
Security Team - Budget Request

Open rareweasel opened this issue 1 year ago • 5 comments

Scope

This budget request is for the security team, currently comprised of two core contributors and one internship slot, to continue contributing security-related work in the yearn ecosystem. It will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the yearn teams as capacity allows. Over the following period, these budget requests should develop and provide details of work attempted and achieved.

This request also will detail an overview of the team's goals and objectives for the period.

Note that this budget request includes no revenue share.

Plan

Note that there are no clawbacks based on the below performance targets. But performance should impact future budget requests.

Security Reviews

The security team will continue to work on the following:

  • Internal security reviews for all contracts developed by yteams and changes or updates in the current ones in production.
  • Internal security reviews for the Core Protocol, including v2 vaults, v3, yCRV, yETH and any other Yearn's product as required.
  • Management of the Risk Framework and internal security review process.
  • Review scores and allocations frequently in the Risk Framework to ensure they are aligned regarding risk.
  • Coordinate with infrastructure team on support for risk framework updates, bugs and issues.
  • Help, guidance and coordination with auditors and external security reviewers for engagements with protocol-related contracts. (Each team needs to request their own audit security budget.)
  • Review and assess bounty requests through our multiple pre-established channels, such as Immunefi or any other source.

External Security Reviews & Audits Coordination

The security team will guide and coordinate all the external security reviews and audits when requested by yteams.

The process for coordinating audits and external security reviews is the following:

  1. The yTeam that needs an audit/external security review will request coordination/help.
  2. The security team will coordinate the slot/s with the audit firms or external reviewers.
  3. Once an agreement with the audit firm is reached, the security team will create a group so the yTeam and auditors can ask/answer questions. Coordination of payment and budget is managed by each yTeam.
  4. Once the audit/review finishes, the security team will review the report and coordinate with the yTeam to help review issues to ensure they are fixed or acknowledged.

Note that this process might change based on the team's needs.

Ad hoc

The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support, including but not limited to offering:

  • War room support
  • Smart contract development
  • Product design
  • Protocol and Security related tooling development
  • Multisig coordination for emergency transactions

Reporting weekly in the telegram group and monthly in the issue.

Goals

The security team plans to:

  • Include one new internship slot during this period to increase security review capabilities.
  • Train the new intern based on their knowledge and protocol requirements.
  • Help create and review Due Diligence documents on new protocols used by yearn's strategies, when applicable.
  • Each security review differs in time and scope but we are estimating it based on normal strategy reviews.

Deadline

2023-04-01

People

  • Storm0x 67% work in security (33% in serpentor during 3 months period)
  • Rare Weasel
  • 1 internship spot

Money

This budget request includes the following concepts:

  • 2 core contributor grants.
  • 1 internship slot.

Funds to be streamed over three months, starting 1 April 2023.

Total:

7.5 YFI and 62,000.00 DAI

Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period.

Funds Details

Wallet address

0x4851C7C7163bdF04A22C9e12Ab77e184a5dB8F0E

Reporting

Monthly

rareweasel, Mar 02 '23 23:03

Fully support this! I've been working with Weasel and Storm for about a year now. They have been instrumental in finding hard-to-spot vulnerabilities and are always happy to help and share their knowledge. Funding security reviews is paramount in keeping user deposits safe and maintaining Yearn's reputation. These are the right people for the job and are worth every penny!

0xValJohn, Mar 03 '23 13:03

Security Team April Updates

  • Followed up on ongoing security reviews.

  • Reviewed warnings about risk framework in the Sync Yearn website recurrently.

  • Security reviews

    • Optimism yVault Staking Pools: https://github.com/yearn/yearn-strategies/issues/475
    • Sonne GenLev Recurring Review: https://github.com/yearn/yearn-strategies/issues/492
    • RouterStrategy Atomic Fee-Loss Protection: https://github.com/yearn/yearn-strategies/issues/495
    • Sonne blocksToLiquidationDangerZone misconfiguration: https://github.com/yearn/yearn-strategies/issues/512
    • Sonne GenLev Recurring Review Fixes: https://github.com/yearn/yearn-strategies/issues/511
    • Morpho DD: https://github.com/yearn/yearn-strategies/pull/431
    • yBAL (yCRV Fork), only (3) and (4): https://github.com/yearn/yearn-strategies/issues/467
    • Optimism Convex 3CRV Base Review: https://github.com/yearn/yearn-strategies/issues/458
    • Convex 3Crypto Review: https://github.com/yearn/yearn-strategies/issues/460
    • Gearbox Lender Review: https://github.com/yearn/yearn-strategies/issues/413
  • Created issues (and followed up) to update scores in the Risk Framework

