[Proposal] [Poll] Hire a pentesting company to check the main frontends used to interact with Yearn contracts

Hire a pentesting company to check the main servers and frontends used to interact with Yearn contracts

This would be done in perpetuity, but only the first audit would be more costly. Afterward, they’d just do a faster check each month. This would permit us to display on the website a badge saying something like “Secured by …”.

Additionally, we would implement whatever security protocols they recommend. For example, who has access to changing the frontend? How is that access secured? Who has access to the actual server? How is that secured? And so on.

Testing and contract audits won’t help us much if someone hacks yearn.finance and changes the website to call functions with the wrong arguments, or other similarly bad stuff. This is highly needed.

I will formalize the proposal during the next few days. We should come up with suggestions on what pentesting company we should go for, and what’s the budget.

Poll:

  • Let’s do this!
  • No.

This thread is for discussion and for polling sentiment (same as https://snapshot.page/#/yearn), therefore I guess I’ll also have to submit a YIP, right?
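The scenario the proposal describes (someone alters the deployed website so it calls contracts with the wrong arguments) is exactly what a release-integrity check catches. The following script is an added example, not code from the thread or from Yearn: it assumes the release pipeline records a SHA-256 manifest of every built frontend file, and that a monitor later fetches the same paths from the live site and compares them. File names, contents and the `0x..._PLACEHOLDER` addresses are constructed sample data.

```python
"""Release-integrity check for a static frontend (illustrative, assumed tooling).

Idea: the release pipeline records a SHA-256 manifest of every file in the
build it published; a monitor later fetches the same paths from the live site
and compares. Any difference means the live frontend is not the code that was
reviewed and deployed, which is the "someone changed the website" scenario.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """files: relative path -> bytes, as produced by the release build."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_deployment(manifest: dict, served: dict) -> dict:
    """manifest: path -> expected sha256; served: path -> bytes fetched from the live site.

    Reports files whose content changed, files that disappeared, and files the
    release never contained (an injected script, for instance).
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in served:
            report["missing"].append(path)
        elif sha256_hex(served[path]) != expected:
            report["modified"].append(path)
    for path in served:
        if path not in manifest:
            report["unexpected"].append(path)
    return report


def is_clean(report: dict) -> bool:
    return not any(report.values())


# Constructed sample data: a tiny "release" and a tampered live copy.
RELEASE_FILES = {
    "index.html": b'<html><script src="static/app.js"></script></html>\n',
    "static/app.js": b"const VAULT = '0xVAULT_PLACEHOLDER';\nsend(VAULT, amount);\n",
    "static/style.css": b"body{margin:0}\n",
}

LIVE_FILES = {
    "index.html": RELEASE_FILES["index.html"],
    # Modified bundle: deposits now target a different (placeholder) address.
    "static/app.js": b"const VAULT = '0xATTACKER_PLACEHOLDER';\nsend(VAULT, amount);\n",
    # style.css is absent, and a file that was never part of the release appeared.
    "static/inject.js": b"/* not in release */\n",
}


def demo() -> dict:
    """Run the check over the constructed sample and return the report."""
    manifest = build_manifest(RELEASE_FILES)
    return verify_deployment(manifest, LIVE_FILES)


if __name__ == "__main__":
    r = demo()
    print("clean" if is_clean(r) else f"TAMPERED: {r}")
```

In practice the `served` dictionary would be filled by fetching each manifest path over HTTPS from the public hostname (not from the origin server, so a tampered CDN or DNS record is also caught), and a non-clean report would page whoever holds the deploy keys; the monthly re-check the proposal mentions is a natural place to run it.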

Alternatively, we could extend the bug bounty program to cover this.

The bug bounty seems like the easier way to go.
