Security Team Budget Request v2

[rareweasel]

Scope

This budget request is for the security team comprised currently of two core contributors and one internship slots to continue contributing with security related work in the yearn ecosystem. It will keep the main plan, and scope of the previous version.

The list of updates published in the previous budget request.:

• April 2023 (no included in the previous request)
• May 2023
• June 2023
• July 2023

This request will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the yearn teams as capability allows. Over the following period, these budget requests should develop and provide a detail of work attempted and achieved.

This request also will detail an overview of the team's goals and objectives for the period.

Note that this budget request includes no revenue share.

Plan

Note that there are no clawbacks based on the below performance targets. But performance should impact future budget requests.

Security Reviews

The security team will continue to work on the following:

• Internal security reviews for all contracts develop by yTeams and changes or updates in the current ones in production.
• Internal security reviews for the Core Protocol, including v2 vaults, v3, yCRV, yETH and any other Yearn's product as required.
• Management of the Risk Framework and internal security review process for v2 and v3 strategies.
• Review scores and allocations frequently in the Risk Framework to ensure they are aligned regarding risk.
• Coordinate with infrastructure team on support for risk framework updates, bugs and issues.
• Help, guidance and coordination with auditors and external security reviewers for engagements with protocol-related contracts. (Each team needs to request their own audit security budget.)
• Review and assess bounty requests through our multiple pre-established channels, such as Immunefi or any other source.

External Security Reviews & Audits Coordination

The security team will guide and coordinate all the external security reviews and audits when requested by yteams.

The process for coordinating audits and external security reviews is the following:

1. The yTeam that needs an audit/external security review will request coordination/help.
2. The security team will coordinate the slot/s with the audit firms or external reviewers.
3. Once and agreement with audit firm is reached, security team will create a group so yTeam and auditors can ask/answer questions. Coordination of payment and budget is managed by each yTeam.
4. Once the audit/review finishes, the security team will review the report and coordinate with yTeam to help review issues to ensure they are fixed or acknowledge.

Note that this process might change based on the team's needs.

Ad hoc

The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support. Including but not limited to offering:

• War room support
• Smart contract development
• Product design
• Protocol and Security related tooling development
• Multisig coordination for emergency transactions
• Security related events support e.g war room games, conferences talks, etc.

Reporting monthly in this issue.

Risk Framework on-chain

The security team plans to migrate the risk framework to an on-chain version. To do so, we already developed some smart contracts as a PoC to integrate them into the v3 vaults allowing it to set the max debt dynamically. Although smart contracts are developed, they need unit tests, and we are coordinating efforts with the v3 team and strategists to push them forward.

Goals

The security team plans to:

• Security
  • Help create and review Due Dilligence documents on new protocols used by yearn's strategies, when applicable.
  • Each security review differs in time and scope but we are estimating it based on normal strategy reviews.
  • Create an internal checklist with the common issues in the v3 strategies to help the strategists to improve the development.
  • Start/continue reviewing new strategies for v3.
  • Continue reviewing updates/new strategies for v2.
• Risk Framework on-chain:
  • Completing the PoC and gathering feedback to improve the current design.
  • Review the current design to accept v2 and v3 strategies.
  • Deploying a version in an L2 chain
  • Selecting some v2 and v3 strategies to score and test it in the L2 chain.
  • Establishing a multi-sig as the owner of the contracts with the key stakeholders.
  • Making the repository public and transferring it to the Yearn organization.

Period

It will cover 3 months:

• From: 2023-08-01
• To: 2023-10-31

People

• Storm0x
• Rare Weasel
• Tapir (intern)

Money

This budget request includes the following concepts:

• 2 core contributor grants.
• 1 internship slot.

Funds to be streamed over three months, starting 1 August 2023.

Total:

10.68 YFI 78,000.00 DAI

Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period.

Funds Details

Wallet address

0x4851C7C7163bdF04A22C9e12Ab77e184a5dB8F0E

Reporting

Monthly

[rareweasel]

Security Team August Updates

• SEAL (Security Alliance) <> YEARN Attack Simulation
  • coordinate with SEAL on details and preparation for attack simulations.
  • tabletop exercise meeting with SEAL/ Yearn team
• DDs & Security reviews
  • Followed up on previous security reviews.
  • Aave Lender v3: https://github.com/yearn/yearn-strategies/issues/533
  • Compound Lender v3: https://github.com/yearn/yearn-strategies/issues/534
  • yETH Rate Providers: https://github.com/yearn/yearn-strategies/issues/567
  • Maker DSR v3: https://github.com/yearn/yearn-strategies/issues/541
  • Maker DSR v3 router strategy: https://github.com/yearn/yearn-strategies/issues/579
  • stETH accumulator patch https://github.com/yearn/yearn-strategies/issues/584
• V3 Security
  • Discussed the v3 review process with strategies and v3 teams.
    • https://hackmd.io/@D4Z1faeARKedWmEygMxDBA/H1SBqVdi
  • Reviewed v3 code to implement generic invariant/integration tests for v3 strategies.
  • Propose withdrawal healthcheck draft spec (https://hackmd.io/CLNtri9fSHimM9ClkbUi-g)
    • After discussion of spec Schlag added healthcheck hooks to withdraw https://github.com/yearn/tokenized-strategy-periphery/blob/14076aa2ccc8000cb78ee26a2c0952ad64ad8034/src/HealthCheck/BaseHealthCheck.sol#L172-L239
  • Created an internal repository to execute multiple analyzer/fuzzer tools in the v3 strategies (and also invariant tests soon).
  • Improved the V3 Gotchas doc: https://hackmd.io/r1Jcic8kRwG4dsvHw-N0cA
• Risk Framework
  • Checked/fixed missing risk scores reported in Sync Yearn Farm website.
  • Planning phase for on-chain risk framework
• 4 Bounty Reports
  • Triage spam bounties from immunefi
  • Coordinated small bounty for Permit method lack of chain id in woofy token and ammended disclosure to remove from scope https://github.com/yearn/yearn-security/pull/79
• Budget request approval for the next 3 months: https://github.com/yearn/budget/issues/145

NOTE: some of the links for internal gh repos are access restricted for security purposes.

