[Ethereum] Compound v2 - Security Rating 4

Please note the rating has been upgraded to 4 as shown in the reply below.

Security Rating Level: 5
Evaluation Date: Mar 31st, 2021

1. History & Team (Weight 20%; Score 80)

1.1 Project age (8%; 100)
Launched on mainnet in July 2018; live for 33 months.
1.2 Past exploits (8%; 50)
Attacked once, in November 2020 (~$90 million liquidation)
1.3 Team anonymity (2%; 100)
Team is public
1.4 Team experience in programming (2%; 100)
CTO and founder Geoffrey Hayes has been programming since 2008

2. Exposure (Weight 25%; Score 89.5)

2.1 Historical TVL (17.5%; 100)
Average market share in the past four quarters: 12.0%, 11.3%, 12.8%, 13.2%
Data collected from DeFi Pulse (Compound | Stats, Charts and Guide)
2.2 Industry segment (5%; 85)
Compound is a lending protocol (no flash loans allowed)
2.3 Infrastructure (2.5%; 25)
Uses Coinbase Pro as the price feed (a single centralized oracle), with a sanity check against Uniswap price data (a price monitor exists)

3. Audit (Weight 35%; Score 100)

Audit report available on: Compound | Docs - Security
3.1 Transparency and scope (14%; 100)
Full scope audit done, and report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by Trail of Bits and OpenZeppelin, both Tier 1 audit firms
3.3 Audit findings (10.5%; 80)
No critical issues found in audit
3.4 Other credits (up to additive 5.25%; 10)
Core smart contracts audited by multiple firms; formal verification done

4. Code quality (Weight 15%; Score 95)

Repository on GitHub: compound-finance/compound-protocol (The Compound On-Chain Protocol)
4.1 Documentation
Excellent documentation.
4.2 Test
Comprehensive tests done, with 44% code coverage

5. Developer community (Weight 5%; Score 90)

5.1 Bug bounty program (3.5%; 90)
Exists. Reward up to $150,000
5.2 Issues raised on Github (1.5%; 90)
11 issues raised on the GitHub repository. Score = 90.

The N-SCOSS for Compound is 92.125, level 5.

Compound v2 is rated at security level 4 after re-evaluation as of December 20th, 2021.

The downgrade is mainly a consequence of two exploits that happened to Compound in September and October. According to the SlowMist hack zone, the losses resulted from an initially wrong setting of the token distribution rate and a contract vulnerability, which fall under our policy coverage. Therefore, the score of pillar 1 dropped by 20. Compound's market share also decreased from ~12% to ~8%, which had a negative impact on its rating.

Below are the details of the updated rating for Compound based on data up to December 20th, 2021.


Security Rating Level: 4
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 60)

1.1 Project age (8%; 100)
Launched on mainnet in May 2019; live for 32 months.
(Note that in the first post I mistakenly took the launch month as July 2018, which was the Compound v1 launch month. This error made the final score 1.6 points higher than it should have been, but had no impact on the security level, i.e. the rating would still be at level 5 if the correct project age had been adopted.)
1.2 Past exploits (8%; 0)
In the past 12 months, Compound was attacked twice, in September and October 2021 (~$80 million and ~$68.8 million loss respectively)
1.3 Team anonymity (2%; 100)
Team is public
1.4 Team experience in programming (2%; 100)
CTO and founder Geoffrey Hayes has been programming since 2008

2. Exposure (Weight 25%; Score 79.7)

2.1 Historical TVL (17.5%; 86)
Average market share in the past four quarters: 7.4%, 8.5%, 9.3%, 9.7%
Data collected from DefiLlama (Compound Protocol: TVL and stats)
2.2 Industry segment (5%; 85)
Compound is a lending protocol (no flash loans allowed)
2.3 Infrastructure (2.5%; 25)
Uses Coinbase Pro as the price feed (a single centralized oracle), with a sanity check against Uniswap price data (a price monitor exists)

3. Audit (Weight 35%; Score 100)

Audit report available on: Compound | Docs - Security
3.1 Transparency and scope (14%; 100)
Full scope audit done, and report is public
3.2 Audit firm trust score (10.5%; 100)
Audited by Trail of Bits and OpenZeppelin, both Tier 1 audit firms
3.3 Audit findings (10.5%; 80)
No critical issues found in audit
3.4 Other credits (up to additive 5.25%; 10)
Core smart contracts audited by multiple firms; formal verification done

4. Code quality (Weight 15%; Score 95)

Repository on GitHub: compound-finance/compound-protocol (The Compound On-Chain Protocol)
4.1 Documentation
Excellent documentation.
4.2 Test
Comprehensive tests done, with 44% code coverage

5. Developer community (Weight 5%; Score 90)

5.1 Bug bounty program (3.5%; 90)
Exists. Reward up to $150,000
5.2 Issues raised on Github (1.5%; 90)
47 issues raised on the GitHub repository.
(Note that the issue count differs from the last evaluation, changing from counting open issues only to open + closed issues. This adjustment better reflects all historical discussion in the GitHub repository and is hence a more precise measure of developer activity.)

The N-SCOSS for Compound is 85.675, level 4.
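Added worked example (not part of the original posts, and not the rating team's own tooling) showing the two-level weighted aggregation behind both N-SCOSS figures above, 92.125 for the March 2021 evaluation and 85.675 for the December 2021 one. Sub-criterion weights are read as percentages of the total score, so each pillar score is the weight-normalised average of its sub-scores and the overall score is the weighted sum of pillar scores; pillars 1, 2 and 5 are recomputed from their sub-scores, while pillars 3 and 4 are taken at their stated pillar scores because the "other credits" rule and the pillar 4 sub-weights are not fully specified in the posts. The function and dictionary names are assumptions, and the score-to-level thresholds are not given, so no level is derived.

```python
"""Two-level weighted scoring behind the N-SCOSS figures (added example)."""


def pillar_score(sub_scores):
    """Weight-normalised average of (weight_pct, score) pairs for one pillar."""
    total_weight = sum(w for w, _ in sub_scores)
    return sum(w * s for w, s in sub_scores) / total_weight


def overall_score(pillars):
    """Weighted sum over {name: (weight_pct, score)}; pillar weights sum to 100."""
    assert abs(sum(w for w, _ in pillars.values()) - 100) < 1e-9
    return sum(w / 100 * s for w, s in pillars.values())


def pillar_contributions(before, after):
    """How many overall-score points each pillar moved between two evaluations."""
    return {
        name: round(w / 100 * (after[name][1] - before[name][1]), 4)
        for name, (w, _) in before.items()
    }


# Figures transcribed from the two evaluations above (hypothetical dict names).
MAR_2021 = {
    "history_team":  (20, pillar_score([(8, 100), (8, 50), (2, 100), (2, 100)])),
    "exposure":      (25, pillar_score([(17.5, 100), (5, 85), (2.5, 25)])),
    "audit":         (35, 100),   # stated pillar score; credit rule not fully given
    "code_quality":  (15, 95),    # stated pillar score; no sub-weights listed
    "dev_community": (5, pillar_score([(3.5, 90), (1.5, 90)])),
}
DEC_2021 = {
    "history_team":  (20, pillar_score([(8, 100), (8, 0), (2, 100), (2, 100)])),
    "exposure":      (25, pillar_score([(17.5, 86), (5, 85), (2.5, 25)])),
    "audit":         (35, 100),
    "code_quality":  (15, 95),
    "dev_community": (5, pillar_score([(3.5, 90), (1.5, 90)])),
}

if __name__ == "__main__":
    print("Mar 2021 N-SCOSS:", overall_score(MAR_2021))  # ≈ 92.125
    print("Dec 2021 N-SCOSS:", overall_score(DEC_2021))  # ≈ 85.675
    # Decompose the 6.45-point drop: -4.00 from past exploits (pillar 1),
    # -2.45 from the lower market share (pillar 2), nothing from the rest.
    for name, delta in pillar_contributions(MAR_2021, DEC_2021).items():
        print(f"{name:14s} {delta:+.3f}")
```

The decomposition makes the second post's reasoning checkable: the 20-point fall in pillar 1 (exploit score 50 to 0) costs 4 overall points at its 20% weight, and the TVL sub-score falling from 100 to 86 costs 2.45 points through pillar 2, which together account for the whole 92.125 to 85.675 move.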