Discussion: Yearn Finance Security

This is a prior discussion for a security proposal for Yearn. All community feedback is welcome.

Suggestion One:

Yearn Finance / YFI currently uses two separate domains for its operations, which makes us more susceptible to Phishing attacks and makes it extremely confusing towards newcomers.

Domain 1: https://ygov.finance/

Domain 2: https://yearn.finance/

The proposal is to merge both objectives into a single domain.

Suggestion Two:

As you may have heard, yearn finance was subjected to a Phishing attack on discord.

To mediate this issue in the future, I propose a popup on Yearn’s website to indicate the correct domain and inform users to type in the domain instead of clicking links or google searching it.

Suggestion Three:

We form a set of community security experts to look out for vulnerabilities related to Yearn’s operation routinely.

Example: Recently a security flaw on the newly deployed yVault was discovered by community member: @samczsun

(update: exploit was patched)

Whether these community experts will work on a volunteer basis or would be compensated is up to discussion.

12 Likes

Suggestion 1:
Pushed this one, once some UI\UX updates are ready, webpages will be merged.

Suggestion 2:
Not convinced that this solution is effective. However, would be glad to see more trustworthy people joining discord as mods.

Suggestion 3:
Would be great to test in dev before pushing to prod. Oh, wait…

Solid points overall, thank you!

4 Likes

Would support a security budget for audits and miscellaneous admin budget for hosting costs

11 Likes

Can we create a donation contract that people can contribute to for security related spends with the promise that it will be refilled and contributors refunded when issuance is decided upon?

Could get a slight return on deposit up to a certain amount invested. clearly there would be trust that the governance process would repay the funds, but considering it just created 80 million dollars of value, I assume we could get enough people to contribute.

3 Likes

Interesting.
So just to be clear, a community security fund, with a ROI on it?

As a quick fix, can propose to open gitcoin grant one of the multisig signer wallets.

Otherwise, might have to wait for something similar to YIP-14.

1 Like

sounds like speed is imperative so that’s probably a good idea. Can we record who contributes to refund later?

Agreed with Gitcoin approach.
And once YIP-14 is passed it can be a back-up fund?

If we do gitcoin grant I’d prefer it to be one way road – no refunds. However, it is possible to back track payments.

1 Like

That’s fine. I was just worried it wouldn’t get enough contributions

1 Like

I’d be willing to donate to a gitcoin grant, but If we go the refund route i would contribute significantly more. I’m oke either way.

edit: How much do we need? the ideal form might depend on that.

edit 2: It’s probably better to go the donation way for now. We can’t make financial decisions without an official vote imo.

1 Like

Crossposting from YIP14: yEarnRewardsReserve

Paying out all our revenue as a startup doesn’t make much sense to me. Wondering if others feel the same way and if it’s worth a Proposal.

I feel the protocol should account for a percentage of fees being allocated to support development and security. Look to OpenSSH for a model where altruistic developers did not work. The protocol is already housing a significant amount of value and a smart contract vulnerability could be catastrophic. The development team should be free to allocate funds how they want to but I feel this should come from protocol fees and not just the community.

2 Likes

As soon as you create something valuable, the first thought should be on how to safeguard it. Security budget should definitely be a priority!

4 Likes