Compound – cToken (unredacted) Security Audit

[UPDATE March 21st 2022: we have uploaded the original unredacted report, which contained a live critical vulnerability. The vulnerability was redacted until it could be patched. Find more details in our blog article.]

Compound offers money markets for supplying and borrowing different assets on the Ethereum blockchain.

Users can supply assets to the market, earning interest on their deposits. They can also use their deposited assets as collateral in order to borrow assets from other markets. The borrowed assets accrue interest over time, which is shared between the suppliers and the protocol. If a borrower’s account balance falls below a certain threshold, due to the value of their collateral falling or the value of the borrowed assets increasing, their position can be liquidated. The liquidator pays back the borrowed assets and in return they earn a portion of the borrower’s collateral.

Users interact with the cToken contracts. These are ERC-20 tokens that represent the assets a user has supplied to the market. As the market accrues interest, the value of the cToken compared to the underlying asset increases. The cToken itself receives a portion of the interest as reserves.
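The accounting described above, as an added example that is not taken from the audit report or from Compound's contracts: a simplified single-asset model showing how accrued interest raises the cToken exchange rate and how the reserves take their portion. It assumes the exchange rate is (cash + borrows - reserves) / cToken supply; the class name, the initial rate, the reserve factor and the interest rate are all constructed for illustration.

```python
from fractions import Fraction as F

class ToyMarket:
    """Simplified single-asset market; a model, not Compound's contract code."""

    def __init__(self, reserve_factor, initial_rate):
        self.cash = F(0)        # underlying held by the market
        self.borrows = F(0)     # underlying owed by borrowers
        self.reserves = F(0)    # protocol's share of accrued interest
        self.supply = F(0)      # cTokens in circulation
        self.reserve_factor = F(reserve_factor)
        self.initial_rate = F(initial_rate)

    def exchange_rate(self):
        # Underlying per cToken (assumed formula, see lead-in).
        if self.supply == 0:
            return self.initial_rate
        return (self.cash + self.borrows - self.reserves) / self.supply

    def mint(self, amount):
        # Supplier deposits underlying and receives cTokens at the current rate.
        ctokens = F(amount) / self.exchange_rate()
        self.cash += amount
        self.supply += ctokens
        return ctokens

    def borrow(self, amount):
        if amount > self.cash:
            raise ValueError("not enough cash in the market")
        self.cash -= amount
        self.borrows += amount

    def accrue(self, rate):
        # Interest is added to debt; reserve_factor of it goes to reserves.
        interest = self.borrows * F(rate)
        self.borrows += interest
        self.reserves += interest * self.reserve_factor
        return interest

def demo():
    m = ToyMarket(reserve_factor=F(1, 10), initial_rate=F(1, 50))  # constructed
    ctokens = m.mint(1000)          # supplier deposits 1000 underlying
    m.borrow(500)                   # borrower takes half of it
    before = m.exchange_rate()
    interest = m.accrue(F(1, 10))   # one period at a constructed 10% rate
    after = m.exchange_rate()
    return ctokens, before, after, interest, m.reserves, ctokens * after

if __name__ == "__main__":
    print(demo())
```

Of the 50 units of interest in this run, 45 accrue to the supplier through the higher exchange rate and 5 stay in the market as reserves.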

About Compound – cToken (unredacted)

“Compound is a protocol on the Ethereum blockchain that establishes money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand for the asset. Suppliers (and borrowers) of an asset interact directly with the protocol, earning (and paying) a floating interest rate, without having to negotiate terms such as maturity, interest rate, or collateral with a peer or counterparty.

Each money market is unique to an Ethereum asset (such as Ether, an ERC-20 stablecoin such as Dai, or an ERC-20 utility token such as Augur), and contains a transparent and publicly-inspectable ledger, with a record of all transactions and historical interest rates.”


Source: Compound Whitepaper (2019)