yearn / budget

yearn budget requests and audits
MIT License

Tapir budget request #217

Open tapired opened 4 weeks ago

tapired commented 4 weeks ago

Scope

This budget request is to fund Tapir for the month of May for the work already done and the following 2 months, allowing Tapir to continue contributing to the activities outlined in the continuous activity plan.

Plan

Continuous activity:

About the Risk Assessment

I have already worked on and determined criteria for the risk scores, which you can find here.

I have also compiled all the V3 strategies into an Excel sheet.

From now on, for every strategy I review, I will assign scores according to the criteria and update the Excel sheet. Additionally, I am pairing up with Marco to craft a brand new UI for the Yearn Risk Assessment Dashboard, which is already 25% complete and should be ready for an MVP by next month.

About the future of ySecurity

Meanwhile, during this temporary BR, I am planning to recruit a new ySecurity group with clear goals and a roadmap. The ySecurity group will be responsible for all security-related aspects within Yearn, including security reviews of strategies, risk assessment, and maintenance. Additionally, we can explore the development of bots for monitoring external protocol contracts, including depegs, bad debt, and timelock transactions, similar to the SONNE timelock listener and the Pearl treasury’s DAI bot.

Furthermore, the new BR will specifically recognize Marco's contributions to the Yearn Risk Assessment Dashboard. Most likely, he will receive a one-time grant for the excellent work he has done in building it.

Deadline

2024-07-31

People

tapir

Money

One-time backpay for the work done in May: $12k DAI
Monthly: $12k DAI for June and July

Amount (Total)

36000 DAI

Wallet address

0x80c9aC867b2D36B7e8D74646E074c460a008C0cb

Reporting

Monthly

MacMoriano commented 4 weeks ago

Are we paying people 12k a month for maintaining a spreadsheet and writing a simple 2 page doc?

tapired commented 4 weeks ago

Are we paying people 12k a month for maintaining a spreadsheet and writing a simple 2 page doc?

The main task is conducting internal security reviews of every contract that Yearn ships. Additionally, each V3 strategy that is reviewed will be included in the risk document. Assessing the risk according to criteria and justifying the scores with comments will be a relatively simple task, considering the hard work of creating the criteria is already done.

MacMoriano commented 4 weeks ago

How many internal security reviews are you conducting per day/week? Or maybe the number of hours spent/week is a better metric for this?

tapired commented 4 weeks ago

How many internal security reviews are you conducting per day/week? Or maybe the number of hours spent/week is a better metric for this?

Good question: working 8 hours a day, full-time, as I have been doing for years under the hood of ySecurity.

I appreciate the thorough questioning. I assumed that the people reviewing this budget would be the contributors who already know my contributions. However, I was wrong, as this is a public budget request for the YFI ecosystem. Please let me know if you have any other questions regarding this budget request!

MacMoriano commented 4 weeks ago

It would probably help build more confidence in this type of request (especially after the last hack) if this sort of budget request were more data driven. Like, you mention 8 hours a day, but is that quantifiable in any way? Other than that 2 page document and that spreadsheet, as I imagine those didn't take ~200 hours/month to write.

If this sort of data is available to yBudget, it's great, as they are the ones that ultimately make the decision, but it looks completely opaque from the outside and it shouldn't really be.

tapired commented 4 weeks ago

It would probably help build more confidence in this type of request (especially after the last hack) if this sort of budget request were more data driven. Like, you mention 8 hours a day, but is that quantifiable in any way? Other than that 2 page document and that spreadsheet, as I imagine those didn't take ~200 hours/month to write.

If this sort of data is available to yBudget, it's great, as they are the ones that ultimately make the decision, but it looks completely opaque from the outside and it shouldn't really be.

I agree. I have been conducting security reviews of all Yearn-related code, from strategies to completely new products like yETH, Yearn Boosted Staker, factories, veYFI... There haven't been any hacks so far, which might be a good indicator of the quality of my work.

You can also check the previous "Security Team Budget Request" to see the reviews that were done previously in the given time period.

You can also check the strategies that are reviewed in both v2/v3 here: https://github.com/orgs/yearn/projects/27/views/18

wavey0x commented 3 weeks ago

Are we paying people 12k a month for maintaining a spreadsheet and writing a simple 2 page doc?

Disrespectful comment. I feel compelled to reply as someone that's been on the receiving end of Tapir's sc reviews. He's been delivering audit-quality reviews for the dev team for a long time. Has also been helping formulate v3 strategy dev patterns and best-practices.

We should be lucky to have him (many examples of this).

rareweasel commented 3 weeks ago

Are we paying people 12k a month for maintaining a spreadsheet and writing a simple 2 page doc?

Disrespectful comment. I feel compelled to reply as someone that's been on the receiving end of Tapir's sc reviews. He's been delivering audit-quality reviews for the dev team for a long time. Has also been helping formulate v3 strategy dev patterns and best-practices.

We should be lucky to have him (many examples of this).

Totally agree with @wavey0x.

@tapired has been doing a great job making internal security reviews. And it is not only "maintaining a spreadsheet and writing a simple 2 page doc".

MacMoriano commented 3 weeks ago

Disrespectful comment.

I'm sorry, wavey, if it sounded disrespectful, that wasn't my intention. The issue and my frustration come from the lack of visibility into the work being done, and after the most recent hack I hope you understand why I would be nervous about a topic like protocol security.

Again, I'm deeply sorry if it sounded harsh or anything like that, that wasn't my goal, but I would still like to see a more results/data-driven approach to this type of budget request.