    • St-yCRV: https://github.com/yearn/ydaemon/issues/241
    • Sonne Finance: https://github.com/yearn/ydaemon/issues/243
    • St-yCRV not working: https://github.com/yearn/ydaemon/issues/249
    • Lp-yCRV: https://github.com/yearn/ydaemon/issues/250
    • Update Sonne Finance: https://github.com/yearn/ydaemon/issues/255
    • Create new Curve Group (Optimism) https://github.com/yearn/ydaemon/issues/258
  • Followed up the process with the whitehat in the Immunefi report.

  • Published the disclosure for the Immunefi report.

    • https://github.com/yearn/yearn-security/pull/74
  • Created/submitted Immunefi request to update our bounties program to improve the scope and clearness. https://immunefi.com/bounty/yearnfinance/

  • Updated our SECURITY.md file: https://github.com/yearn/yearn-security/pull/75

  • Closed +8 invalid reports in Immunefi and notified the team about the spam.

  • Reviewed the protocol v3 code, presentation, and docs to familiarize me with the code and be able to review new strategies.

  • yETH internal security review ongoing

  • yETH Chainsecurity audit report analysis

  • Cleaned up recurring reviews in the new strategist dashboard.

NOTE: some of the links for internal gh repos are access restricted for security purposes.

rareweasel, May 02 '23 18:05

Security Team May Updates

  • Followed up on ongoing security reviews.
  • Created recurring reviews as per process.
  • Reviewed warnings about risk framework in the Sync Yearn website weekly.
  • DDs & Security reviews
    • yBAL (yCRV Fork): https://github.com/yearn/yearn-strategies/issues/467
    • Flux Finance DD: https://github.com/yearn/yearn-strategies/pull/529
    • Flux Finance Code: https://github.com/yearn/yearn-strategies/issues/528
    • 0.4.6 Router Upgrade: https://github.com/yearn/yearn-strategies/issues/490
    • yETH Review: https://github.com/yearn/yearn-strategies/issues/519
    • Gearbox Lender Strategy Review: https://github.com/yearn/yearn-strategies/issues/413
    • Curve Factory Maintenance: https://github.com/yearn/yearn-strategies/issues/517
    • Balancer Aura Factory Review: https://github.com/yearn/yearn-strategies/issues/518
    • yETH Bootstrap Review: https://github.com/yearn/yearn-strategies/issues/527
    • Convex Arbitrum Strategy Fixes Review: https://github.com/yearn/yearn-strategies/issues/460
  • Created issues (and followed up) to update scores in the Risk Framework
    • Comp v3 Lender Borrower: https://github.com/yearn/ydaemon/issues/265
    • yBAL: https://github.com/yearn/ydaemon/issues/264
    • Staking OP Rewards: https://github.com/yearn/ydaemon/issues/267
    • Flux Finance: https://github.com/yearn/ydaemon/issues/271
  • Triaged and closed 3 invalid reports in Immunefi and notified the team about the spam.
  • Updated our internal security process: https://github.com/yearn/yearn-strategies/pull/532
  • Reviewed the protocol v3 code, presentation, and docs to familiarize me with the code and be able to review new strategies.
  • Read yETH and v3 vaults audit reports
  • Gave feedback about an AI platform to build a PoC for the Risk Framework.
  • Developed some contracts (PoC) to track risk scores on-chain, and a MaxDebtManager to use as v3 module.
  • Started development of SC review check list for internal process assistance.
  • Triaged, together with the vaults and other yearn vyper projects, 3 bug issues in the vyper compiler for possible impact on production code and contracts in development.
    • Incorrect evaluation for default arguments passed to internal calls: https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g
    • OOB DynArray access when the array is on both the LHS and RHS of an assignment: https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv
    • Integer overflow for loops of the form for i in range(x, x+N): https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj

NOTE: some of the links for internal gh repos are access restricted for security purposes.

