If you notice some outdated information please let us know!
PASS
The final review score is indicated as a percentage. The percentage is calculated as Achieved Points due to MAX Possible Points. For each element the answer can be either Yes/No or a percentage. For a detailed breakdown of the individual weights of each question, please consult this document.
Very simply, the review looks for the following declarations from the developer's site. With these declarations, it is reasonable to trust the smart contracts.
This report is for informational purposes only and does not constitute investment advice of any kind, nor does it constitute an offer to provide investment advisory or other services. Nothing in this report shall be considered a solicitation or offer to buy or sell any security, token, future, option or other financial instrument or to offer or provide any investment advice or service to any person in any jurisdiction. Nothing contained in this report constitutes investment advice or offers any opinion with respect to the suitability of any security, and the views expressed in this report should not be taken as advice to buy, sell or hold any security. The information in this report should not be relied upon for the purpose of investing. In preparing the information contained in this report, we have not taken into account the investment needs, objectives and financial circumstances of any particular investor. This information has no regard to the specific investment objectives, financial situation and particular needs of any specific recipient of this information and investments discussed may not be suitable for all investors.
Any views expressed in this report by us were prepared based upon the information available to us at the time such views were written. The views expressed within this report are limited to DeFiSafety and the author and do not reflect those of any additional or third party and are strictly based upon DeFiSafety, its authors, interpretations and evaluation of relevant data. Changed or additional information could cause such views to change. All information is subject to possible correction. Information may quickly become unreliable for various reasons, including changes in market conditions or economic circumstances.
This completed report is copyright (c) DeFiSafety 2023. Permission is given to copy in whole, retaining this copyright label.
This section looks at the code deployed on the relevant chains and team aspects. The document explaining these questions is here.
1. Are the smart contract addresses easy to find? (%)
2. Does the protocol have a public software repository? (Y/N)
Yes, the repository is indicated in the footer of the website.
3. Is the team public (not anonymous)?
As per the GitHub, there are many public devs.
4. How responsive are the devs when we present our initial report?
Team responded very fast via Discord.
This section looks at the software documentation. The document explaining these questions is here.
5. Is there a whitepaper? (Y/N)
Location:https://compound.finance/documents/Compound.Whitepaper.v04.pdf
6. Is the protocol's software architecture documented? (%)
In the GitHub readme there is a list and description of the contracts for Compound III or comet. We could not find other software architecture for the latest version of Compound. Given this, we cannot give a score higher than 40%.
7. Does the software documentation fully cover the deployed contracts' source code? (%)
In the GitHub readme there is a list and description of the contracts for Compound III or comet. Within the code there is good but not extensive commenting. This gives a score of 50%.
8. Is it possible to trace the documented software to its implementation in the protocol's source code? (%)
In-line commenting in the code does not count towards traceability. Given that the only documentation outside of the code is the list of functions, with links to the software a score of 40% is given, asked for guidance.
9. Is the documentation organized to ensure information availability and clarity? (%)
Code documentation is quite minimal. It is clearly organized. This brings a score of 50%.
This section covers the testing process of the protocol’s smart contract code previous to its deployment on the mainnet. The document explaining these questions is here.
10. Has the protocol tested their deployed code? (%)
Test to Code is 37007 / 6402 = 578% which drives a 100% score ─────────────────────────────────────────────────────────────────────────────── Language Files Lines Blanks Comments Code Complexity ─────────────────────────────────────────────────────────────────────────────── JavaScript 54 6402 896 2363 3143 517 ─────────────────────────────────────────────────────────────────────────────── Total 54 6402 896 2363 3143 517 ─────────────────────────────────────────────────────────────────────────────── Estimated Cost to Develop $89,909 Estimated Schedule Effort 5.506310 months Estimated People Required 1.450648 ─────────────────────────────────────────────────────────────────────────────── Processed 262911 bytes, 0.263 megabytes (SI) ─────────────────────────────────────────────────────────────────────────────── Language Files Lines Blanks Comments Code Complexity ─────────────────────────────────────────────────────────────────────────────── TypeScript 69 16692 1974 538 14180 454 JavaScript 19 1367 212 164 991 65 YAML 2 81 11 0 70 0 JSON 1 18867 0 0 18867 0 ─────────────────────────────────────────────────────────────────────────────── Total 91 37007 2197 702 34108 519 ───────────────────────────────────────────────────────────────────────────────
11. How covered is the protocol's code? (%)
We could not find any code coverage documentation,, though clearly the code is designed to measure code coverage. As for guidance, a score of 50% is given.
12. Is there a detailed report of the protocol's test results?(%)
No detailed test report was found.
13. Has the protocol undergone Formal Verification? (Y/N)
While Compound V2 has undergone formal verification, there is no evidencethat Compound III has the same coverage, therefore No.
This section looks at the 3rd party software audits done. It is explained in this document.
