### Scope This budget request is for the security team comprised currently of two core contributors and one internship slots to continue contributing with security related work in the yearn ecosystem. The list of previous budget requests: - v3: [Nov-23 to Jan-24](https://github.com/yearn/budget/issues/172) - v2: [Aug-23 to Oct-23](https://github.com/yearn/budget/issues/145) - v1: [May-23 to Jul-23](https://github.com/yearn/budget/issues/115) This request will cover one quarter (3 months) and continue the team's work on security reviews for all contracts under development in the yearn teams as capability allows and other described tasks. Over the following period, these budget requests should develop and provide a detail of work attempted and achieved. This request also will detail an overview of the team's goals and objectives for the period. Note that this budget request includes no revenue share. Presentation [link](https://docs.google.com/presentation/d/1gBYEFV05rUm9-4Wi4cJ9JaP3jNnz9KnBuuPRRJH6VcU/edit?usp=sharing). ### Plan Note that there are no clawbacks based on the below performance targets. But performance should impact future budget requests. ### Security Reviews The security team will continue to work on the following: - Internal security reviews for all contracts develop by yTeams and changes or updates in the current ones in production. - Internal security reviews for the Core Protocol, including v2/v3 vaults, v3, yCRV, yETH and any other Yearn's product as required. - Management of the Risk Framework and internal security review process for v2 and v3 strategies. - Review scores and allocations frequently in the Risk Framework to ensure risk information is properly presented to users. - Coordinate with infrastructure team on support for risk framework updates, bugs and issues for off chain data. (see on chain risk framework section for details) - Help, guidance and coordination with auditors and external security reviewers for engagements with protocol-related contracts. (Each team needs to request their own audit security budget.) - Review and triage bounty reports through our multiple pre-established channels, such as Immunefi, vyper disclosures or any other source. ### Ad hoc The security team will also continue working with existing Yearn teams (or new ones) to provide ad-hoc support. Including but not limited to offering: * Lead retros for incidents * Incident support * Fuzz and invariant testing workshops, learning resources and support to help yearn devs * Create guidelines and minimal process for operational security of yearn high impact multisigs, communicate them and review adherence to established procedures. * Smart contract development * Product design * Protocol and Security related tooling development * Multisig coordination for emergency transactions * Security related events support e.g war room games, conferences talks, etc. ### External Security Review Process Guidelines - Define and implement a process for yTeams to select and pay for external security reviews including audits/contests/solo auditors. - Track output of external security engangements and report them to yTeams. - Check effectivenes of process and improve it with feedback on reports. ## Goals The security team plans to: * Fuzzing and invariant testing: * Establish and lead a campaign across yearn teams to incorporate fuzzing and invariant testing. * Create learning resources, example repos, coordinate/lead workshops. * Update security review internal process to require stricter testing rules for production deployment. * Update risk scoring process and documentation regarding testing scores. * Add fuzzing and invariant testing for real yearn products as example for learning resources. * veYFI fuzzing and invariant testing * Compound lender/borrower example fuzzing * Multisig operations security: * Establish and lead a working group composed of several yteams. * Collect feedback and areas of improvement. * Present public draft for minimun viable multisig operational procedure. * Publish procedures * Present a plan to review periodically past multisig operations against established procedures. * Manage the continuous improvement process of the procedures. * Risk Framework On-chain: * Integrate v3, yETH and other core contracts as needed. * Support up to date scores. * General Security * Help create and review Due Dilligence documents on new protocols used by yearn's strategies, when applicable. This item will consider external risk data providers to coordinate new v3 risk scoring process. * Each security review differs in time and scope but we are estimating it based on normal strategy reviews. * Create an internal checklist with the common issues in the v3 strategies to help the strategists to improve the development. * Start/continue reviewing new strategies for v3. * Continue reviewing updates/new strategies for v2. * Improve Github issues to make easier the security process. * Define a process for yTeams to select and pay for external security reviews including audits/contests/solo auditors. * Track output of external security engagements and check effectiveness of process. ### Period It will cover 3 months: - From: 2024-02-01 - To: 2024-04-30 ### People - Storm0x - Rare Weasel - Tapir ### Money This budget request includes the following concepts: - 2 core contributor grants. - 1 internship slots. Funds to be streamed over three months, starting 1st February 2024. **Total:** *141,300.00 DAI* Any funds not spent at the end of the period will be transferred back to the yBudget team or considered for the next period. #### Funds Details  ### Wallet address 0x4851C7C7163bdF04A22C9e12Ab77e184a5dB8F0E ### Reporting Monthly in this issue.