With the original v3 budget request, comparable audit costs were used to come up with an expected cost of $40k. When yAcademy/yAudit was asked for a quote, $65k was given for a 4 week audit. This leaves a shortfall of $25k from the original budget request.
The v3 protocol team explored auditing only a subset of the codebase or asking the auditors to propose a shorter audit timeline. The following feedback was received:
[The v3 strategy & vault repos] are very closely interlinked. The code in these repos is also very dependent on the ERC4626 tokens that they integrate with. If the audit was self-contained to only the code that is in these repos and ignored integrations and compatibility, then it’s possible we would not need 4 weeks for this audit. But because edge case integrations are a common place for security issues to arise, we expected that testing the v3 code would involve more testing than a standard audit.
[We] thought it is better to audit the two repos together. Even if the vault code is functioning independently from the strategy code, interface points between contracts (external calls) are a very common place for implementation issues to appear, and being able to focus on this interface while auditing both of the two repos is an important benefit to the audit process. Even ignoring this interface, it’s possible that noticing how two separate steps in the different repos are implemented (say, internal accounting) may make it easier to spot issues that could appear when strategies are implemented.
The V3 protocol team agrees with this assessment and believes it to be in Yearn’s strategic interest to have the full 4-week audit on both codebases performed.
Plan
Pay for a yAudit covering both the Vyper multi-strategy v3 vault and the Solidity tokenized strategy. The audit will take 4 weeks and is intended to cover both the individual contracts and their integration points.
Deadline
2023-06-30
People
yAudit
Money
The total yAudit quote was for $65k with $40k currently budgeted. $25k is required to cover the shortfall.
Scope
Cover the yAudit cost above the amount projected in the active Budget request V3 Protocol Team.
Amount
$25000
Wallet address
TBD
Reporting
Once