Upgrading Compound Governance
At Compound, we practice increasing decentralization; building a platform with the efficiency of a close-knit team, and then removing our authority wherever possible. Today, we are announcing a suite of protocol upgrades aimed at reducing the protocol administrator’s ability to make rapid changes to the protocol.
All Compound protocol contracts have an administrator address, used to configure various aspects of the protocol; across all contracts, the administrator will be replaced with
0x6d903f6003cca6255D85CcA4D3B5E5146dC33925, a Timelock contract that moves the protocol towards a “time-delayed, opt-out” upgrade pattern (rather than the current “instant, forced” upgrade pattern).
The Timelock has a hard-coded minimum delay of 2 days, which is the least amount of notice possible for an admin action. Each proposed action will be published with an
eta which must be at least 2 days in the future from the time of announcement. For instance, major upgrades, such as changing the risk system, may have a 14 day delay.
By adding a Timelock, we also reduce our ability to react to an unforeseen vulnerability. To mitigate this risk, this upgrade introduces the concept of a Pause Guardian into the protocol. Used only in the event of an unforeseen vulnerability, the Pause Guardian has one and only one ability: to disable a select set of functions:
seize (liquidate). The Pause Guardian cannot unpause an action, nor can it ever prevent users from calling
redeem (withdraw) or
repayBorrow to close positions & exit the protocol.
Together with these changes, we are also including some other small upgrades. These include documentation fixes for the Comptroller, and most significantly: ‘enter on borrow’ functionality. From now on, attempts to borrow an asset will automatically enter the caller (borrower) into the market, instead of returning an error when the market has not been entered.
Entering markets is how the comptroller keeps track of which assets should be included in liquidity calculations, and borrowers are required to enter the markets they borrow from. This is still the case, however it is now simply automatic, and not a separately called function.
As part of our normal diligence process, we asked the community to review these changes, as well as hiring formal auditors to discover potential issues.
Open Zeppelin did an excellent job explaining the scope of the changes, which you can read more about:
Join the Conversation
Reducing the potency of the administrator’s retained abilities is just one step as we move towards complete decentralization; we have lots more exciting (and boring) changes planned.
If you have any questions, ideas, or issues, join us in Discord — we’d love to hear from you.