14. Is the protocol sufficiently audited? (%)
The Compound protocol has undergone multiple audits conducted pre-deployment by reputable firms such as OpenZeppelin, ChainSecurity, and Trail of Bits, as indicated by the provided documentation. This includes audits of specific aspects such as the cDAI, COMP & Governance, and Tether. In addition, the protocol was also formally verified by Certora. Furthermore, Compound has a bug bounty program in place, emphasizing its commitment to security and the identification of potential vulnerabilities. These actions demonstrate a high level of diligence in ensuring the quality and security of the protocol.
15. Is there a matrix of audit applicability on deployed code (%)? Please refer to the example doc for reference.
With just two audits, both applicable to the deployed software, this list fulfills the requirements and get 100%.
16. Is the bug bounty value acceptably high (%)
Compound offers a bug bounty program with rewards ranging from $500 to $150,000 for eligible discoveries. The value of these rewards, as well as the active nature of the program, suggests a commitment to security and code testing. However, given the scoring guidelines, the bounty score is 60% because the bounty is $100k or more. Compound offers an inactive bug bounty of up to $150k.
17. Is there documented protocol monitoring (%)?
Under Economic Security section of the Security page Compound mentions their affiliation with Gauntlet. This effectively gives a sophisticated level of protocol monitoring. It includes incident response. Based on this, a score of 80% is given. 60% for a general protocol monitoring and 20% for incident response. What is not indicated is protocol monitoring for security events (hack detection).
18. Is there documented protocol front-end monitoring (%)?
The provided documentations from Compound Finance mention the use of Cloudflare for email protection which is a form of DDOS Protection. There are no explicit references to DNS steps to protect the domain, intrusion detection protection on the front end, or unwanted front-end modification detection in the provided documents.
This section covers the documentation of special access controls for a DeFi protocol. The admin access controls are the contracts that allow updating contracts or coefficients in the protocol. Since these contracts can allow the protocol admins to "change the rules", complete disclosure of capabilities is vital for user's transparency. It is explained in this document.
19. Is the protocol code immutable or upgradeable? (%)
In the introduction to the Governance section, it is clearly dedicated that software is updatable via a time lock. This gives a score of 80%.
20. Is the protocol's code upgradeability clearly explained in non technical terms? (%)
The codes upgrade path is clearly explained in the introduction to the governance section. Score of 100%.
21. Are the admin addresses, roles and capabilities clearly explained? (%)
Based on the information provided, there are no admin addresses. All government decisions take place through DOA voting. The processes and capabilities are very well explained in the governance page. There is a community MultiSig that at the moment controls the Pause Guardian.
22. Are the signers of the admin addresses clearly listed and provably distinct humans? (%)
The protocol's documentation does not list the signers of the admin addresses, nor does it provide any evidence or arguments to support the claim that these signers are separate, distinct individuals.
23. Is there a robust documented transaction signing policy? Please refer to the Example doc for reference.(%)
Given that virtually all governance decisions take place through DAO voting, there is little need for a transaction signing policy. It would be required for the signers of the community MultiSig. However they can only pause the protocol. Given this, a score of 70% is given.
This section goes over the documentation that a protocol may or may not supply about their Oracle usage. Oracles are a fundamental part of DeFi as they are responsible for relaying tons of price data information to thousands of protocols using blockchain technology. Not only are they important for price feeds, but they are also an essential component of transaction verification and security. These questions are explained in this document.
24. Are Oracles relevant? (Y/N)
The protocol in question uses price feed oracles. The Compound Protocol uses a View contract (“Price Feedâ€) which verifies that reported prices fall within an acceptable bound of the time-weighted average price of the token/ETH pair on Uniswap v2. This is a sanity check referred to as the Anchor price. Prices are updated by Chainlink Price Feeds. The protocol's Comptroller contract uses it as a source of truth for prices. The ValidatorProxy contract calls validate on the UniswapAnchoredView. This queries Uniswap v2 to check if a new price is within the Uniswap v2 TWAP anchor. If valid, the UniswapAnchoredView is updated with the asset’s price. If invalid, the price data is not stored.
25. Is the protocol's Oracle sufficiently documented? (%)
The protocol's Oracle, the Open Price Feed, is comprehensively documented. The documentation explains how it accounts for price data for the Compound protocol and that the protocol's Comptroller contract uses it as a source of truth for prices. The documentation also details that prices are updated by Chainlink Price Feeds. Furthermore, it provides insight into how the Open Price Feed works, explaining that it uses a View contract ("Price Feed") which verifies that reported prices fall within an acceptable bound of the time-weighted average price of the token/ETH pair on Uniswap v2. The documentation also provides the Github link for the Open Price Feed's codebase.
26. Can flashloan attacks be applied to the protocol, and if so, are those flashloan attack risks mitigated? (Y/N)
The Compound protocol has implemented several measures to protect against potential flashloan attacks. The protocol has a supplyCap on markets, which limits the protocol's risk exposure to collateral assets. It also uses separate and higher liquidation collateral factors than borrow collateral factors to ensure a price buffer for all new positions. Additionally, the protocol has gone through professional audits and formal verification by Certora using Certora ASA (Accurate Static Analysis), which is integrated into Compound’s continuous integration system. Gauntlet has constructed a simulation-based market stress-testing platform to evaluate the economic security of the Compound protocol, as it scales supported assets and volume.