Discussion: Yearn Finance Security

This is a prior discussion for a security proposal for Yearn. All community feedback is welcome.

Suggestion One:

Yearn Finance / YFI currently uses two separate domains for its operations, which makes us more susceptible to phishing attacks and makes it extremely confusing for newcomers.

Domain 1: https://ygov.finance/

Domain 2: https://yearn.finance/

The proposal is to merge both objectives into a single domain.

Suggestion Two:

As you may have heard, Yearn Finance was subjected to a phishing attack on Discord.

To mediate this issue in the future, I propose a popup on Yearn’s website to indicate the correct domain and inform users to type in the domain instead of clicking links or Google searching it.

Suggestion Three:

We form a set of community security experts to look out for vulnerabilities related to Yearn’s operation routinely.

Example: Recently a security flaw on the newly deployed yVault was discovered by community member: @samczsun

(update: exploit was patched)

Whether these community experts will work on a volunteer basis or would be compensated is up to discussion.


Suggestion 1:
Pushed this one; once some UI/UX updates are ready, webpages will be merged.

Suggestion 2:
Not convinced that this solution is effective. However, would be glad to see more trustworthy people joining Discord as mods.

Suggestion 3:
Would be great to test in dev before pushing to prod. Oh, wait…

Solid points overall, thank you!


Would support a security budget for audits and miscellaneous admin budget for hosting costs.


Can we create a donation contract that people can contribute to for security-related spends with the promise that it will be refilled and contributors refunded when issuance is decided upon?

Could get a slight return on deposit up to a certain amount invested. Clearly there would be trust that the governance process would repay the funds, but considering it just created 80 million dollars of value, I assume we could get enough people to contribute.


So just to be clear, a community security fund, with a ROI on it?

As a quick fix, can propose to open Gitcoin grant one of the multisig signer wallets.

Otherwise, might have to wait for something similar to YIP-14.

Sounds like speed is imperative so that’s probably a good idea. Can we record who contributes to refund later?

Agreed with Gitcoin approach.
And once YIP-14 is passed it can be a back-up fund?

If we do Gitcoin grant I’d prefer it to be one way road – no refunds. However, it is possible to backtrack payments.

That’s fine. I was just worried it wouldn’t get enough contributions.

I’d be willing to donate to a Gitcoin grant, but if we go the refund route I would contribute significantly more. I’m okay either way.

edit: How much do we need? The ideal form might depend on that.

edit 2: It’s probably better to go the donation way for now. We can’t make financial decisions without an official vote imo.

Crossposting from YIP14: yEarnRewardsReserve

Paying out all our revenue as a startup doesn’t make much sense to me. Wondering if others feel the same way and if it’s worth a Proposal.

I feel the protocol should account for a percentage of fees being allocated to support development and security. Look to OpenSSH for a model where altruistic developers did not work. The protocol is already housing a significant amount of value and a smart contract vulnerability could be catastrophic. The development team should be free to allocate funds how they want to but I feel this should come from protocol fees and not just the community.


As soon as you create something valuable, the first thought should be on how to safeguard it. Security budget should definitely be a priority!