Security

Introduction

The security of the Compound protocol is our highest priority; our development team, alongside third-party auditors and consultants, has invested considerable effort to create a protocol that we believe is safe and dependable. All contract code and balances are publicly verifiable, and security researchers are eligible for a bug bounty for reporting undiscovered vulnerabilities.

We believe that size, visibility, and time are the true test for the security of a smart contract; please exercise caution, and make your own determination of security and suitability.

Audits

The Compound protocol has been reviewed & audited by Trail of Bits and OpenZeppelin.

  1. Trail of Bits - April 2019
  2. OpenZeppelin - August 2019
  3. Trail of Bits - August 2019
  4. OpenZeppelin - Timelock & Pause Guardian
  5. OpenZeppelin - cDAI
  6. OpenZeppelin - COMP & Governance
  7. Trail of Bits - February 2020
  8. OpenZeppelin - Tether
  9. OpenZeppelin - COMP Distribution

Formal Verification

The Compound protocol was developed with a specification of security principles, and formally verified by Certora using Certora ASA (Accurate Static Analysis), which is integrated into Compound’s continuous integration system.

  1. Certora Verification Summary

Economic Security

Gauntlet has constructed a simulation-based market stress-testing platform to evaluate the economic security of the Compound protocol, as it scales supported assets and volume.

  1. Gauntlet Market Risk Assessment

Bug Bounty Program

Security is core to our values, and we value the input of hackers acting in good faith to help us maintain the highest standard for the security and safety of the Ethereum ecosystem. The Compound protocol, while it has gone through professional audits and formal verification, depends on new technology that may contain undiscovered vulnerabilities.

The Compound protocol bug bounty program is run entirely by the community with collaboration from Immunefi.

Bug Bounty Dashboard