Security Team Budget Request v5

[rareweasel]

Scope

This budget request is for the security team comprised currently of two core contributors and one internship slots to continue contributing with security related work in the yearn ecosystem.

The list of previous budget requests:

• v4: Feb-24 to Apr-24
• v3: Nov-23 to Jan-24
• v2: Aug-23 to Oct-23
• v1: May-23 to Jul-23

This request will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the yearn teams as capability allows and other described tasks. Over the following period, these budget requests should develop and provide a detail of work attempted and achieved.

This request also will detail an overview of the team's goals and objectives for the period.

Note that this budget request includes no revenue share.

Presentation link.

Achieved Goals (Previous BR v4)

• General

  • Collected feedback from multiple contributors and implemented some improvements internally.
  • Improved our communication giving updates frequently.
  • Implemented an active improvement process, asking for feedback to different contributors and retest the results periodically.

• General Security

  • Created a new streamlined Due Diligence template for evaluating new protocols used in yearn strategies to improve the accuracy of the new risk scores.
  • Created a checklist document with common potential security issues and security patterns in v3 strategies to help the strategists to improve the development.
  • Made multiple security reviews including updates/new v2/v3 strategies.
  • Updated the Github Issue Template (v3 strategies) to improve the speed and accuracy of the security process.
  • Followed up on the actions discussed in the war room, retros, and similar calls.
  • Lead of the Single Process security-wise for the v3 vaults.
  • Be part of the Vyper security group.
  • Coordinated any external audit with external audit firms.
  • Managed a new discussion with Chain Security about updating our old retainer agreement. We could get a new deal.
  • Tracked expenses in audits, contests, and bounties and shared it monthly.
  • Analyzed external security reviews as revenue stream. To get the flywheel going, we will review them free of charge the first months, and define a cost depending on the demand and availability without impacting the internal tasks.

• On-chain Risk Framework

  • Reviewed and redefined new risk scores for v3 strategies.
  • Already integrated risk score metadata for V3 strategies. UI will display the risk category for each vault soon, improving the UX and allowing users make much better risk/rewards decisions.
  • Tested the new scores in the v3 strategies and redefine some ones. We will test more v3 strategies before deploying the smart contracts.
  • Updated the risk framework multisig (new signers).

• Fuzzing and Invariant Testing

  • Created learning resources, and example repos.
  • Update security review internal process to require stricter testing rules for production deployment.
  • Updated risk scoring process and documentation regarding testing scores.

Goals Not Achieved

• Multisig operations security

  • Establish and lead a working group composed of several yteams to implement the best practices to manage operational transactions.

• On-chain Risk Framework

  • Already done a bootstrap risk score system for v3 with metadata risk scores, but haven't finished implementing an on-chain version for all the products such as yETH, yCRV and others.

• Fuzzing and Invariant Testing

  • Establish and lead a campaign across yearn teams to incorporate fuzzing and invariant testing.
  • Coordinate/lead workshops.

Plan

Note that there are no clawbacks based on the below performance targets. But performance should impact future budget requests.

Security Reviews

The security team will continue to work on the following:

• Internal security reviews for all contracts develop by yTeams and changes or updates in the current ones in production.
• Internal security reviews for the Core Protocol, including v2/v3 vaults, v3, yCRV, yETH and any other Yearn's product as required.
• Management of the Risk Framework and internal security review process for v2 and v3 strategies.
• Review scores and allocations frequently in the Risk Framework to ensure risk information is properly presented to users.
• Coordinate with infrastructure team on support for risk framework updates, bugs and issues for off chain data. (see on chain risk framework section for details)
• Help, guidance and coordination with auditors and external security reviewers for engagements with protocol-related contracts. (Each team needs to request their own audit security budget.)
• Review and triage bounty reports through our multiple pre-established channels, such as Immunefi, vyper disclosures or any other source.

Ad hoc

The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support. Including but not limited to offering:

• Lead retros for incidents and follow-up actions.
• Incident support
• Fuzz and invariant testing workshops, learning resources and support to help yearn devs
• Create guidelines and minimal process for operational security of yearn high impact multisigs, communicate them and review adherence to established procedures.
• Smart contract development
• Product design
• Protocol and Security related tooling development
• Multisig coordination for emergency transactions
• Security related events support e.g war room games, conferences talks, etc.

External Security Review Process Guidelines

• Define and implement a process for yTeams to select and pay for external security reviews including audits/contests/solo auditors.
• Track output of external security engangements and report them to yTeams.
• Check effectivenes of process and improve it with feedback on reports.

Goals

• General Security

  • Request/review DD documents when it is needed.
  • Get feedback from strategists to improve the risk score definitions.
  • Each security review differs in time and scope but we are estimating it based on normal strategy reviews.
  • Update our internal checklist with the common issues in the v3 strategies to help the strategists to improve the development.
  • Continue reviewing strategies for v2/v3.
  • Update the Github issue template to make easier the security process as needed.
  • Coordinate/track the external security reviews including audits/contests/solo auditors.
  • Track output of external security engagements and check effectiveness of process.

• General

  • Improve our communication giving updates about our tasks in internal groups periodically.
  • Continue the improvement process, asking for feedback to different contributors and retest the results periodically.

• Fuzzing and invariant testing:

  • Establish and lead a campaign across yearn teams to incorporate fuzzing and invariant testing.
  • Create learning resources, example repos, coordinate/lead workshops.
  • Update security review internal process to require stricter testing rules for production deployment.
  • Update risk scoring process and documentation regarding testing scores.
  • Add fuzzing and invariant testing for real yearn products as example for learning resources.

• Multisig operations security:

  • Establish and lead a working group composed of several yteams.
  • Collect feedback and areas of improvement.
  • Present public draft for minimun viable multisig operational procedure.
  • Publish procedures
  • Present a plan to review periodically past multisig operations against established procedures.
  • Manage the continuous improvement process of the procedures.

• On-chain Risk Framework (ORF):

  • Improve the smart contracts design based on the current improvements in the security process as needed.
  • Integrate v3, yETH and other core contracts as needed.
  • Support up to date scores.
  • Create a tool to check when strategies are missing in the ORF.

Period

It will cover 3 months:

• From: 2024-05-01
• To: 2024-07-31

People

• Rare Weasel
• Tapir
• Mil0x (part-time)

Money

This budget request includes the following concepts:

• 3 core contributor grants.

Funds to be streamed over three months, starting 1st May 2024.

Total:

105,000.00 DAI (35,000.00 DAI monthly)

Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period.

Wallet address

0x4851C7C7163bdF04A22C9e12Ab77e184a5dB8F0E

Reporting

Monthly in this issue.