
Tapir budget request #217

Open
tapired opened this issue Jun 4, 2024 · 9 comments
Labels
approved An approved budget request budget request A budget request

Comments


tapired commented Jun 4, 2024

Scope

This budget request is to fund Tapir for the month of May for the work already done and the following 2 months, allowing Tapir to continue contributing to the activities outlined in the continuous activity plan.

Plan

Continuous activity:

  • Internal security reviews of the yearn ecosystem
  • Risk scoring & risk score maintenance

About the Risk Assessment

I have already worked on and determined criteria for the risk scores, which you can find here.

I have also compiled all the V3 strategies into an Excel sheet.

From now on, for every strategy I review, I will assign scores according to the criteria and update the Excel sheet. Additionally, I am pairing up with Marco to craft a brand new UI for the Yearn Risk Assessment Dashboard, which is already 25% complete and should be ready for an MVP by next month.

About the future of ySecurity

Meanwhile, during this temporary BR, I am planning to recruit a new ySecurity group with clear goals and a roadmap. The ySecurity group will be responsible for all security-related aspects within Yearn, including security reviews of strategies, risk assessment, and maintenance. Additionally, we can explore the development of bots for monitoring external protocol contracts, including depegs, bad debt, and timelock transactions, similar to the SONNE timelock listener and the Pearl treasury’s DAI bot.

Furthermore, the new BR will specifically recognize Marco's contributions to the Yearn Risk Assessment Dashboard. Most likely, he will receive a one-time grant for the excellent work he has done in building it.

Deadline

2024-07-31

People

tapir

Money

One time backpay for the work done in May, $12k DAI
Monthly $12k DAI for June and July

Amount (Total)

36000 DAI

Wallet address

0x80c9aC867b2D36B7e8D74646E074c460a008C0cb

Reporting

Monthly

@tapired tapired added the budget request A budget request label Jun 4, 2024
@tapired tapired added this to yBudget Jun 4, 2024
@github-project-automation github-project-automation bot moved this to Needs Sorted in yBudget Jun 4, 2024
@MacMoriano

Are we paying people 12k a month for maintaining a spreadsheet and writing a simple 2 page doc?


tapired commented Jun 4, 2024

> Are we paying people 12k a month for maintaining a spreadsheet and writing a simple 2 page doc?

The main task is conducting internal security reviews of every contract that Yearn ships. Additionally, each V3 strategy that is reviewed will be included in the risk document. Assessing the risk according to the criteria and justifying the scores with comments will be a relatively simple task, considering the hard work of creating the criteria is already done.

@MacMoriano

How many internal security reviews are you conducting per day/week?
Or maybe the number of hours spent/week is a better metric for this?


tapired commented Jun 4, 2024

> How many internal security reviews are you conducting per day/week? Or maybe the number of hours spent/week is a better metric for this?

Good question, working 8 hours a day, full-time, as I have been doing for years under the hood of ySecurity.

I appreciate the thorough questioning. I assumed that the people reviewing this budget would be the contributors who already know my contributions. However, I was wrong, as this is a public budget request for the YFI ecosystem. Please let me know if you have any other questions regarding this budget request!

@MacMoriano

It would probably help build more confidence in this type of request (especially after the last hack) if this sort of budget request were more data driven.
Like, you mention 8 hours a day, but is that quantifiable in any way? Other than that 2 page document and that spreadsheet, as I imagine those didn't take ~200 hours/month to write.

If this sort of data is available to yBudget, it's great, as they are the ones that ultimately make the decision, but it looks completely opaque from the outside and it shouldn't really be.


tapired commented Jun 4, 2024

> It would probably help build more confidence in this type of request (especially after the last hack) if this sort of budget request were more data driven. Like, you mention 8 hours a day, but is that quantifiable in any way? Other than that 2 page document and that spreadsheet, as I imagine those didn't take ~200 hours/month to write.
>
> If this sort of data is available to yBudget, it's great, as they are the ones that ultimately make the decision, but it looks completely opaque from the outside and it shouldn't really be.

I agree. I have been conducting security reviews of all Yearn-related code, from strategies to completely new products like yETH, Yearn Boosted Staker, factories, veYFI... There haven't been any hacks so far, which might be a good indicator of the quality of my work.

You can also check the previous "Security Team Budget Request" to see the reviews that were done previously in the given time period.

You can also check the strategies that are reviewed in both v2/v3 here:
https://github.com/orgs/yearn/projects/27/views/18


wavey0x commented Jun 5, 2024

> Are we paying people 12k a month for maintaining a spreadsheet and writing a simple 2 page doc?

Disrespectful comment.
I feel compelled to reply as someone that's been on the receiving end of Tapir's sc reviews.
He's been delivering audit-quality reviews for the dev team for a long time. Has also been helping formulate v3 strategy dev patterns and best-practices.

We should be lucky to have him (many examples of this).

@rareweasel

> > Are we paying people 12k a month for maintaining a spreadsheet and writing a simple 2 page doc?
>
> Disrespectful comment. I feel compelled to reply as someone that's been on the receiving end of Tapir's sc reviews. He's been delivering audit-quality reviews for the dev team for a long time. Has also been helping formulate v3 strategy dev patterns and best-practices.
>
> We should be lucky to have him (many examples of this).

Totally agree with @wavey0x.

@tapired has been doing a great job making internal security reviews. And it is not only "maintaining a spreadsheet and writing a simple 2 page doc".


MacMoriano commented Jun 5, 2024

> Disrespectful comment.

I'm sorry wavey if it sounded disrespectful, that wasn't my intention.
The issue and my frustration come from the lack of visibility into the work being done, and after the most recent hack I hope you understand why I would be nervous about a topic like protocol security.

Again, I'm deeply sorry if it sounded harsh or anything like that, that wasn't my goal, but I would still like to see a more results/data driven approach to this type of budget request.

@0xPickles 0xPickles added the approved An approved budget request label Jul 31, 2024