## Goals

1. Protect the Yearn brand as one of the most secure and high-quality products on the market.
2. Lower the time to market for new Yearn strategies.
3. Open the door to new high-risk vaults and strategies.
4. Strategies that don't need vaults can be more quickly deployed.
5. Help non-Yearn strategies get both on the Yearn UI as well as fully credit rated.
6. Help generate a new revenue stream for both S2 and ySec.

## Big Idea

With the goal of V3 being to open up building and deploying vaults and strategies to anyone and everyone, we need to revamp our security system to both retain our status as the best-in-class security-focused team and allow for more innovation and experimentation within and outside of Yearn.

The current idea is for the V3 UI to have two different sections. One is a "Yearn" branded section, with vaults and strategies that have come from internal Yearn contributors, some of which will be the equivalent of the up-only, highly secure vaults we currently have. But some may also now be higher-risk, potentially lossy vaults and strategies.

The other section will be the "other". This will be vaults and strategies built and managed by other people and teams outside of Yearn. Some may be very high quality, some may be very low quality.

This structure, along with the new yTeams model, opens up the potential for teams like security to become not only internal auditors but also full credit rating teams that can sell their services to 3rd parties who want to validate the quality of their vault or strategy. This will not only help depositors and vault managers, internally and externally, differentiate the good from the bad but also generate a new source of income for Yearn and ySec that wasn't possible before.

## Process for Internal Strategies

1. Normal testing of the strategy.
2. Request peer review.
3. 1-2 S2 members peer review the strategy and provide any feedback. (This should be given a specific time frame)
4. Strategy can now be deployed and placed on the UI. (Placement Pending)
5. Send to Security.
6. ySec does a full audit of the strategy and assigns it a "Credit Rating". (This should be given a specific time frame)
7. Strategy can now be added to the "Yearn" section of the UI with its rating displayed.
8. Vault managers can now add it to Yearn vaults if the rating meets their standards.
9. Improving the score to get more TVL entails more actions on the strategy, like external audits, more monitoring, testing, etc.

## Process for External Strategies

1. Normal testing of the strategy.
2. Deployment.
3. Send to an S2-controlled multisig or repo, potentially with a small payment, to be added to the UI.
4. 1 member of S2 does a very minimal check simply to make sure it's not an obvious scam. (Potentially partially automated with a suite of small invariant tests).
5. Gets added to the "Non-Yearn" section of the UI.
6. If desired, they can submit it to ySec for a full credit rating along with a payment.
7. ySec does a full audit of the strategy and assigns it an on-chain "Credit Rating".
8. Yearn vault managers can now add it to Yearn vaults if the rating meets their standards.

## Process for Meta-Vaults (Yearn-only)

- All strategies must go through the internal review process before consideration. This means 2 peer reviews and a full security review. Additionally, for metavaults we should also perform protocol due diligence and establish ongoing protocol monitoring.

## Important points

- Any developer can simply deploy a strategy and never have any contact with Yearn.
- To be added to the UI, a very minimal check should be done, for both internal and external strategies. The more something is reviewed to get on the UI, the more we can be held responsible for that strategy.
- There should be a clear difference between Yearn branded vaults and strategies and everything else.
- While both S2 and ySec are receiving comp from Yearn, internal strategists don't get charged by either team, but all external strategies do.

## Questions

1. What is the cost for the S2 review of an external strategy?
2. What is the expected time frame for a peer review?
3. What is the cost for the ySec credit rating of an external strategy?
4. What is the expected time frame for a ySec credit rating?
5. Can internal strategies that have not gone through ySec review still be added to the Yearn section in the UI?
6. In terms of monitoring and due diligence, who should handle this? S2 or ySec? Very important to make sure nothing falls through the cracks between handoffs.