Security Team Budget Request v3

[rareweasel]

Scope

This budget request is for the security team comprised currently of two core contributors and one internship slot to continue contributing with security-related work in the yearn ecosystem. It will keep the main plan, and scope of the previous version.

The list of updates published in the previous (v2) budget request:

• August 2023
• September 2023
• October 2023 (wip)

Presentation: link

This request will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the yearn teams as capability allows. Over the following period, these budget requests should develop and provide a detail of work attempted and achieved.

This request also will detail an overview of the team's goals and objectives for the period.

Note that this budget request includes no revenue share.

Plan

Note that there are no clawbacks based on the below performance targets. But performance should impact future budget requests.

Security Reviews

The security team will continue to work on the following:

• Internal security reviews for all contracts develop by yTeams and changes or updates in the current ones in production.
• Internal security reviews for the Core Protocol, including v2/v3 vaults, v3, yCRV, yETH and any other Yearn's product as required.
• Management of the Risk Framework and internal security review process for v2 and v3 strategies.
• Review scores and allocations frequently in the Risk Framework to ensure risk information is properly presented to users.
• Coordinate with infrastructure team on support for risk framework updates, bugs and issues for off chain data. (see on chain risk framework section for details)
• Help, guidance and coordination with auditors and external security reviewers for engagements with protocol-related contracts. (Each team needs to request their own audit security budget.)
• Review and triage bounty reports through our multiple pre-established channels, such as Immunefi, vyper disclosures or any other source.

External Security Reviews & Audits Coordination

The security team will guide and coordinate all the external security reviews and audits when requested by yteams.

The process for coordinating audits and external security reviews is the following:

1. The yTeam that needs an audit/external security review will request coordination/help.
2. The security team will coordinate the slot/s with the audit firms or external reviewers.
3. Once and agreement with audit firm is reached, security team will create a group so yTeam and auditors can ask/answer questions. Coordination of payment and budget is managed by each yTeam.
4. Once the audit/review finishes, the security team will review the report and coordinate with yTeam to help review issues to ensure they are fixed or acknowledge.

Note that this process might change based on the team's needs.

Ad hoc

The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support. Including but not limited to offering:

• War room support
• Smart contract development
• Product design
• Protocol and Security related tooling development
• Multisig coordination for emergency transactions
• Security related events support e.g war room games, conferences talks, etc.

Risk Framework On-chain

As part of concerted plan of improving on yearn's current risk framework and overall security to support the upcoming launch of v3 and also integrating into it yETH and other yearn's core contracts, we developed and executed the plan to launch the risk framework protocol, which consists of a suite of contracts to manage yearn's risk framework.

In order to migrate the Risk Framework off-chain to on-chain, the security team has already deployed the initial smart contracts for a pilot phase on Polygon. In that direction, we also created this multi-sig (multichain) that will manage the configuration (scores).

We also have developed and published the subgraph to make it easier to query data from the contracts.

Both items have been tested successfully (set scores and tags) with some strategies/vaults from v2/v3 on Polygon.

Links:

• Risk Framework.
• Risk Framework Subgraph.
• Subgraph. (you can query the scores already sent)

The migration phase will follow after our initial pilot. We plan to back up all the current strategies and scores (342 strategies in 5 networks) from yDaemon. Verify and update each score as needed and publish in the on-chain version -only active strategies- gradually during pilot phase to test integrations.

Detailed Phases:

• Pilot phase: initial deployment and testing, protocol, subgraph and CLI alpha version. (current phase)
• Migration phase: migrate and load off chain information into on chain protocol.
• Testing phase: test contracts for parity with off chain scoring.
• Feature support: Add support for v3 and yETH to have risk score. Integrate with v3 debtmanager modules.
• Multichain: Research design to support risk framework on different chains.

Last cycle we started the first phase of the onchain framework, feedback and changes are expected as we adjust the new Risk framework to be capable of supporting yearn's important core contracts. Continous development and improvement will happen during the upcoming cycles.

