The security of the Compound protocol is our highest priority; our development team, alongside third-party auditors and consultants, has invested considerable effort to create a protocol that we believe is safe and dependable. All contract code and balances are publicly verifiable, and security researchers are eligible for a bug bounty for reporting undiscovered vulnerabilities.
We believe that size, visibility, and time are the true test for the security of a smart contract; please exercise caution, and make your own determination of security and suitability.
The Compound protocol has been reviewed & audited by Trail of Bits and OpenZeppelin.
The Compound protocol was developed with a specification of security principles, and formally verified by Certora using Certora ASA (Accurate Static Analysis), which is integrated into Compound's continuous integration system.
Certora Verification Summary
Gauntlet has constructed a simulation-based market stress-testing platform to evaluate the economic security of the Compound protocol, as it scales supported assets and volume.
Gauntlet Market Risk Assessment
Security is core to our values, and we value the input of hackers acting in good faith to help us maintain the highest standard for the security and safety of the Ethereum ecosystem. The Compound protocol, while it has gone through professional audits and formal verification, depends on new technology that may contain undiscovered vulnerabilities.
Compound encourages the community to audit our contracts and security; we also encourage the responsible disclosure of any issues. This program is intended to recognize the value of working with the community of independent security researchers, and sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
Compound offers substantial rewards for discoveries that can prevent the loss of assets, the freezing of assets, or harm to a user, commensurate with the severity and exploitability of the vulnerability. Compound will pay a reward of $500 to $150,000 for eligible discoveries according to the terms and conditions provided below.
The primary scope of the bug bounty program is for vulnerabilities affecting the on-chain Compound Protocol, deployed to the Ethereum Mainnet, for contract addresses listed in this developer documentation.
This list may change as new contracts are deployed, or as existing contracts are removed from usage. Vulnerabilities in contracts built on top of the Protocol by third-party developers (such as smart contract wallets) are not in-scope, nor are vulnerabilities that require ownership of an admin key.
The secondary scope of the bug bounty program is for vulnerabilities affecting the Compound Interface hosted at app.compound.finance that could conceivably result in exploitation of user accounts.
Finally, test contracts (Rinkeby and other testnets) and staging servers are out of scope, unless the discovered vulnerability also affects the Compound Protocol or Interface, or could otherwise be exploited in a way that risks user funds.
Submit all bug bounty disclosures to [email protected]. The disclosure must include clear and concise steps to reproduce the discovered vulnerability in either written or video format. Compound will follow up promptly with acknowledgement of the disclosure.
To be eligible for bug bounty reward consideration, you must:
To encourage vulnerability research and to avoid any confusion between good-faith hacking and malicious attack, we require that you:
When working with us according to this program, you can expect us to:
All reward determinations, including eligibility and payment amount, are made at Compound’s sole discretion. Compound reserves the right to reject submissions and alter the terms and conditions of this program.
| Contract | Address |
|---|---|