# Proposal to improve ySec services and operations
## Goal
We aim to improve our service in terms of security as a yTeam and add more value to the Yearn community across all the products.
## External Strategists Reviews
We came up with a few strategist types that could be attracted to build a strategy on the Yearn v3 infrastructure.
### First Strategist:
This strategist is confident in the profitability and adaptability of their strategy for Yearn. Understanding the potential for significant revenue through Yearn's platform—if the strategy is listed—they're keen on attracting deposits from Yearn users. To ensure the strategy is secure and reliable, ySec will conduct a thorough review, not only of the strategy but also of any external protocols it interacts with. Additionally, due diligence checks will be carried out. The strategist will be charged either a one-time fee or a subscription based on the strategy's performance and its complexity. Given the potential for increased fees from Yearn users, this strategist should find value in investing in a comprehensive security review by ySec.
### Second Strategist:
This strategist is primarily focused on creating and hosting a strategy on their own platform, without concern for its listing on Yearn. While they're obligated to pay a protocol fee to Yearn, they could avoid this by forking Yearn and retaining the protocol fee. So, why might they consider not doing so? ySec offers an incentive: a thorough code review/audit at a discounted rate or even for free. This offer is intended to encourage the strategist to collaborate rather than compete, ensuring both parties benefit.
### Third Strategist:
This strategist is involved in a separate protocol or DAO and aims to bootstrap liquidity for a unique token or a novel yield source. They're likely looking at Yearn as a potential marketing partner, rather than a codebase to fork. Regardless of the reputation implications of forking Yearn, we'd prefer to build a collaborative relationship. As such, ySec can offer benefits similar to those offered to the second strategist, including discounted or free security reviews and ongoing monitoring.
## Internal Strategists Reviews
The Yearn strategist team crafts a variety of strategies, from high-stakes ones to those that are experimental. If ySec bills the strategists for every review, it might slow down the strategy creation process. Moreover, the strategist team may want to get quotes from external audit firms rather than use the ySec internal team, and might opt for external audits instead of paying internally.
**What can ySec offer to strategists?**
Here's how the process of writing a strategy usually goes:
**Idea Stage:** A strategist thinks of a strategy.
**Coding:** The strategist translates this idea into code.
**Team Review:** The strategy undergoes peer reviews by other strategists.
**Security Review:** This is when ySec steps in to ensure the code's safety.
After this, once the strategy is deployed, the strategist gets a fee. Both the strategist and ySec have put in significant work, so in this scheme ySec can also get a smaller portion (TBD how much?) of the performance fee that the strategy generates, as they support the strategy's ongoing security.
**Here's what ySec will do in return:**
**Security Review:** ySec will scrutinize the code to spot any issues before it's rolled out.
**Recurring Reviews:** After the code's deployment, ySec will periodically review it to ensure its continued safety.
**Risk Scoring/Endorsing:** The ySec team will be tasked with managing and overseeing the on-chain risk framework, which would integrate with the v3 debt manager that caps risk on deployed strategies. As part of the review service, ySec will add that risk score so the strategy can grow in TVL and earn more performance fees.
**External Audit (Optional):** If a strategy uses third-party systems, ySec can check those as well, producing a due diligence (DD) document for the strategy (ySec is in charge of writing the DD as part of the service). This is a detailed task but is worth it for strategies handling large sums. If ySec spots an error and gets a reward (bug bounty), they'll share part of it with Yearn.
In essence, ySec's aim is to ensure that all strategies are safe while fostering collaboration with the Yearn team.
**Do we want to say something about monitoring protocols as part of the package deal?** @storm0x
`Storm, Weasel please add your thoughts here, that's how I feel so far about this section`
## What else ySec can offer to Yearn?
### Risk Framework
This is part of the strategy security review service above.
### Monitoring tools
This can also be part of the service.
### Writing strategies
An additional revenue source; it would need external reviews to sign off on some amount of TVL.
### Coding brand new products (yETH, Serpentor)
details
---
**Weasel comments**
- How will we manage the scores in the risk framework with the meta-vaults vs tokenized-vaults?
We should differentiate adding a vault into the risk framework on-chain vs. adding a vault into the registry (aka going to prod).
- Registry: the vault will be displayed in our website.
- Risk framework: maybe the website will have a label or something to say "Risk: low/medium/etc"
Regarding getting a fee in exchange for a security review, we should consider creating:
- Multiple fee layers: It is not the same (risk, our exposure as a team and as a protocol, cost, etc.) to review an Aave fork as a Meme protocol.
- Multiple security layers: idk exactly how/what, but just another idea.