
Compound Quark Smart Contracts

Summary

The most critical subjects covered in our audit are access control, signature handling, functional correctness, gas griefing and front-running. Security regarding all the aforementioned subjects is satisfactory.

The general subjects covered are code complexity, trustworthiness, documentation and gas efficiency. The codebase is generally well written and includes inline comments that improve the readability of the code. Contracts in scope are not upgradable and do not have privileged roles, hence providing a high level of trustworthiness.

The system offers flexibility, and new features can be plugged in as scripts. We would like to emphasize that developers should carefully assess new scripts to avoid introducing vulnerabilities that can be used to exploit users' wallets. Users should also carefully evaluate scripts and their parameters. Interacting with a malicious script or passing wrong parameters to a verified script could be enough to exploit a wallet.

In summary, we find that the codebase provides a satisfactory level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don't replace other vital measures to secure a project.

About Compound Quark Smart Contracts

Compound implements Quark Wallets, a system for account abstraction based on wallet contracts that can run arbitrary code (scripts) deployed by a special contract, CodeJar. Users can then trigger actions from their wallets by executing scripts directly or by signing messages in the EIP-712 format.
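The following contract is an added illustration of the pattern described above and of the script-trust point made in the summary; it is not Quark's or Compound's code, and every name in it (ExampleScriptWallet, ScriptOp, the hypothetical CodeJar-deployed script address passed in) is an assumption made for the example. It shows an owner-controlled wallet that executes a script only via delegatecall after verifying an EIP-712 signature bound to the script address, the script's code hash, the exact calldata, a one-time nonce and a deadline. Binding the code hash means the signature authorises the code the user reviewed, not merely an address; the delegatecall itself is what gives a script full control of the wallet's storage and funds, which is why a malicious script or wrong parameters are enough to compromise a wallet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Hypothetical account-abstraction wallet (example only, not Quark's code).
/// Scripts run via delegatecall, so a script executes with this wallet's
/// storage, balance and identity: whatever the script does, the wallet does.
contract ExampleScriptWallet {
    address public immutable owner;
    bytes32 public immutable DOMAIN_SEPARATOR;
    mapping(uint256 => bool) public nonceUsed; // replay protection for signed ops

    // EIP-712 type of one signed operation. `callData` is `bytes`, so its
    // keccak256 hash is what enters the struct hash.
    bytes32 private constant OP_TYPEHASH = keccak256(
        "ScriptOp(address script,bytes32 scriptCodeHash,bytes callData,uint256 nonce,uint256 deadline)"
    );
    // Upper bound on `s` (secp256k1 n/2) to reject malleable signatures.
    uint256 private constant MAX_S = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    error NotAuthorized();
    error NonceAlreadyUsed(uint256 nonce);
    error Expired(uint256 deadline);
    error CodeHashMismatch(bytes32 expected, bytes32 actual);
    error ScriptFailed(bytes returnData);

    constructor(address _owner) {
        require(_owner != address(0), "owner required");
        owner = _owner;
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("ExampleScriptWallet"),
            keccak256("1"),
            block.chainid,
            address(this)
        ));
    }

    /// The EIP-712 digest the owner signs off-chain for one operation.
    function opDigest(
        address script, bytes32 scriptCodeHash, bytes calldata callData,
        uint256 nonce, uint256 deadline
    ) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(
            OP_TYPEHASH, script, scriptCodeHash, keccak256(callData), nonce, deadline
        ));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    /// Anyone may relay a signed operation; only the owner's signature authorises it.
    function executeSigned(
        address script, bytes32 scriptCodeHash, bytes calldata callData,
        uint256 nonce, uint256 deadline, uint8 v, bytes32 r, bytes32 s
    ) external returns (bytes memory) {
        if (block.timestamp > deadline) revert Expired(deadline);
        if (nonceUsed[nonce]) revert NonceAlreadyUsed(nonce);
        if (uint256(s) > MAX_S) revert NotAuthorized();

        address signer = ecrecover(opDigest(script, scriptCodeHash, callData, nonce, deadline), v, r, s);
        if (signer != owner) revert NotAuthorized(); // covers ecrecover's address(0) too

        nonceUsed[nonce] = true; // burn the nonce before handing control to the script
        return _runScript(script, scriptCodeHash, callData);
    }

    /// Direct execution by the owner, the "execute scripts directly" path.
    function executeDirect(address script, bytes32 scriptCodeHash, bytes calldata callData)
        external returns (bytes memory)
    {
        if (msg.sender != owner) revert NotAuthorized();
        return _runScript(script, scriptCodeHash, callData);
    }

    function _runScript(address script, bytes32 expectedCodeHash, bytes calldata callData)
        internal returns (bytes memory)
    {
        // Refuse to run code other than what was authorised: an address whose code
        // differs from the reviewed script (or that has no code at all) is rejected.
        bytes32 actual = script.codehash;
        if (actual == bytes32(0) || actual != expectedCodeHash) {
            revert CodeHashMismatch(expectedCodeHash, actual);
        }
        // From here on the script owns this wallet's execution context.
        (bool ok, bytes memory ret) = script.delegatecall(callData);
        if (!ok) revert ScriptFailed(ret);
        return ret;
    }
}
```

Note that the code-hash check protects against running different code than the user signed for, but not against a reviewed script that is itself harmful or against parameters that direct a benign script to do something unintended; those remain the developer's and user's responsibility, as the summary stresses. A script can also overwrite `nonceUsed` or any other wallet storage once the delegatecall starts, which is why the nonce is burned before the call rather than after.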

---

“Compound is a protocol on the Ethereum blockchain that establishes money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand for the asset. Suppliers (and borrowers) of an asset interact directly with the protocol, earning (and paying) a floating interest rate, without having to negotiate terms such as maturity, interest rate, or collateral with a peer or counterparty

Each money market is unique to an Ethereum asset (such as Ether, an ERC-20 stablecoin such as Dai, or an ERC-20 utility token such as Augur), and contains a transparent and publicly-inspectable ledger, with a record of all transactions and historical interest rates.”

Source

ChainSecurity has been an outstanding security partner who has earned our admiration and respect based purely on their technical competence and skill. They always go above and beyond to ensure their auditing is of the highest quality, and they are consistently excellent over the many projects we have done together.
Jared Flatow, VP of engineering