# Budget Request for Security Q&A
1. We are missing July's report.
A1. It is still work in progress, but the current updates are [here](https://github.com/yearn/budget/issues/115#issuecomment-1655758809).
2. Focus should be on v3, and v2 development should be almost minimal. However, we are spending the same amount of funds as when we were launching many v2 strats.
A2. Although volume for v2 strategies has been decreasing or paused during the past period, the security team has focused on reviewing all of the contracts for the other products from the yCRV/yETH teams, along with some of the v3 contracts used for periphery and new strategies (see past updates for details) that have been sent to prod.
We anticipate a lot more v3 strategies to be coming in the pipeline for this upcoming period as seen here:
https://github.com/orgs/yearn/projects/27/views/18
We also anticipate we'll see an increased need for security reviews as we migrate most strats to v2. The team is also working on a review checklist for v3 specifically.
Although members of the ysec team can go into other areas of yearn to help when volume or need for reviews is low (we usually do help in other areas as needed), we are wary of completely moving members away from the team, since it's very hard to rebuild a security team once demand starts to rise again.
3. Put yourselves in ybudget seats. Do you think the ask is low, high or adequate?
A3. We think the ask is adequate, given that compensation in the security space is very competitive at the moment (see references below for info) and also that yearn is one of the few protocols capable of having an internal security team. This shows in the quality of our products in terms of security and in our record of handling past incidents since we installed the security review process (0 hacks in v2 vaults and strategies) and incident response procedures.
From the feedback we get from other teams or protocols that don't have one, the value of having internal security reviews is that the quality of code before audit increases a lot more. You can see in all past reports around yETH, yCRV, etc. that the volume of high/critical findings is reduced to almost 0, which allows the audit firms to avoid wasting time on obvious surface high or critical issues and go really in depth into the code base looking for other issues. This brings resiliency to yearn's product and also increases the value yearn pays for audits.
Other teams that don't have an internal security team either have to spend a lot more on security for external audits, or their quality of code is poor once they reach production (e.g. 10+ high/crit findings pre-launch) because they lack this early feedback in the development process.
Investing in a security team gives yearn an edge over many other protocols.
4. Tapir will continue helping with security reviews and tasks in the intern spot.
We believe he has done a great job, based on the feedback we have gotten from other members of the yteams. We want him to continue growing his security skills as much as possible, since getting experienced folk to join the security team has been very hard in the past.
## Research
### SpearBitDAO weekly salaries
- Junior Security Researcher (JSR): $3K USDC
- 🐥 Associate Security Researcher (ASR): $6.25K USDC
- 🦅 Security Researcher (SR): $12.5K USDC
- 🦉 Lead Security Researcher (LSR): $20K USDC

https://twitter.com/SpearbitDAO/status/1664642186405728256
### CryptoJobList
https://cryptojobslist.com/salaries/junior-smart-contract-auditor-salary
Average is $105K per year; 10% take $200K (seniors).
### Decentralized audit contest platforms
Sherlock

**Tapir's comment:**
I think a base salary for a decent security researcher is 100k.
If you are senior enough, it's 200k.
If you are super duper good, it's weekly 10K-20K, approx 400-900k.
I think the question we need to ask ourselves is which part of this scale we are in. Also, we need to remember that we are not actually auditing stuff from scratch but just reviewing small pieces of code (usually). It's not like we review an entirely different complex code base every month.
However, even small pieces hurt yearn back then (Stargate incident). Also, I personally spotted a few bugs in the backlog that could result in big losses (Stargate v3, maker delta neutral). Also, even though yETH is audited, I found 1 small issue that was not found by ChainSecurity as well. During the entire development phase of yETH I was fully in sync with Korin and brainstormed the issues, so it's clear that we are not just checking security but are also involved in the development of the code somehow.