
Security Team Budget Request v4

Open rareweasel opened this issue 1 year ago • 2 comments

Scope

This budget request is for the security team comprised currently of two core contributors and a part-time contributor to continue contributing with security related work in the yearn ecosystem.

The list of previous budget requests:

This request will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the yearn teams, as capacity allows, together with the other tasks described below. Over the following period, these budget requests should develop and provide a detailed record of work attempted and achieved.

This request also will detail an overview of the team's goals and objectives for the period.

Note that this budget request includes no revenue share.

Presentation link.

Plan

Note that there are no clawbacks based on the below performance targets. But performance should impact future budget requests.

Security Reviews

The security team will continue to work on the following:

  • Internal security reviews for all contracts developed by yTeams and for changes or updates to the ones currently in production.
  • Internal security reviews for the Core Protocol, including v2/v3 vaults, v3, yCRV, yETH and any other Yearn product as required.
  • Management of the Risk Framework and internal security review process for v2 and v3 strategies.
  • Review scores and allocations frequently in the Risk Framework to ensure risk information is properly presented to users.
  • Coordinate with infrastructure team on support for risk framework updates, bugs and issues for off chain data. (see on chain risk framework section for details)
  • Help, guidance and coordination with auditors and external security reviewers for engagements with protocol-related contracts. (Each team needs to request their own audit security budget.)
  • Review and triage bounty reports through our multiple pre-established channels, such as Immunefi, vyper disclosures or any other source.

Ad hoc

The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support, including but not limited to:

  • Lead retros for incidents
  • Incident support
  • Fuzz and invariant testing workshops, learning resources and support to help yearn devs
  • Create guidelines and minimal process for operational security of yearn high impact multisigs, communicate them and review adherence to established procedures.
  • Smart contract development
  • Product design
  • Protocol and Security related tooling development
  • Multisig coordination for emergency transactions
  • Security related events support, e.g. war room games, conference talks, etc.

External Security Review Process Guidelines

  • Define and implement a process for yTeams to select and pay for external security reviews including audits/contests/solo auditors.
  • Track output of external security engagements and report them to yTeams.
  • Check effectiveness of process and improve it with feedback on reports.

Goals

The security team plans to:

  • Fuzzing and invariant testing:

    • Establish and lead a campaign across yearn teams to incorporate fuzzing and invariant testing.
    • Create learning resources, example repos, coordinate/lead workshops.
    • Update security review internal process to require stricter testing rules for production deployment.
    • Update risk scoring process and documentation regarding testing scores.
    • Add fuzzing and invariant testing for real yearn products as example for learning resources.
      • veYFI fuzzing and invariant testing
      • Compound lender/borrower example fuzzing
  • Multisig operations security:

    • Establish and lead a working group composed of several yteams.
    • Collect feedback and areas of improvement.
    • Present public draft for minimum viable multisig operational procedure.
    • Publish procedures
    • Present a plan to review periodically past multisig operations against established procedures.
    • Manage the continuous improvement process of the procedures.
  • Risk Framework On-chain:

    • Integrate v3, yETH and other core contracts as needed.
    • Support up to date scores.
  • General Security

    • Help create and review Due Diligence documents on new protocols used by yearn's strategies, when applicable. This item will consider external risk data providers to coordinate the new v3 risk scoring process.
    • Each security review differs in time and scope but we are estimating it based on normal strategy reviews.
    • Create an internal checklist with the common issues in the v3 strategies to help the strategists to improve the development.
    • Start/continue reviewing new strategies for v3.
    • Continue reviewing updates/new strategies for v2.
    • Improve GitHub issues to make the security process easier.
    • Define a process for yTeams to select and pay for external security reviews including audits/contests/solo auditors.
    • Track output of external security engagements and check effectiveness of process.
    • Follow up on the actions discussed in the war room, retros, and similar calls with the assigned contributors, reviewing ETA.
    • Become owner and lead of the Single Process security-wise for the v3 vaults working with the strategists and other contributors in order to get the best (and simple) process to increase our TVL, and revenue.
    • Be part of the Vyper security group.
  • General

    • Improve our communication giving updates about our tasks in internal groups periodically.
    • Implement an active improvement process, asking for feedback to different contributors and retest the results periodically.

Period

It will cover 3 months:

  • From: 2024-02-01
  • To: 2024-04-30

People

  • Rare Weasel
  • Tapir
  • Mil0x (part-time)

Money

This budget request includes the following concepts:

  • 2 core contributor grants.
  • 1 part-time contributor.

Funds to be streamed over three months, starting 1st February 2024.

Total:

85,990.00 DAI

Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period.

Funds Details

Wallet address

0x4851C7C7163bdF04A22C9e12Ab77e184a5dB8F0E

Reporting

Monthly in this issue.

rareweasel, Jan 31 '24 15:01

Security Team February Updates

  • DDs & Security reviews
    • Ajna Lender: https://github.com/yearn/yearn-strategies/issues/564
    • yETH Periphery Update: https://github.com/yearn/yearn-strategies/issues/596
    • V3 Leveraged LST strategy (ongoing): https://github.com/yearn/yearn-strategies/issues/608
    • AAVE V3 Lender updates: https://github.com/yearn/yearn-strategies/issues/633
    • Prisma Convex Farmer Update: https://github.com/yearn/yearn-strategies/issues/628
  • Bug bounty report
    • Triaged Immunefi reports.
  • Risk Framework On-chain
    • Improved script to check missing strategies in the ORF (WIP). Analyzing a dynamic approach to get alerts/notifications when strategies are missing in the ORF.
  • Other
    • Sent DM to some yContributors to get feedback about the security team.
    • Fully revisited our goals, discussing internally the best approach.
    • Created/updated internal tasks for the new/old goals, setting priorities.
    • Coordinated tasks for the new part-time member: @mil0x
    • Internal discussion about simplifying processes, improving communication, vault scores and others.
    • Coordinated/assigned responsibilities/tasks to each member.

rareweasel, Mar 04 '24 21:03

Security Team March Updates

  • DDs & Security reviews
    • Compound v3 Updates: https://github.com/yearn/yearn-strategies/issues/634
    • V2 Router V3: https://github.com/yearn/yearn-strategies/issues/629
    • V3 Lst Steth: https://github.com/yearn/yearn-strategies/issues/570
    • Yearn BaseERC4626 & Sturdy: https://github.com/yearn/yearn-strategies/issues/631
    • Ajna Router & BaseERC4626: https://github.com/yearn/yearn-strategies/issues/636
    • Pendle LP Factory: https://github.com/yearn/yearn-strategies/issues/575
  • Bug bounty report
    • Triaged Immunefi reports.
  • Other
    • Updated the risk framework eth multisig with new members.
    • Tracked new audit payments to ChainSecurity and yAudit.
    • Lost Discord Handle: Had the retro call & followed-up the actions.
    • Could get the previous agreement with ChainSecurity and discussed a new one, getting more flexibility in terms of slots. The security team has a monthly recurrent call to coordinate/plan the next slots.
    • Lots of internal discussions over the weeks, but we are almost done with these 3 documents:
      • "Security Processes & Risk Management".
      • "Risk Scores Definition".
      • New GitHub V3 strategy issue template https://github.com/yearn/yearn-strategies/pull/644
    • Found a few bugs in Yearn Tokenized Periphery TradeFactorySwapper https://github.com/yearn/tokenized-strategy-periphery/commit/abdec3622bea14311660507b79f531e2c13ca33a

rareweasel, Apr 03 '24 21:04