Security Team - Budget Request v5 (Updated)
Scope
This budget request is for the security team, currently comprising two core contributors and one internship slot, to continue contributing security-related work in the yearn ecosystem.
This request will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the yearn teams, as capacity allows, together with the other tasks described below. Over the period, this budget request should report in detail on the work attempted and achieved.
This request also gives an overview of the team's goals and objectives for the period.
Note that this budget request includes no revenue share.
Achieved Goals (Previous BR v4)
General
Collected feedback from multiple contributors and implemented some improvements internally.
Improved our communication by giving updates every 3-4 weeks.
Implemented an active improvement process, asking different contributors for feedback and retesting the results periodically.
General Security
Created a new streamlined Due Diligence template for evaluating new protocols used in yearn strategies, improving the accuracy of the new risk scores.
Created a checklist document of common potential security issues and security patterns in v3 strategies to help strategists improve development.
Made multiple security reviews, including new v2/v3 strategies and updates to existing ones.
Updated the GitHub issue template (v3 strategies) to improve the speed and accuracy of the security process.
Followed up on the actions discussed in the war room, retros, and similar calls.
Led the Single Process, on the security side, for the v3 vaults.
Participated in the Vyper security group.
Coordinated all external audits with external audit firms.
Managed a new discussion with Chain Security about updating our old retainer agreement. We could get a new deal.
Tracked expenses on audits, contests, and bounties and shared them monthly.
Analyzed external security reviews as a revenue stream. To get the flywheel going, we will review them free of charge for the first months, then define a price depending on demand and availability, without impacting internal tasks.
On-chain Risk Framework
Reviewed and redefined new risk scores for v3 strategies.
Risk score metadata is already integrated for v3 strategies. The UI will soon display the risk category for each vault, improving the UX and allowing users to make much better risk/reward decisions.
Tested the new scores on the v3 strategies and redefined some of them. We will test more v3 strategies before deploying the smart contracts.
Updated the risk framework multisig (new signers).
Fuzzing and Invariant Testing
Created learning resources and example repos.
Updated the internal security review process to require stricter testing rules for production deployment.
Updated risk scoring process and documentation regarding testing scores.
Goals Not Achieved
Multisig operations security
Establish and lead a working group composed of several yTeams to implement best practices for managing operational transactions.
On-chain Risk Framework
A bootstrap risk score system for v3 with metadata risk scores is already done, but we haven't finished implementing an on-chain version for all products such as yETH, yCRV and others.
Fuzzing and Invariant Testing
Establish and lead a campaign across yearn teams to incorporate fuzzing and invariant testing.
Coordinate/lead workshops.
Plan & Goals
Note that there are no clawbacks based on the performance targets below, but performance should inform future budget requests.
Security Reviews
The security team will continue to work on the following:
Internal security reviews for all contracts developed by yTeams, and for changes or updates to the ones currently in production.
Internal security reviews for the Core Protocol, including v3 vaults, v3, yCRV, yETH and any other Yearn's product as required. Any v2 strategy will need to use this adapter. The security team will also review the code.
Coordinate with the infrastructure team on support for risk framework updates, bugs and issues with off-chain data (see the On-chain Risk Framework section for details).
Help, guidance and coordination with auditors and external security reviewers for engagements on protocol-related contracts. (Each team needs to request its own audit security budget.)
Review and triage bounty reports through our multiple pre-established channels, such as Immunefi, Vyper disclosures or any other source.
On-chain Risk Framework
Update the smart contracts and launch the on-chain risk framework to track all the v3 strategies and products.
Coordinate with the UI, Seafood, and Kong teams to decide on the best approach to display the new risk scores.
Keep the scores in the Risk Framework up to date.
Review scores and allocations in the Risk Framework frequently to ensure risk information is properly presented to users.
Ad hoc
The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support, including but not limited to:
Lead retros for incidents and follow-up actions.
Create guidelines and a minimal process for the operational security of yearn high-impact multisigs, communicate them and review adherence to the established procedures.
Smart contract development and design
Protocol and Security related tooling development
Multisig coordination for emergency transactions
Security-related events support, e.g. war room games, conference talks, etc.
External Security Review Process Guidelines
Apply the current process to help yTeams select and pay for external security reviews, including audits, contests and solo auditors.
Track the output of external security engagements and report it to yTeams.
Check the effectiveness of the process and improve it with feedback on reports.
Research New Security Tools
Research new tools to help contributors improve the security and quality of the smart contracts.
Research new code analyzers and other similar tools to make our smart contracts safer.
Fuzz and invariant testing presentations, learning resources and support for yearn contributors.
Goals
General Security
Request/review DD documents when needed.
Get feedback from strategists to improve the risk score definitions.
Update our internal checklist with common issues in v3 strategies to help strategists improve development.
Continue reviewing strategies for v2/v3.
Update the GitHub issue template to make the security process easier as needed.
Coordinate/track the external security reviews including audits/contests/solo auditors.
Track output of external security engagements and check effectiveness of process.
Coordinate with ChainSecurity the availability of our monthly slot.
Be the point of contact for the Vyper Security group in case of any incident.
General
Improve our communication by giving periodic updates about our tasks in internal groups.
Continue the improvement process, asking different contributors for feedback and retesting the results periodically.
Fuzzing and invariant testing:
Establish and lead a campaign across yearn teams to incorporate fuzzing and invariant testing.
Create learning resources and example repos; coordinate/lead workshops.
Update the internal security review process to require stricter testing rules for production deployment.
Add fuzzing and invariant testing for real yearn products as examples for the learning resources.
Multisig operations security:
Establish and lead a working group composed of several yteams.
Collect feedback and areas of improvement.
Present a public draft of a minimum viable multisig operational procedure.
Present a plan to review periodically past multisig operations against established procedures.
Manage the continuous improvement process of the procedures.
On-chain Risk Framework (ORF):
Improve the smart contracts design based on the current improvements in the security process as needed.
Integrate v3, yETH and other core contracts as needed.
Keep scores up to date.
Create a tool to check when strategies are missing in the ORF.
Research New Security Tools
Implement a tool to help contributors improve the security and quality of the smart contracts.
Implement a tool that removes friction and lets contributors run code analyzers and other similar tools to make our smart contracts safer.
Give a presentation explaining the foundations of fuzzing and invariant testing, and share learning resources and support to help yearn contributors.
Period
It will cover 3 months:
From: 2024-05-01
To: 2024-07-31
People
Rare Weasel
Spalen
Rhythm0x (internship)
Money
This budget request includes the following concepts:
2 core contributor grants.
1 internship.
Funds to be streamed over three months, starting 1st May 2024.
Total:
76,500.00 DAI (25,500.00 DAI monthly)
Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period.
Wallet address
TBD
Reporting
Monthly in this issue.