# Security Team Tasks
## Goal
The principal goal of this document is to divide each goal into smaller tasks to be achieved in the next period. This makes it easier to track accomplishment and to show progress to the team and the community.
It may also be used as evidence of the work done during the period, if needed.
Once it is defined, we will create a spreadsheet to track all these tasks in order to make the process, and the follow-up, easier.
## Tasks
Based on the goals defined in [Budget Request v4](https://github.com/yearn/budget/issues/192), we divided the tasks into the following sections:
> Some of these tasks need to be completed on a recurring basis. That frequency is not defined here; it will be defined by the team based on each member's skills and knowledge, and tracked internally.
- Fuzzing and invariant testing (Weasel)
  - [ ] Ask Schlag about missing things in https://github.com/yearn/tokenized-strategy-foundry-mix/tree/master/src/test
    - [ ] Maybe add handler/actor manager logic?
  - [ ] Create a GitHub template repository using Foundry, invariant/fuzzing tests, forks, etc.
  - [ ] Create examples (new repositories from the template) for veYFI, the Compound lender/borrower and others.
  - [ ] Create a presentation describing this new concept (fuzzing/invariants using Foundry).
  - [ ] Fuzzing/Invariant: define a new section (or update the existing one) in the GH Template for v2/v3 strategies.
  - [ ] Fuzzing/Invariant: update the GH Template (create a PR) with the new section (or changes) for v2/v3 strategies.
  - [ ] Update/apply (if needed) the internal review process to consider invariant/fuzzing tests.
  - [ ] Update the risk scoring process and documentation so the testing scores consider these new concepts.
  - [ ] Improve communication: send updates to TG groups.
    - [ ] Define the Telegram groups to whom to send the updates.
    - [ ] Send the updates frequently (monthly?).
- Multisig operations security (Both, led by Tapir)
  - [ ] Define the scope for the list of multisigs.
    - [ ] Get a full list of the multisigs Yearn/yTeams have.
    - [ ] Filter multisigs using some conditions (such as the funds they manage or have managed during the last X months or periods).
  - [ ] Establish and lead a working group composed of several yTeams.
    - [ ] Define which yTeams are interested in taking part in the discussion.
    - [ ] Create an initial draft (doc) to share with the yTeams.
    - [ ] Collect feedback and areas of improvement.
      - [ ] Define what info we need in order to formulate the questions.
      - [ ] Create a message template to send to multiple yGroups.
      - [ ] Send the message to yGroups periodically (TBD).
      - [ ] Process the results and define actions to improve.
  - [ ] Present a public draft of the minimum viable multisig operational procedure. The document will be created by the working group.
  - [ ] Publish the procedures in the most important TG channels.
  - [ ] Present a plan to periodically review past multisig operations against the established procedures.
    - [ ] Review multisig operations against the established procedures.
    - [ ] Present the results privately.
    - [ ] Present the overall results in Cantina.
  - [ ] Ask for feedback and improve the doc frequently.
- On-chain Risk Framework (ORF) (Both, led by Weasel)
  - [ ] Create a script/tool that looks for strategies/vaults (v2/v3) missing from the ORF, to try to automate the process.
  - [ ] Define how to integrate v3, yETH, yCRV, yPRISMA and other products, discussing it with each yTeam after defining the security review processes and their impact on the ORF.
  - [ ] Keep the scores up to date.
  - [ ] Collect feedback and improvements.
    - [ ] Define what info we need in order to formulate the questions.
    - [ ] Create a message template to send to multiple yGroups.
    - [ ] Send the message to yGroups periodically (TBD).
    - [ ] Process the results and define actions to improve.
  - [ ] Improve communication: send updates to TG groups.
    - [ ] Define the Telegram groups to whom to send the updates.
    - [ ] Send the updates frequently (monthly?).
- General Security, Processes & Feedback
  - [ ] Keep our internal checklist of common issues in v3 strategies up to date, to help strategists improve their development. (Tapir)
  - [ ] Prioritize/assign security reviews frequently. (Both, depending on availability)
  - [ ] Define the Single Vaults v3 process (security-wise) and internal/external scores (?).
  - [ ] Ask the different yTeams for feedback.
    - [ ] Define what info we need in order to formulate the questions.
    - [ ] Create a message template to send to multiple yGroups (or maybe DM).
    - [ ] Send the message to yGroups (maybe DM) periodically (TBD).
    - [ ] Process the results and define actions to improve.
  - [ ] Improve communication: send updates to TG groups.
    - [ ] Define the Telegram groups to whom to send the updates.
    - [ ] Send the updates frequently (monthly?).
- Track Audit/Contests/Other Expenses (Both, led by Weasel)
  - [ ] Define/apply a process to select and pay an audit firm.
  - [ ] Send a monthly message asking which yTeams are planning to get an audit slot.
  - [ ] Improve communication: send updates to TG groups.
    - [ ] Define the Telegram groups to whom to send the updates.
    - [ ] Send the updates frequently (monthly?).
- Others
  - [ ] Detail the idea of external paid security reviews.
  - [ ] After a retro/warroom/similar call, follow up on the actions frequently.
- Pending
  - General Security
    - Help create and review Due Diligence documents on new protocols used by Yearn's strategies, when applicable. This item will consider external risk data providers in order to coordinate the new v3 risk scoring process.
    - Improve GitHub issues to make the security process easier.
    - Define a process for yTeams to select and pay for external security reviews, including audits/contests/solo auditors.
    - Track the output of external security engagements and check the effectiveness of the process.