tapir

@tapir

Joined on Dec 19, 2022

  • Risk scores are separated into two categories: strategy-related and external-protocol-related. Strategy-related scores focus solely on the strategy implementation; any exposure to external protocols enters only indirectly, through how the strategy integrates them. External-protocol-related scores target the external protocol itself. When a strategy integrates more than one external protocol, each protocol is evaluated against the risk scores separately and the average is the final score. For example, if a strategy deposits DAI into a Curve LP and stakes the LP token in Convex, both Curve and Convex are evaluated. Scores are meant to be assigned objectively, so the metrics were chosen to be as objective as possible. However, because potential strategies and external protocols cannot all be anticipated, ySec can make exceptions and assign scores that do not strictly follow the scoring framework. For that purpose every score type has an optional text box, which ySec fills in to justify why the score was given as it was.
  • Scope: Type | File | Logic Contracts | Interfaces | Lines | nLines | nSLOC | Comment Lines | Complex. Score
  • Scope: This budget request is to fund Tapir for the month of May, covering work already done, and for the following two months, allowing Tapir to continue contributing to the activities outlined in the continuous activity plan. Plan: Continuous activity: internal security reviews of the Yearn ecosystem; risk scoring and risk score maintenance. About the Risk Assessment: I have already worked on and determined the criteria for the risk scores, which you can find here.
  • Scope: https://github.com/peapodsfinance/contracts/pull/35/ Commit hash and branch: https://github.com/peapodsfinance/contracts/pull/35/files# [M-1] POTENTIAL: _rewardsPerShare can be inflated. Summary: The very first depositor into TokenRewards can manipulate _rewardsPerShare such that interacting with the TokenRewards contract becomes impossible for other users.
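The mechanism behind a first-depositor inflation of a rewards-per-share accumulator, as an added example that is not the Peapods TokenRewards code and not the finding's own proof. It is a Python model of the accounting pattern with Solidity-style checked uint256 arithmetic: the attacker stakes the smallest allowed amount, rewards are distributed over that single share, and the accumulator becomes so large that a normal-sized stake overflows in `shares * rewardsPerShare` and reverts. The `PRECISION` constant, the reward and stake sizes, and the `min_stake` mitigation are assumptions; whether a real contract hits the overflow depends on its own precision constant and realistic deposit sizes, which is what to check against the actual PR.

```python
# Added example (not Peapods' TokenRewards code): a Python model of a
# rewards-per-share accumulator with Solidity-style checked uint256 math,
# showing how a 1 wei first deposit can push the accumulator so high that
# later stakers' bookkeeping overflows and reverts.
UINT256_MAX = 2**256 - 1
PRECISION = 10**36  # assumed scaling factor; real contracts pick their own


class Overflow(Exception):
    """Stands in for a Solidity 0.8 checked-arithmetic revert."""


def checked(x):
    if x > UINT256_MAX:
        raise Overflow("uint256 overflow: transaction would revert")
    return x


class RewardsPerShare:
    def __init__(self, min_stake=0):
        self.min_stake = min_stake  # 0 reproduces the unmitigated behaviour
        self.total_shares = 0
        self.rewards_per_share = 0
        self.shares = {}
        self.debt = {}  # reward debt per staker (MasterChef-style accounting)

    def stake(self, user, amount):
        if amount < self.min_stake:
            raise ValueError("below minimum stake")
        self.shares[user] = self.shares.get(user, 0) + amount
        self.total_shares += amount
        # shares * rewards_per_share is the product that overflows once
        # rewards_per_share has been inflated by a tiny first deposit
        self.debt[user] = checked(self.shares[user] * self.rewards_per_share) // PRECISION

    def deposit_rewards(self, amount):
        if self.total_shares == 0:
            return
        self.rewards_per_share += checked(amount * PRECISION) // self.total_shares

    def pending(self, user):
        gross = checked(self.shares.get(user, 0) * self.rewards_per_share) // PRECISION
        return gross - self.debt.get(user, 0)

    def max_safe_stake(self):
        """Largest position whose bookkeeping still fits in uint256."""
        if self.rewards_per_share == 0:
            return UINT256_MAX
        return UINT256_MAX // self.rewards_per_share


def simulate_first_depositor(min_stake, reward=10**24, honest_stake=10**24):
    """Attacker stakes the smallest allowed amount, rewards land, then an
    honest user stakes 1M tokens (18 decimals). Returns True if the honest
    stake succeeds, False if it reverts on overflow."""
    pool = RewardsPerShare(min_stake)
    pool.stake("attacker", max(1, min_stake))  # 1 wei when there is no minimum
    pool.deposit_rewards(reward)
    try:
        pool.stake("honest", honest_stake)
    except Overflow:
        return False
    return True
```

With no minimum stake, `max_safe_stake()` after the attack drops below one whole token, so every realistic deposit reverts; a minimum stake is only one mitigation, and seeding the contract with initial shares at deployment (virtual shares) is the other common one.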
  • Description of the strategy: Briefly explain the external protocols that the strategy interacts with: Lorem Ipsum. Briefly explain what the strategy does to get yield: Lorem Ipsum. Checks
  • 1- Due Diligence and Checks Review (attach link to due diligence document for review, see template here) (attach link to checks document for review, see template here). Once a strategy's due diligence has been approved by the team, the strategist can begin codifying it for code review. 2- Strategy Review: Description: {description} Commit (hash): {link}
  • Scope: https://github.com/peapodsfinance/contracts/pull/34/files Commit hash and branch: 677606deaafbb8651f26473c88994c131560e413 [M-1] If the pod has a transfer tax then calling manualProcessFee is impossible. Summary: The manualProcessFee function would not work if the pod has a transfer tax.
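The failure class behind this finding, as an added example that is hypothetical and not the Peapods contracts: a Python model of a pod token that takes a transfer tax, beside a fee-processing routine written two ways. The naive version pulls `amount` and then forwards `amount`, which reverts because fewer tokens arrived; the hardened version measures the balance delta and forwards what was actually received. The token, the `process_fee_*` names and the amounts are constructed for illustration.

```python
# Added example (hypothetical; not Peapods' contracts): a Python model of a
# pod token with a transfer tax and two versions of a fee-processing routine.
# The naive one assumes the full `amount` arrives and reverts under tax; the
# hardened one measures the balance delta and forwards what actually arrived.
TAX_DENOMINATOR = 10_000


class Revert(Exception):
    pass


class TaxedToken:
    """Minimal ERC20-style balance map that burns tax_bps of every transfer."""

    def __init__(self, tax_bps):
        self.tax_bps = tax_bps
        self.balances = {}

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def mint(self, to, amount):
        self.balances[to] = self.balance_of(to) + amount

    def transfer(self, sender, to, amount):
        if self.balance_of(sender) < amount:
            raise Revert("transfer amount exceeds balance")
        tax = amount * self.tax_bps // TAX_DENOMINATOR
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount - tax
        return amount - tax


def process_fee_naive(token, pod, processor, treasury, amount):
    """Pulls `amount` from the pod, then forwards `amount`: with a transfer
    tax fewer tokens arrived, so the second transfer reverts."""
    token.transfer(pod, processor, amount)
    token.transfer(processor, treasury, amount)
    return amount


def process_fee_safe(token, pod, processor, treasury, amount):
    """Forwards only what the balance delta says actually arrived."""
    before = token.balance_of(processor)
    token.transfer(pod, processor, amount)
    received = token.balance_of(processor) - before
    token.transfer(processor, treasury, received)
    return received


def run(tax_bps, hardened, amount=10_000):
    """Returns the treasury balance after processing, or None if it reverted."""
    token = TaxedToken(tax_bps)
    token.mint("pod", amount)
    fn = process_fee_safe if hardened else process_fee_naive
    try:
        fn(token, "pod", "processor", "treasury", amount)
    except Revert:
        return None
    return token.balance_of("treasury")
```

Note that the hardened path is taxed twice (once on the pull, once on the forward), so any downstream accounting must use the returned `received` value rather than the requested `amount`.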
  • Critical: Significant loss of funds, freezing of user actions or of the strategy's harvest/tend cycle, or the vault reporting an undesired loss. High: Loss of funds, but the attack is rare and the funds at risk are not significant; loss of yield in considerable amounts; freezing of yield in the harvest/tend cycle. Medium: Loss of funds, but the attack is very rare or highly complex, or the potential loss is relatively low. This includes a function not working as intended, especially one that affects system state (not just a view function used for display). Low: Any issue that does not result in a loss of funds but causes a function not to work as intended (some view functions, for example). Informational: Information we should be aware of, such as new Curve pools using WETH instead of ETH, or details about the Vyper compiler version. Reviews: LevSonne Update (https://github.com/yearn/yearn-strategies/issues/587) (October): NONE. Pearl Compounder (https://github.com/yearn/yearn-strategies/issues/577) (October)
  • Protocol name: {name} Brief Strategy Description: {description} 1- Due Diligence Review (attach link to due diligence document for review, see template here). Once a strategy's due diligence has been approved by the team, the strategist can begin codifying it for code review. 2- Strategy Review: Description: {description}
  • Goal: We aim to improve our service in terms of security as a yTeam and add more value to the Yearn community across all products. External Strategists Reviews: We came up with a few strategist types that could be attracted to build a strategy on the Yearn V3 infrastructure. First Strategist: This strategist is confident in the profitability of their strategy and in its fit for Yearn. Understanding the potential for significant revenue through Yearn's platform if the strategy is listed, they are keen to attract deposits from Yearn users. To ensure the strategy is secure and reliable, ySec will conduct a thorough review, not only of the strategy but also of any external protocols it interacts with, and due diligence checks will be carried out. The strategist will be charged either a one-time fee or a subscription, based on the strategy's performance and complexity. Given the potential for increased fees from Yearn users, this strategist should find value in paying for a comprehensive security review by ySec. Second Strategist:
  • Functions to override. _deployFunds(uint256 _amount): the _amount parameter is S.totalIdle + assets, where S.totalIdle is the idle balance of the contract and assets is the freshly deposited user funds. Check the assumptions made when deploying _amount. If in some cases the strategy does not want to fully deploy _amount, override the availableDepositLimit function such that _amount is always deployable. IMPORTANT: Some strategies may not be suited to forcing _deployFunds on every deposit, since this can be an attack vector in some cases, e.g. single-siding into an LP pool that can be unbalanced or MEV'd. Careful consideration and tests are needed for strategies that deposit directly into a protocol, covering the cases in which doing so becomes dangerous. Flags or another mechanism to limit the rate at which funds are deployed may be reasonable in some cases. _freeFunds(uint256 _amount): As stated in the natspec of the original code: Any difference between `_amount` and what is actually freed will be
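The relationship between availableDepositLimit and the _amount handed to _deployFunds, as an added example in Python rather than Yearn's Solidity: the TokenizedStrategy deposit path is reduced to deposit, the availableDepositLimit check, and _deployFunds(totalIdle + assets), and the strategist override computes the limit from the external pool's remaining capacity and a per-deposit rate cap so that the amount passed to _deployFunds can never exceed what the pool accepts. The external pool, its capacity, the rate cap and the `receive_idle` helper are constructed for illustration; the class and method names are not the real contract's.

```python
# Added example (Python model, not Yearn's Solidity): the TokenizedStrategy
# deposit path reduced to deposit -> availableDepositLimit -> _deployFunds(
# totalIdle + assets), with a strategist override of availableDepositLimit
# that guarantees the amount handed to _deployFunds is always deployable.
# The external pool's cap and the per-deposit rate cap are assumed values.
class Revert(Exception):
    pass


class ExternalPool:
    """Constructed stand-in for the protocol the strategy deposits into."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.deposited = 0

    def deposit(self, amount):
        if self.deposited + amount > self.capacity:
            raise Revert("pool cap exceeded")  # the revert users should never hit
        self.deposited += amount


class Strategy:
    def __init__(self, pool, max_deploy_per_deposit):
        self.pool = pool
        self.max_deploy_per_deposit = max_deploy_per_deposit
        self.total_idle = 0  # S.totalIdle: asset sitting on the contract
        self.total_debt = 0  # asset deployed to the pool

    # ---- strategist overrides ----
    def available_deposit_limit(self):
        # _deployFunds receives totalIdle + assets, so the limit must subtract
        # idle funds already waiting, stay within the pool's remaining
        # capacity, and bound how much is deployed per call (crude rate limit).
        remaining_capacity = self.pool.capacity - self.pool.deposited
        deployable = min(remaining_capacity, self.max_deploy_per_deposit)
        return max(0, deployable - self.total_idle)

    def _deploy_funds(self, amount):
        self.pool.deposit(amount)
        self.total_debt += amount

    # ---- TokenizedStrategy deposit path (simplified) ----
    def receive_idle(self, amount):
        """Asset arriving outside deposit(), e.g. leftover after a harvest."""
        self.total_idle += amount

    def deposit(self, assets):
        if assets > self.available_deposit_limit():
            raise Revert("ERC4626: deposit more than max")
        amount = self.total_idle + assets  # exactly what _deployFunds is handed
        self._deploy_funds(amount)
        self.total_idle = 0
        return amount

    def deposit_or_none(self, assets):
        """Convenience wrapper returning None instead of raising."""
        try:
            return self.deposit(assets)
        except Revert:
            return None
```

The test to keep in a strategy's suite is the invariant this models: for every reachable state, `total_idle + available_deposit_limit()` is deployable without the external call reverting, including after idle funds accumulate between deposits.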
  • The Risks of Relying on Chainlink as the Sole Source of Truth for DeFi Price Feeds. Chainlink has emerged as the most widely used decentralized oracle network in DeFi, providing off-chain data, including price information, to many projects. However, relying on it as the single source of truth for your project's price feed introduces risks of its own. This article discusses the concerns with depending exclusively on Chainlink and the benefits of diversifying price feed sources. Dependency on a single protocol: Chainlink is known for its security measures and its network of data sources, but using it as the sole price feed ties your entire business model to the failure modes of one protocol. In an ecosystem where millions of dollars are at stake, that dependency is a single point of failure. Centralization concerns: Decentralization is a core principle of DeFi, and relying exclusively on Chainlink can be seen as a deviation from it. Diversifying price feed sources reduces centralization risk and yields a more resilient system. Potential for manipulation: Chainlink employs various measures against price manipulation, but no oracle is completely immune to attack. Combining multiple oracle solutions limits the damage a single manipulated source can do and gives a more accurate picture of the market. Customizability: Projects such as Compound have opted for solutions like the Open Price Feed to gain more control over their price feed mechanism. Combining oracles lets you tailor the price feed to your project's needs. What are the best practices for using Chainlink price feeds? Check for non-zero prices: Ensure the returned price is greater than zero to avoid acting on invalid data.
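The consumer-side checks the article starts listing, carried through as an added example that is not from the article: a Python model of validating a Chainlink-style latestRoundData() tuple and cross-checking it against a second, independent price source, which is the diversification argument above turned into a concrete rule. It goes beyond the article's non-zero rule with the standard freshness checks (updatedAt present, not in the future, within a maximum age, answeredInRound not behind roundId). The `RoundData` class, the timestamps, prices, `max_age` and the deviation threshold are constructed for illustration.

```python
# Added example (not from the article): a Python model of the checks a
# consumer should run on a Chainlink-style latestRoundData() result, plus a
# cross-check against a second, independent price source. Round values,
# max_age and the deviation threshold are constructed for illustration.
from dataclasses import dataclass


@dataclass
class RoundData:
    """Mirrors the AggregatorV3Interface.latestRoundData() tuple."""
    round_id: int
    answer: int            # price scaled by 10**decimals; int256 on-chain
    started_at: int
    updated_at: int
    answered_in_round: int


def check_round(rd, now, max_age):
    """Returns a list of problems; an empty list means the round is usable."""
    problems = []
    if rd.answer <= 0:
        problems.append("non-positive answer")       # the article's rule
    if rd.updated_at == 0:
        problems.append("round not complete")
    elif rd.updated_at > now:
        problems.append("updated_at in the future")
    elif now - rd.updated_at > max_age:
        problems.append("stale")                     # heartbeat missed
    if rd.answered_in_round < rd.round_id:
        problems.append("answer carried over from an earlier round")
    return problems


def deviation_bps(a, b):
    """Relative gap between two prices in basis points of the smaller one."""
    if a <= 0 or b <= 0:
        raise ValueError("prices must be positive")
    return abs(a - b) * 10_000 // min(a, b)


def safe_price(chainlink_round, secondary_price, now,
               max_age=3600, max_deviation_bps=200):
    """Returns the Chainlink answer only if it passes every check and agrees
    with the secondary source; otherwise None, so the caller pauses rather
    than guesses."""
    if check_round(chainlink_round, now, max_age):
        return None
    if deviation_bps(chainlink_round.answer, secondary_price) > max_deviation_bps:
        return None
    return chainlink_round.answer
```

`max_age` should be set per feed from its published heartbeat, not one global value, and on current OCR feeds `answeredInRound` is documented as deprecated (it always equals `roundId`), so that check is belt-and-braces rather than a primary signal. Returning None on disagreement is deliberately conservative; a production system would decide between pausing and falling back to the secondary source as an explicit policy.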
  • We are aware that liquidity on Layer 2 (L2) decentralized exchanges (DEXes) is not as substantial as on Ethereum mainnet and is often fragmented: at the time of writing there are numerous DEXes, with liquidity dispersed among them. Optimism and popular liquidity rewards: On Optimism the primary reward token is OP. At the time of writing there are three major liquidity sources: Uniswap V3, Sushiswap and Velodrome (a Solidly fork). Liquidity for OP: Velodrome Finance OP pools; Sushiswap OP pool