Sam - Security and Monitoring #3 #252

Open
spalen0 opened this issue Jan 21, 2025 · 0 comments
Labels
approved An approved budget request budget request A budget request

spalen0 commented Jan 21, 2025

Scope

The SAM team is dedicated to keeping security and monitoring in place for Yearn projects and strategies.

Old BRs:

Plan

The team will continue to build and improve a monitoring system for the underlying protocols to ensure strategy safety and conduct all internal security reviews of the Yearn ecosystem. All planned tasks are split into the following 3 categories:

1 - Internal Security Reviews of Yearn

V3 Strategy Reviews:

  1. Strategy Security Reviews: Focus on identifying bugs in production and assessing audit quality.
  2. Utilization of GitHub Actions: Ensure that GitHub Actions for tests are completed and working before moving to production. Continue to add tests for emergency withdrawals on strategies in production. Tests are run daily on the latest fork to ensure emergency functions can be called.
  3. Risk Score Attachment: Attach risk scores to issues based on prepared risk assessments and add comments to justify the scores if necessary.
  4. Complex Strategies and High TVL: For strategies marked as complex, having significant TVL in production, or being good candidates for external protocol collaboration, the team will add a "Recurring Review" issue to prioritize later review by other team members. The frequency of the recurring review will depend on the TVL and strategy risk score.

Ventures (yETH, veYFI, etc.)

The team will do full reviews of other projects from the Yearn ecosystem. Recurring reviews will be done if needed.

Bug Bounty Management

Yearn Finance has an open bug bounty program on Immunefi. Submitted bugs will be checked and verified by the team. Additionally, new contracts will be added to Immunefi as they are deployed and ready for the bug bounty program.

Continue with the bug bounty program on Sherlock, which covers only strategy-specific code in production.

2 - Yearn Risk Scores

Continue the work on the Risk Score Framework and add new risk score values by utilizing the new repository, which automates attaching risk score values to yDaemon.

Reevaluate the current framework to integrate risk from protocols that use different curators and risks, like Morpho and Euler. The current framework evaluates only the protocol as a whole, but each market carries different risks that are not covered by the current values. Explore changes to define a new formula for the final risk score that will put more weight on riskExposureScore, which defines how much and how often a strategy can be subject to losses.

Create a breakdown of different collateral assets with different risk scores. Continue to evaluate Morpho markets and provide risk scores. Explore new lending markets like Euler and provide risk scores for markets used by Yearn strategies.

3 - Risk Monitoring

The team will work with the strategist on which data should be monitored to ensure strategy safety and help in building the monitoring system. Tenderly will be used heavily for this, with additional custom tools depending on the protocol.

Create and manage Telegram monitoring groups for each protocol. Governance contracts are also monitored, and we will keep them up to date. Some protocols and tools that are planned:

  • Euler - new strategy is in the pipeline but we don't have any monitoring set up.
  • Fluid - new strategy is in the pipeline but we don't have any monitoring set up.
  • Morpho - a lot of new vaults added. Explore the monitoring of curators for strategies with high TVL. Prepare for changes in the new Morpho Vaults 1.1.
  • Moonwell - improve bad debt monitoring. The current implementation uses an API that doesn't update data hourly.
  • LRTs - continue to monitor EigenLayer and create new tools to monitor slashing when activated.
  • Multisig checker - current stack only monitors for new transactions in the Safe and sends alerts that require manual checking. Try to build an AI Agent to summarize transaction details to minimize manual work.

Deadline

2025-04-30

People

  • Spalen
  • Tapir

Money

  • Infrastructure cost is covered with the total amount.
  • 24 * 3 = 72

Amount (Total)

72000

Wallet address

0xe5e2Baf96198c56380dDD5E992D7d1ADa0e989c0

Reporting

Once

@spalen0 spalen0 added the budget request A budget request label Jan 21, 2025
@0xPickles 0xPickles added the approved An approved budget request label Feb 5, 2025