Open rareweasel opened 1 year ago
Fully support this! I've been working with Weasel and Storm for about a year now. They have been instrumental in finding hard-to-spot vulnerabilities and are always happy to help and share their knowledge. Funding security reviews is paramount in keeping user deposits safe and maintaining Yearn's reputation. These are the right people for the job and are worth every penny!
Followed up on ongoing security reviews.
Reviewed warnings about risk framework in the Sync Yearn website recurrently.
Security reviews
Created issues (and followed up) to update scores in the Risk Framework
Followed up the process with the whitehat in the Immunefi report.
Published the disclosure for the Immunefi report.
Created/submitted Immunefi request to update our bounties program to improve the scope and clarity. https://immunefi.com/bounty/yearnfinance/
Updated our SECURITY.md file https://github.com/yearn/yearn-security/pull/75
Closed 8+ invalid reports in Immunefi and notified the team about the spam.
Reviewed the protocol v3 code, presentation, and docs to familiarize myself with the code and be able to review new strategies.
yETH internal security review ongoing
yETH Chainsecurity audit report analysis
Cleaned up recurring reviews in the new strategist dashboard.
NOTE: some of the links for internal gh repos are access restricted for security purposes.
Triaged, together with the vaults and other Yearn Vyper projects, 3 bug issues in the Vyper compiler for possible impact on production code and contracts in development:
incorrect evaluation for default arguments passed to internal calls https://github.com/vyperlang/vyper/security/advisories/GHSA-ph9x-4vc9-m39g
OOB DynArray access when array is on both LHS and RHS of an assignment https://github.com/vyperlang/vyper/security/advisories/GHSA-3p37-3636-q8wv
integer overflow for loops of form for i in range(x, x+N) https://github.com/vyperlang/vyper/security/advisories/GHSA-6r8q-pfpv-7cgj
Scope
This budget request is for the security team, currently comprised of two core contributors and one internship slot, to continue contributing security-related work in the Yearn ecosystem. It will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the Yearn teams, as capacity allows. Over the following period, these budget requests should detail the work attempted and achieved.
This request will also detail an overview of the team's goals and objectives for the period.
Note that this budget request includes no revenue share.
Plan
Note that there are no clawbacks based on the below performance targets. But performance should impact future budget requests.
Security Reviews
The security team will continue to work on the following:
External Security Reviews & Audits Coordination
The security team will guide and coordinate all the external security reviews and audits when requested by yteams.
The process for coordinating audits and external security reviews is the following:
Note that this process might change based on the team's needs.
Ad hoc
The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support, including but not limited to offering:
Reporting weekly in the Telegram group and monthly in the issue.
Goals
The security team plans to:
Deadline
2023-04-01
People
Money
This budget request includes the following concepts:
Funds to be streamed over three months, starting 1 April 2023.
Total: 7.5 YFI and 62,000.00 DAI
Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period.
Funds Details
Wallet address
0x4851C7C7163bdF04A22C9e12Ab77e184a5dB8F0E
Reporting
Monthly