold of 400k COMP. Once quorum is reached, the winner will be determined by a simple majority.

“Weighted Voting” will be utilized, where each delegate has the ability to spread their voting power across any number of choices. This voting system allows delegates to select between multiple options—or simply allocate their entire voting power to a single vendor.

Additionally, to ensure that Snapshot votes aren’t altered last-minute, we are implementing a quorum cut-off period for the votes between 12pm - 3pm ET on August 4th. The Snapshot will technically end at 7:59pm ET on the 4th, however, to mimic the nature of onchain votes, the final vote will be counted at 3pm ET—unless a vote flips in the 12pm - 3pm period, at which point, the Snapshot vote will be extended from 3pm - 7:59pm ET.

Thank you to all vendors who participated and to the Compound community for helping guide this process forward.

https://snapshot.org/#/comp-vote.eth/proposal/0x29f34f6cae855cb2605b81d490db7a13565be448a72b5f7a3d121db4b1a0cc49