It has been an absolute pleasure and a boat load of work writing 30,000 Feet this year. For 50 consecutive weeks (because the first issue took me two weeks to write), I have spent most weeknights, and every Friday and Saturday night writing.
I used to dread writing. After writing every day for a year, I f****** love writing. I look forward to it. It’s a habit I will continue for the rest of my life.
Professionally, it’s been an overwhelming net positive. I’ve researched more topics. I have more opinions. My opinions are stronger and more thoughtful. I’ve also met some amazing people through the newsletter.
Personally, the math isn’t as clear. On the plus side, it’s given me more confidence in my own perspective and a greater sense of purpose. The minus is the impact it’s had on my relationships. My days were full before I started the newsletter, so when I chose to give attention to something new, I had to subtract from somewhere. My partner has been incredibly supportive and understanding, but the newsletter meant less time with her and that choice came at a cost. Over the course of the year, I’ve gotten better at managing my time because I realized that for me to do the newsletter well, the other aspects of my life needed to be in balance.
To all the readers, thank you so much for your support. I hope you’ve learned as much as I have.
Before I sign off for the year, here’s one final issue that incorporates several themes of 2021 - smart contract security, DAOs and governance.
The B2B market in Web3 has been heating up for months. DAOs, especially in DeFi, need a lot of support, and the core team can't do everything. They have started engaging third parties for a variety of services, including treasury management and core development. The sales and negotiation process is often public, which makes for a fascinating dynamic.
Smart contract security is another area that gets outsourced to specialized service providers. Pre-deployment, teams hire audit firms to review the smart contract code for bugs and vulnerabilities.
But security doesn’t stop once contracts are published on chain. Most protocols evolve over time, and each update introduces new code. New code creates security risk and begs the question “who is responsible for reviewing and auditing the updates?”
Last week, a precedent-setting deal was approved by the Compound token holders, naming OpenZeppelin, a leading smart contract audit and security company, as Compound's official security services partner. The total value of the deal could reach $4M over the next year.
This is an important deal for many reasons, and I want to dive in and discuss how it came to be and what I learned.
Full disclosure - Forta (my day job) is part of this deal by virtue of having been incubated inside of OpenZeppelin. However, everything I will share can be found on Compound’s public governance forum.
Let’s zoom in…
On September 29th, Compound token holders approved Proposal 62, changing the distribution split of COMP liquidity rewards from 50% suppliers / 50% borrowers to governance-determined ratios.
The update required a new Compound Comptroller contract, which controls the distribution of COMP liquidity rewards. Unfortunately, when the new contract was deployed, it contained a bug that allowed users to erroneously claim ~$50M in unearned COMP tokens.
This was an unfortunate event, and it highlighted a reality of decentralized governance that doesn’t get much attention…
When a community member proposes a technical change to a protocol, they are responsible for scheduling and paying for the smart contract audit. Now, I think it's reasonable for the responsibility to fall on the proposer; after all, they are the one submitting the proposal. However, it's inefficient and presents quality control risks.
In the case of Proposal 62, the code change was reviewed by several community members, including Compound, and it was running on Ethereum’s Ropsten testnet for a month before being implemented on mainnet. It did not, however, receive a formal audit.
In the weeks following the exploit, prominent figures in the Compound community recommended that OpenZeppelin and other leading smart contract auditors including Trail of Bits and Consensys Diligence submit proposals for “continuous audit and security services”. The thinking was simple - going forward, the Compound DAO should have a retainer-like relationship with a top tier auditor that can formally review upgrade proposals before they are executed, and avoid a repeat of Proposal 62.
Now for anyone familiar with consulting or enterprise sales, this is what you would call a Request for Proposal, or RFP. It is usually one of the first steps in a formal vendor selection process.
This was the Compound community’s first experience with a public RFP process, and it came together pretty organically and quickly in the wake of the exploit. For those reasons, it did not follow a formal vendor selection process. As a result, the proposal and voting process was disorganized.
Here’s the quick version:
OpenZeppelin spent a few weeks preparing a comprehensive proposal for continuous audits and other complementary security services, discussing it with key stakeholders and responding to questions from the broader Compound community.
A few days before COMP token holders were scheduled to vote on the OZ proposal, Trail of Bits joined the discussion and asked token holders to vote against OZ’s proposal if they wanted an opportunity to consider proposals from other security firms.
COMP holders did vote against OZ's original proposal to give themselves an opportunity to consider other proposals. Over the subsequent weeks, OZ revised their proposal and fee structure, and additional proposals were received from Trail of Bits and ChainSecurity.
On December 18, COMP token holders voted a second time and approved OpenZeppelin’s proposal.
At the end of the day, it all worked out. I am extremely happy for OpenZeppelin. They have a world class team and put together a compelling proposal.
I’m also extremely happy for the Compound community. From a security standpoint, they are in a markedly better position now than they were a few months ago.
I can also acknowledge that the vendor selection process wasn't ideal. You never want the vendors dictating the schedule. My biggest lesson from watching this process unfold was the need for a formal selection process, and other DAOs should consider adopting one.
This is another case of DAOs making super boring topics interesting. If you told me a year ago I would be writing about the vendor selection process on Christmas Day, I would have said “absolutely not”. In reality, I was looking forward to it!
Companies buy all sorts of products and services from other companies. Selecting who to buy from, especially services, follows a process called vendor selection.
When you’re dealing with large contracts and a pool of potential vendors, having a structured process is helpful to keep things organized, efficient and fair. Here’s a generic, high level vendor selection process from the buyer’s point of view.
If you wanted to, you could unpack each step in the process. For example, it’s common for the Proposal Evaluation to be broken into two parts - first reviewing all written proposals, and then holding oral presentations for finalists.
DAOs can adopt a similar process…
Consider forming a vendor selection committee. Particularly for specialized and technical issues like smart contract security, having a dedicated group of people with the requisite knowledge and experience making decisions should result in better, more efficient outcomes.
Define the business requirements (“what do you need?”). Compound’s problem was clear, but the specific requirements and scope for the proposal were not. It takes time to do this well.
Issue a Request for Proposal (RFP) clearly articulating the business requirements, and laying out timelines for submitting questions, submitting proposals, oral presentations (if necessary) and awarding the grant.
Respond to questions from prospective vendors. This step already happens effectively today on the governance forums.
Vendors submit public proposals. Ideally, everyone’s proposal is submitted on the same day so the DAO has the same amount of time to review each proposal, and can easily compare.
Committee/DAO reviews proposals. If a committee is running the process, they can review proposals privately. If token holders are reviewing, I would expect a similar amount of discourse back and forth that we saw with Compound.
Oral presentations (if necessary). You can argue the oral presentation component is replaced by public discourse on the governance forums. However, if a vendor selection committee is making the final decision, oral presentations make more sense.
Negotiate/Award the grant. The committee/DAO makes a final decision.
Processes exist for a reason, and the vendor selection process just works. As B2DAO activity picks up in 2022, I expect many DAOs to adopt a formal process/committee. I also expect to see more DAOs negotiate longer-term, incentive-based relationships for smart contract security and audit services.
I'll be taking next week off because I haven't had a weekend off in a year, but 30,000 Feet will resume on January 9. Happy New Year, everyone!
Thanks for reading.