As a key integration, ySecurity plans to closely work with v3 strategist group to detailed an overall process for maintaning and showing in the UI and other tooling the appropiate risk information to yearn's contract users. This may entail combining external risk data (defi safety and llamarisk being in discussion) with our internal DD and risk process to have an aggregate and consistent risk profile to present to users.

Risk Framework - CLI

As part of our launch of the pilot phase onchain risk framework, we are providing additional tooling to interface with the core functionality of the protocol, the CLI is planned to be the primary interface to interact with yearn's risk framework.

This CLI will be in development but already supports the key functionality of providing the graph for the risk heatmap which is no longer active on the deprecated yearn.watch/risk page and is a key input for v2 allocations decisions (currently not showing the heatmap).

pyrisk CLI

Planned functionality for this cycle:

• yDaemon full support and parity for off chain risk framework support (for migration phase)
• v3 support
• Full on chain framework integration with subgraph
• Strategy and vaults information
• Caching layer
• Rich Terminal UI
• Exporting data (useful for war rooms, scripting input, etc)

We believe this tooling is key for both yearn's normal operations and more so during exceptional times like in war rooms, where we need quick information of specific vaults and strategies to integrate with our other scripting tooling. Our goal for the CLI is to be a tool used by all yTeams.

Internal Simulation Attacks

As part of the team that provided information to the SEAL team for the Simulation Attack on Yearn, we considered these simulations an imperative experience and tool for improving processes, understanding our weaknesses, and testing our response time.

That being said, our goal is to build the foundations in terms of tools, scripts, and bots to simulate attacks internally on a regular basis. Considering we don't have anything built yet, we plan to start building (or reusing) these tools in this BR period to create simulated attacks on v3, yETH, etc.

Goals

The security team plans to:

• Security
  • Help create and review Due Dilligence documents on new protocols used by yearn's strategies, when applicable. This item will consider external risk data providers to coordinate new v3 risk scoring process.
  • Each security review differs in time and scope but we are estimating it based on normal strategy reviews.
  • Create an internal checklist with the common issues in the v3 strategies to help the strategists to improve the development.
  • Start/continue reviewing new strategies for v3.
  • Continue reviewing updates/new strategies for v2.
  • Improve Github issues to make easier the security process.
• Risk Framework On-chain:
  • Testing of all use cases to achieve parity with off chain data.
  • Incorporating feedback to improve the current design.
  • Migrating the active v2 strategies.
  • Integrate v3, yETH and other core contracts as needed.
  • Keeping it up to date with the scores.
• Risk Framework - CLI
  • Launching the CLI v1 for all members with the basic commands
  • Integrating with telegram bots to send notifications.
  • Displaying the risk framework heatmap.
  • Supporting some basic queries such as:
    • Get our exposure to a given protocol.
    • Filter vaults/strategies by tags/scores.
    • List the strategies that are not in the risk framework (created by factories).
• Internal Simulation Attacks
  • Researching the required tools for these types of simulations.
  • Building any other required/specific tool/app for the simulations.
  • Coordinate with SEAL Attack simulation team for access to their forked tooling (block explorer, etc)
  • Analyze multiple attack vectors to consider in a simulation.
  • Plan the internal simulation attack.

Period

It will cover 3 months:

• From: 2023-11-01
• To: 2024-01-31

People

• Storm0x
• Rare Weasel
• Tapir

Money

This budget request includes the following concepts:

• 2 core contributor grants.
• 1 internship slots.

Funds to be streamed over three months, starting 1st November 2023.

Total:

136,740.00 DAI

Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period.

Funds Details

The previous YFI amount was converted into DAI at 5500 DAI as an average price during the last 3 months.

YFI Conversion

Wallet address

0x4851C7C7163bdF04A22C9e12Ab77e184a5dB8F0E

Reporting

Monthly in this issue.