rareweasel, Jun 01 '23 23:06

Security Team June Updates

  • DDs & Security reviews
    • Followed up on ongoing security reviews.
    • Created recurring reviews as per process.
    • yBAL (Zap): https://github.com/yearn/yearn-strategies/issues/467
    • lp-yCRV Recovery: https://github.com/yearn/yearn-strategies/issues/549
    • Liquity DD: https://github.com/yearn/yearn-strategies/pull/531
    • Velodrome v2 DD: https://github.com/yearn/yearn-strategies/pull/555
    • Velodrome v2 factory strategy template review: https://github.com/yearn/yearn-strategies/issues/552
    • ERC4626 router for vaults v3 ongoing review: https://github.com/yearn/yearn-strategies/issues/545
  • Risk Framework
    • Reviewed warnings about risk framework in the Sync Yearn website weekly.
    • Pushed changes and internally shared (to get feedback) the new contracts/repository for Risk Framework on-chain.
    • Created issues (and followed up) to update scores:
      • Remove Sturdy Group: https://github.com/yearn/ydaemon/issues/280
      • Create Router Strategy v2 Group (Ethereum): https://github.com/yearn/ydaemon/issues/279
      • Create new Aura Factory Group: https://github.com/yearn/ydaemon/issues/278
  • Bounty reports
    • Updated the immunefi bounty page with new assets in scope to filter spam quicker.
    • Triaged and closed 15 invalid reports in Immunefi and notified the team about the spam.
  • Updated the SC review check list for internal process assistance.
  • Helped review the escrow contract (BountyContract) for the yTrades bounty.
  • Reviewed audit reports for yETH.
  • Started reviewing yearn V3 strategy and vault contracts in depth in order to create security checklists for strategists to maintain yearn v3 safety (the document will be shared publicly after the v3 study is completed and some progress has been made).

NOTE: some of the links for internal gh repos are access restricted for security purposes.

rareweasel, Jul 03 '23 17:07

Security Team July Updates

  • Security events
    • Attended Defi Security Summit 2023 to learn about the latest security research, infra, services and processes to apply to yearn's smart contracts.
    • Attended the Ecosystem security retreat to showcase yearn's security process (DD, incident response) and help draft common industry standards around specific areas that are lacking: incident response, best practices for coding SC, etc.
    • Attended and helped with war room games exercises for tenderly/yearn/yaudit event in Paris.
  • DDs & Security reviews
    • Followed up on ongoing security reviews.
    • YCRV zap v3 - new pool support: https://github.com/yearn/yearn-strategies/issues/468
    • vl-yCRV Rewards Distributor: https://github.com/yearn/yearn-strategies/issues/556
    • ERC 4626 router review finished: https://github.com/yearn/yearn-strategies/issues/545
    • Read external audit reports for Yearn related Smart Contracts.
    • yETH Rate Provider Contract review: https://github.com/yearn/yearn-strategies/issues/567
    • yLQTY Vault Review: https://github.com/yearn/yearn-strategies/issues/491
    • Maker DSR V3 Strategy Review: https://github.com/yearn/yearn-strategies/issues/541
  • V3
    • Studying V3 design and code to help with upcoming batch of v3 related security reviews. https://github.com/orgs/yearn/projects/27/views/18
    • Further recurring reviews for V3 Smart contracts.
    • Preparation for v3 checklist to aid in reviews.
    • Read latest v3 audit reports from external firms.
  • Risk Framework
    • Reviewed warnings about risk framework in the Sync Yearn website weekly.
    • Discussed some issues regarding the risk framework with the yDaemon team internally.
    • Started design/discussions about the required changes in yDaemon to support v3 groups. https://github.com/yearn/ydaemon/issues/300
    • Update Liquidity Provider yCRV Group: https://github.com/yearn/ydaemon/issues/291
    • Add new yLQTY Group: https://github.com/yearn/ydaemon/issues/295
  • Bounty reports
    • Updated the immunefi bounty page with new assets in scope to filter spam quicker.
      • New v3 contract addresses.
      • New yETH contract addresses
    • Triaged and closed 1 invalid report in Immunefi and notified the team about the spam.
  • Vyper security disclosures
    • Triaged 3 vyper security disclosures and analyzed the possible impact on yearn's production smart contracts in coordination with the vyper and yearn core teams (no impact).
  • Prepared the budget request for the next 3 months: https://github.com/yearn/budget/issues/145

NOTE: some of the links for internal gh repos are access restricted for security purposes.

rareweasel, Jul 28 '23 14:07