ChainSecurity smart contract audit of leading DeFi project Compound

Compound SUPTB

Security Audit

Download Audit Report
Summary

The most critical subjects covered in our audit are functional correctness, access control and standard compliance. Security regarding standard compliance is high. Security regarding access control has been improved since the first iteration of this report (see permission can be bypassed in transferFrom()). Additionally, a critical issue allowing users to spend encumbrance of other users in certain cases has been disclosed and fixed by Compound after the first iteration of this report: Encumbered balances can be transferred. Functional correctness is now extensive.

The general subjects covered are code complexity and quality of specification documentation. Some inconsistency has been identified in the specifications, see Incorrect specs, which was corrected.

In summary, we find that the codebase provides a high level of security.

It is important to note that security audits are time-boxed and cannot uncover all vulnerabilities. They complement but don’t replace other vital measures to secure a project.

About Compound SUPTB

Compound implements an EIP-7246 (under review) compliant token SUPTB (Superstate short-term U.S. government bonds) and a permission list contract. It introduces a new feature: Encumbrance on top of ERC-20 to separate the ownership of tokens from the right to transfer them.

“Compound is a protocol on the Ethereum blockchain that establishes money markets, which are pools of assets with algorithmically derived interest rates, based on the supply and demand for the asset. Suppliers (and borrowers) of an asset interact directly with the protocol, earning (and paying) a floating interest rate, without having to negotiate terms such as maturity, interest rate, or collateral with a peer or counterparty

Each money market is unique to an Ethereum asset (such as Ether, an ERC-20 stablecoin such as Dai, or an ERC-20 utility token such as Augur), and contains a transparent and publicly-inspectable ledger, with a record of all transactions and historical interest rates.”

 

Source: Compound Whitepaper (2019) https://compound.finance/documents/Compound.Whitepaper.pdf

ChainSecurity has been an outstanding security partner who has earned our admiration and respect based purely on their technical competence and skill. They always go above and beyond to ensure their auditing is of the highest quality, and they are consistently excellent over the many projects we have done together.
Jared Flatow, VP of engineering