[rareweasel]

Security Team November Updates

• DDs & Security reviews
  • Compound V3 Lender Borrower (V3 strategy): https://github.com/yearn/yearn-strategies/issues/572
  • yPrisma: https://github.com/yearn/yearn-strategies/issues/602
  • Stargate Staker (V3 strategy, ongoing): https://github.com/yearn/yearn-strategies/issues/535
  • yETH Governance (ongoing): https://github.com/yearn/yearn-strategies/issues/596
  • yPrisma Reviews:
    • Issue: https://github.com/yearn/yearn-strategies/issues/602
    • yPrisma Cleanup: https://github.com/wavey0x/yearn-prisma/pull/4
    • yPrisma Proxy and Minter: https://github.com/wavey0x/yearn-prisma/commit/849fa35cbfa4a03b9905e323841f5437c70443b6
  • veYFI redemption oracle updates https://github.com/yearn/veYFI/pull/232#event-11125437515
• Bounty Reports
  • Triage bounties from immunefi.
  • veYFI gauges APR manipulation issued triaged and closed.
  • Coordinate preventive actions on curve pool oracle report issue and help update Redemption contract for veYFI.
• Risk Framework
  • On-chain
    • Implemented copyScores function: https://github.com/yearn/risk-framework/pull/8
    • Supported active/inactive targets: https://github.com/yearn/risk-framework/pull/9
    • Updated docs and scripts: https://github.com/yearn/risk-framework/pull/10
    • Deployed new ORF version with the new improvements. More info here.
    • Migrated ~250 scores from yDaemon to the new contract.
    • Supported new changes in the subgraph: https://github.com/yearn/risk-framework-subgraph/pull/2
    • Deployed new Subgraph version here.
• Others
  • Collaborating with strategist (Val) for the Stargate Staker strategy. Writing comprehensive tests for edge cases: https://github.com/0xValJohn/tokenized-strategy-foundry-mix/pull/1
  • Giza Call: PoC is used for analyzing risk datasets in a model.

NOTE: some of the links for internal gh repos are access restricted for security purposes.

[rareweasel]

Security Team December Updates

• DDs & Security reviews
  • Prisma Convex Farmer: https://github.com/yearn/yearn-strategies/issues/606
  • Updated Prisma prod card and created the recurring review.
    • https://github.com/yearn/yearn-strategies/issues/612
    • https://github.com/yearn/yearn-strategies/issues/613
  • Stargate Staker (V3 strategy, finished): https://github.com/yearn/yearn-strategies/issues/535
  • yETH Governance (finished): https://github.com/yearn/yearn-strategies/issues/596
  • Gamma Factory Strategies (V3 strategy): https://github.com/yearn/yearn-strategies/issues/569
  • veYFI Recurring Review (ongoing): https://github.com/yearn/yearn-strategies/issues/610
• Bug bounty report
  • Triaged veYFI bounty report.
  • Coordinated security review for veYFI with bounty reporter deadrossxyz
• Risk Framework On-chain
  • Updated the scores for v3 strategies and updated the issues with the score transaction links.
  • Added tags for some v3 strategies.
• Incident Retros
  • Help guide and lead veYFI bug bounty report retro.
  • Help guide and lead LP YCRV retro and root cause actions.

NOTE: some of the links for internal gh repos are access restricted for security purposes.

[rareweasel]

Security Team January Updates

• DDs & Security reviews
  • YearnBoostedStaker: https://github.com/yearn/yearn-strategies/issues/614
  • veYFI Recurring Review (finished): https://github.com/yearn/yearn-strategies/issues/610
  • Spark lender v3 https://github.com/yearn/yearn-strategies/issues/627
• Bug bounty report
  • Triaged veYFI bounty report.
• Risk Framework On-chain
  • Updated the scores for v3 strategies and updated the issues with the score transaction links.
  • Added tags for some v3 strategies.
• Lead Retros and action plans
  • LP incident
  • Lender Borrower incident
• Other
  • Started a Github repository (template) with multiple features to guide yTeams in using Foundry, invariant tests, fuzzing, fork, and static analyzers in the Github actions.
  • Added docs on testing for security considerations https://docs.yearn.fi/security/testing
  • Working on a new V3 strategy security checklists: https://hackmd.io/btMxqcktREOIMjVwcgjRtg
  • Read veYFI code to add invariant tests and fuzzing using the Github template.
  • Attended discussion about the ChainSec retainer deal.
  • Prepared budget request v4 for the new period.

NOTE: some of the links for internal gh repos are access restricted for security purposes.