[rareweasel]

Security Team September Updates

• SEAL (Security Alliance) <> YEARN Attack Simulation
  • Coordinated the last details for the simulation attack.
  • Attended the simulation attack war room.
• DDs & Security reviews
  • Followed up on previous security reviews.
  • Pearl DD: https://github.com/yearn/yearn-strategies/pull/588
  • 3 Polygon separate V3 LST Strategies (polygon-stETH, polygon-stMATIC, mainnet-stETH): https://github.com/yearn/yearn-strategies/issues/570
  • Convex Frax Factory Template: https://github.com/yearn/yearn-strategies/issues/561
  • stETH accumulator upgrade: https://github.com/yearn/yearn-strategies/issues/584
  • yBAL zap update https://github.com/yearn/yearn-strategies/issues/568
  • Ongoing review of v3 Maker DSR and Router strategy https://github.com/yearn/yearn-strategies/issues/579
  • Quick review on minor PR for veYFI gauges https://github.com/yearn/veYFI/pull/228/files
• V3 Security & Template
  • Discussed the v3 review process with strategies and v3 teams.
    • https://hackmd.io/@D4Z1faeARKedWmEygMxDBA/H1SBqVdi
  • Reviewed v3 code to implement generic invariant/integration tests for v3 strategies.
  • v3 Template: add summary table: https://github.com/yearn/yearn-strategies/pull/591
  • v3 Template: Add Risk score section: https://github.com/yearn/yearn-strategies/pull/592
• Immunefi Bounty Reports
  • Triage spam bounties from immunefi.
  • Triage low bounty report in V3 code.
  • Added yETH production contracts to bounty page
• Risk Framework
  • Off-chain
    • VelodromeV2 Factory Has Incorrect TVL (Op Network): https://github.com/yearn/ydaemon/issues/323
    • Create New "Generic Lev Aave v3" Group (v3 Polygon): https://github.com/yearn/ydaemon/issues/324
    • Missing Strategy in the "Curve Boosted Factory" (Ethereum) Group: https://github.com/yearn/ydaemon/issues/325
    • Group "Convex Factory" (Ethereum) Is Not Display in Risk Framework: https://github.com/yearn/ydaemon/issues/326
  • On-chain
    • Created the multi-chain multisigs for the ySecurity team and risk framework onchain.
    • Added more unit tests using Foundry, covering edge cases.
    • Added Integration tests (using forks).
    • Deployed in Base (testnet) and Polygon (testnet).
    • Added new unit tests to the RiskFramework contract.
    • Made small changes to improve the design.
  • CLI
    • Released First alpha version of CLI in python for risk fmk with heatmap command to display the risk framework map https://github.com/storming0x/py-risk
• Others
  • Fixed issue and re-deployed subgraph on Base network
    • https://thegraph.com/studio/subgraph/yearn-vaults-v2-subgraph-base

NOTE: some of the links for internal gh repos are access restricted for security purposes.

[rareweasel]

Security Team October Updates

• DDs & Security reviews
  • Tangible: https://github.com/yearn/yearn-strategies/issues/573
  • DYFI PR: https://github.com/yearn/veYFI/pull/230
  • v3 Router https://github.com/yearn/yearn-strategies/issues/579
  • Aave V3 Lender: small changes due to new dependency tokenized-strategy release (v3.0.1)
  • Convex Frax Strategy Fix: https://github.com/yearn/yearn-strategies/issues/561
  • Pearl Compounder: https://github.com/yearn/yearn-strategies/issues/577
• V3 Security & Template
  • Add Experts & Test Coverage Sections: https://github.com/yearn/yearn-strategies/pull/597
• Immunefi Bounty Reports
  • Triage bounties from immunefi.
• Risk Framework
  • On-chain
    • Improved smart contracts design to support multi networks.
    • Tested with v2 and v3 strategies.
    • Deployed Risk Framework on-chain contracts on Polygon.
    • Developed subgraph for the risk framework contracts.
    • Created a script to get the differences between the RF off-chain (yDaemon) vs on-chain.
    • Add copyScores function: https://github.com/yearn/risk-framework/pull/8
    • Made both Github repositories public and transferred to the Yearn organization.
      • Risk Framework: https://github.com/yearn/risk-framework
      • Risk Framework Subgraph: https://github.com/yearn/risk-framework-subgraph
      • Subgraph: https://thegraph.com/hosted-service/subgraph/yearn/yearn-risk-framework
  • CLI
    • Support heatmap graph
    • Support risk group data commands
• Others
  • Multi-chain Factories: Created subgraph to query new vaults created dynamically (wip).
  • Prepared Security Team Budget Request v3.
  • Prepared Security Team Updates Presentation.

NOTE: some of the links for internal gh repos are access restricted for security purposes.