Finalize Security Service Provider Engagement (2025)
Summary
This proposal enacts the outcome of the Compound DAO’s recent Security Service Provider (SSP) Request for Proposal (RFP) process. Following a multi-week evaluation by the Compound Foundation, the DAO has elected to appoint ChainSecurity and Certora as its joint security service providers for a 12-month term beginning August 18, 2025. In parallel, the DAO will also engage ZeroShadow to deliver incident response and monitoring services over the same period.
The total authorized budget is $2,000,000 USD, allocated as follows:
- ChainSecurity & Certora: $1,750,000
- ZeroShadow: $250,000
This RFP process allowed the DAO to solicit a multitude of robust proposals, ensuring a smooth transition from the existing relationship with OpenZeppelin while achieving a near 50% reduction in security-based expenditure with no reduction in service provider quality.
Background
In July 2025, the Compound Foundation, working alongside the Compound Governance Working Group (CGWG), initiated an RFP to identify the DAO’s next security partner(s). The goal was to establish comprehensive protocol security coverage and improve cost efficiency, while ensuring continuous support for governance proposals, protocol upgrades, and any other developments that Compound engages in.
The RFP outlined a 12-month engagement covering smart contract audits, governance proposal review, deployment assessments, incident readiness, monitoring services, and vCISO appointment. Multiple leading security firms submitted proposals; all of their proposals can be viewed in this thread.
After thoroughly evaluating each submission, the Compound Foundation issued a formal recommendation to the DAO. Evaluation of all proposals was based on a six-point framework:
- Technical expertise in auditing, testing, and multi-chain support
- Audit methodology and deliverable quality
- vCISO & advisory capabilities, including personnel, experience, and availability
- Compound & DeFi familiarity based on past work and onboarding readiness
- Market reputation and engagement history
- Pricing & value, measured by overall scope, personnel commitment, and service clarity
Accordingly, the Foundation proposed appointing ChainSecurity and Certora as joint SSPs, along with engaging ZeroShadow for complementary incident response capabilities.
From July 28 to August 4, a Snapshot vote was held to determine the DAO’s preferred SSP. The outcome was as follows:
- ChainSecurity & Certora: 425.3k votes (94.38%) — declared the winner
- Cyfrin: 25.3k votes (5.62%)
This onchain vote is the final step to enact the decision made via Snapshot, officially signing ChainSecurity and Certora as Compound DAO’s new SSP team.
Scope of Engagement
Under the terms of the RFP and the Foundation’s recommendation, responsibilities will be divided between two specialized engagements:
1. ChainSecurity and Certora
Acting as the DAO’s SSPs, ChainSecurity and Certora will jointly:
- Lead technical assessments of protocol upgrades, governance proposals, and token onboarding efforts. They will provide actionable feedback, verify execution paths, and ensure proposed changes meet Compound’s security standards before being enacted. The review process will be tightly integrated with the governance lifecycle and include formal reporting.
- Provide high-touch security advisory services, including a dedicated technical lead to act as Compound’s virtual CISO (vCISO). The vCISO will help bridge audits with governance, align protocol improvements with security best practices, and ensure DAO contributors understand and can act on security findings. They will coordinate audit scheduling, delivery, and reporting timelines in alignment with governance proposal windows and DAO expectations. The Foundation will define prioritization when needed.
These security teams were recommended due to:
- Deep Compound experience: ChainSecurity has audited prior Compound V3 deployments and governance proposals, bringing firsthand knowledge of the protocol’s architecture and risk profile.
- Formal verification leadership: Certora is a pioneer in formal verification tooling, offering advanced techniques for proving correctness of complex smart contract systems.
- vCISO support and technical strength: The engagement is led by ChainSecurity’s senior leadership, with multiple engineers available full-time to support audits, governance reviews, and real-time advisory.
- Trusted by top protocols: Both firms have secured protocols like Aave, Uniswap, Maker, and Ethereum Foundation, and are widely respected for their focus on correctness and systematic risk reduction.
- Long-term alignment: Both teams have demonstrated consistent DAO engagement and the ability to grow with protocols as complexity scales.
2. ZeroShadow (Monitoring and Incident Response)
ZeroShadow will deliver continuous operational security coverage by:
- Setting up a monitoring solution and tuning detection logic to reduce alert noise, utilizing the latest methodologies including AI
- Triaging alerts in real time and coordinating incident response
- Responding to governance attacks, smart contract exploits, phishing attempts, and multisig compromise
- Running tabletop exercises and improving preparedness of the protocol to proactively respond and resolve security incidents in coordination with the Community Multisig
After ZeroShadow was named as a vendor in two separate SSP proposals, the Foundation included the team as a complement to the above two SSPs. Carving out this incident response engagement allows Compound to benefit from 24/7/365 coverage with a virtual Security Operations Center (vSOC).
Onchain Vote Execution Details
If passed, this proposal will authorize the creation of two COMP token streams via the Compound Streamer:
Total Budget: $2,000,000
- $1,750,000 for ChainSecurity & Certora
- $250,000 for ZeroShadow
Both of the above will have their own dedicated stream.
Duration: 12 months starting August 18, 2025
- _streamDuration = 31,536,000 seconds (365 days)
Payment Mechanism: Funds will be streamed in COMP tokens through the Compound Streamer. The amount of COMP streamed will be USD-adjusted using Chainlink price feeds to ensure the vendors receive the agreed $2M USD equivalent over the 12-month term. Upon submission of the onchain vote, a 10% buffer will be applied to each stream, meaning a total of ~$2,200,000 of COMP will enter the Streamers upon proposal execution. This buffer is meant to accommodate COMP volatility. At the time of onchain vote submission, 45,000 COMP approximates the $2.2M total, of which 39,375 will be deposited in the ChainSecurity & Certora stream and 5,625 will be allocated to the ZeroShadow stream.
Stream Recipient (_recipient):
- ChainSecurity & Certora reception address: 0xa1fa21665daA59f27046110CC2f58218b6343A2B
- ZeroShadow reception address: 0x9FAEaBCeD4C29F030d40A83F1a7822624d67f904
Slippage Amount (_slippage): 1%
- Slippage ensures that every time the vendors claim, the Streamer converts the accrued USD amount into COMP using the current Chainlink price feed, with up to a 1% buffer to handle small price fluctuations and keep payments fair.
Claim Cooldown (_claimCooldown): 604,800 seconds (7 days)
- This is the minimum time between claims. Once the vendors claim accrued COMP tokens, they can’t claim again for 7 days.
Stream Cancellation Rights:
- The DAO retains the authority to cancel the stream if SLAs are not met and/or KPIs materially deviate from the agreed terms.
- Any cancellation request must be announced on the forums by the Compound Foundation, giving the service providers a 60-day notice before the stream is paused (_minimumNoticePeriod = 5,184,000 seconds). An onchain proposal must call the terminateStream() function in order for cancellation to occur.
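As an added illustration (not code from the Compound Streamer contract or from this proposal), the following Python model reproduces the stream parameters above so the buffer split and claim rules can be checked numerically. Linear USD accrual and the way _slippage bounds the COMP conversion are assumptions made here; the contract's actual semantics are not on this page.

```python
# Added example (not the Compound Streamer's own code): a simplified model of the
# USD-denominated COMP stream described above, used to sanity-check the 10% buffer
# split and the claim rules. How _slippage applies is an assumption made here.
from dataclasses import dataclass

DAY = 86_400
STREAM_DURATION = 365 * DAY   # _streamDuration = 31,536,000 s
CLAIM_COOLDOWN = 7 * DAY      # _claimCooldown = 604,800 s
SLIPPAGE_BPS = 100            # _slippage = 1%

def buffered_deposit(usd_owed, comp_usd_price, buffer=0.10):
    """COMP placed in the stream at execution: USD owed plus a volatility buffer."""
    return usd_owed * (1 + buffer) / comp_usd_price

def min_average_price(comp_usd_price, buffer=0.10):
    """Lowest average COMP price over the term at which the buffered deposit still
    covers the full USD amount; below it the stream needs a top-up."""
    return comp_usd_price / (1 + buffer)

@dataclass
class Stream:
    usd_total: float       # USD owed over the 12-month term
    deposited_comp: float  # COMP funded at proposal execution
    start: int             # stream start timestamp
    claimed_usd: float = 0.0
    paid_comp: float = 0.0
    last_claim: int = -1

    def accrued_usd(self, now):
        """Linear USD accrual since start, net of what was already claimed."""
        elapsed = min(max(now - self.start, 0), STREAM_DURATION)
        return self.usd_total * elapsed / STREAM_DURATION - self.claimed_usd

    def claim(self, now, feed_price, executed_price):
        """Convert accrued USD to COMP. Rejects a claim inside the cooldown, an
        execution worse than the Chainlink feed by more than _slippage, or a
        payout the deposited COMP cannot cover. Returns COMP paid out."""
        if self.last_claim >= 0 and now - self.last_claim < CLAIM_COOLDOWN:
            raise ValueError("claim cooldown not elapsed")
        if executed_price > feed_price * (1 + SLIPPAGE_BPS / 10_000):
            raise ValueError("conversion exceeds slippage tolerance")
        usd = self.accrued_usd(now)
        comp = usd / executed_price
        if self.paid_comp + comp > self.deposited_comp:
            raise ValueError("stream underfunded: top-up or cancellation needed")
        self.claimed_usd += usd
        self.paid_comp += comp
        self.last_claim = now
        return comp
```

With the submission-time price implied by 45,000 COMP ≈ $2.2M, buffered_deposit returns the 39,375 / 5,625 split quoted above, and min_average_price shows the 10% buffer only covers an average COMP price down to about 91% of that level.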
RFP Process References
- RFP Template and Applications Thread:[ Request for Proposal: Compound DAO Security Service Provider (SSP)](https://www.comp.xyz/t/request-for
... please visit link below to view full proposal
https://tally.xyz/gov/compound/proposal/466