OpenZeppelin Security Partnership Proposal for Continuous Audits

Simple Summary

OpenZeppelin proposes a Security Partnership with the Venus protocol for performing security audits on retainer. As Venus’s trusted security partner, we will perform continuous security audits of Venus codebases and provide actionable feedback to help the team improve smart contract security. We offer a total of 24 weeks of security research time to be used over the next 6 months for audits as directed by the Venus protocol team, which includes fix reviews and a high-level analysis of current protocol security. The total cost is $554,400 to be paid in USDC on a quarterly schedule from the Venus treasury, starting with $277,200 at the start of Q3 2023 followed by the same amount at the start of Q4.

About OpenZeppelin

OpenZeppelin is a leading blockchain infrastructure security firm that performs security audits and provides developer tools for decentralized systems that power multimillion-dollar economies. OpenZeppelin has set industry standards for building secure, decentralized systems and has gained the trust of industry leaders including Coinbase, the Ethereum Foundation, Matter Labs, and the original Compound protocol. OpenZeppelin built and maintains the world’s leading open-source library for smart contract development, with more than twenty million downloads and 200 contributors.

OpenZeppelin has already seen success in security partnerships with DAOs including Compound, whose codebase forms the backbone of the Venus Protocol. We have already leveraged our existing expertise in lending protocol security to audit the SwapRouter and Oracles codebases for Venus, in which we reported a total of 25 security issues. We see this proposal as the next step in growing our relationship with the Venus community and further improving overall security with a more continuous security model.

Partnership Offerings

Our security partnership consists of the following.

Continuous Security Audits on Retainer

As Venus’s trusted security partner, we will perform a continuous security audit of your codebases. Unlike individual audit engagements, our security researchers will be assigned to work on your project for the duration of this engagement. This provides scheduling flexibility, deepens auditor knowledge of your codebase and builds a more collaborative client-auditor relationship to produce better results. In addition to formal auditing, our team can offer security advisory on Web3 best practices to improve secure code development going forward.

We are offering a total of 24 security-researcher weeks along with 12 days of fix review time, to be used over the next 6 months starting on June 28th and running until the end of 2023. Audit time will be scheduled in coordination with the Venus protocol team, with a minimum of 45 days’ notice required for new audits. In order to make effective use of the booked slots, we will need a preliminary version of the codebase 3 weeks in advance and the commit hash 1 week before the starting date; this is necessary to define the scope in advance. If weeks remain at the end of the engagement and Venus has nothing to review, they will not be rescheduled for the future and will be deducted from the package even though unused (this term is required so that we can book our time in advance).

Our currently planned list of audit priorities is given below. Please note that these are subject to change as we continue to coordinate on priorities set by the Venus protocol team:

  1. New Liquidator contract
  2. Diamond Comptroller
  3. Automatic allocation of income and Prime contract
  4. Collecting needed tokens and Shortfall handling

System Security Analysis

OpenZeppelin will perform an overall review of your existing smart contract design, security infrastructure and processes to help improve the security of your currently deployed system. Upon completion we will deliver a detailed report that provides feedback on your system design, access control, and team processes, with recommendations to make improvements and address potential security shortcomings. This offering is recommended as a prerequisite for other long-term engagement offerings, giving our team the opportunity to understand your security needs and system architecture as well as possible and to maximize the value you receive from our subsequent audits.

We are offering our System Security Analysis service without additional charge, estimated at 2 additional security researcher weeks.

Payment Structure

OpenZeppelin will charge $554,400 in total for the security services provided above. This will be paid in two quarterly installments of $277,200 in USDC from the Venus Treasury, with the first to be paid at the start of July 2023. This will follow the same format as the prior proposal payment issued through VIP-120.

Terms & Conditions

By approving this proposal and proceeding to make payment of the fees to OpenZeppelin, Venus agrees to our DAO Terms of Service.

When will there be some action to drive the price of XVS instead of slurping the treasury? I would rather see a buy of 554.4k XVS added to vault rewards. Is mighty Gauntlet all of a sudden not sufficient?

Expensive; not sure we need this considering all the money we’ve already spent on audits. Security is important though, so this is something I trust the team to handle and let the community know what they believe to be best for the protocol.

Gauntlet does market risk management for Venus! What does this have to do with auditing smart contracts for the upcoming products?

Looking at the dates, it all seems already agreed on.

What happened to the party who did audits before? Why is there suddenly a gap that needs to be filled ASAP?

I wish success for us and for everyone with this great protocol, and we hope for much development and progress.

Well, devs would need to submit the code to be audited and request a quote and timelines if new products are ready to be released and audits need to be done before releasing them, right?

Remember that multiple audits are done for every new product being released. This is mandatory for security. Have a look at all the recent VIPs; Venus is actually working with all of the best.

  • CERTIK
  • OpenZeppelin
  • Peckshield
  • FairyProof
  • Code4rena
  • QuantStamp

Venus is a sweet cake. Food everyone can enjoy. If I were a developer, I would have had a delicious bite, haha.