
Security

Information about Yearn's security processes, team members, disclosures, PGP keys and more can be found in the /yearn-security repo on GitHub.

Vulnerability disclosure process

Disclosure of potential vulnerabilities is welcome and should follow the guidelines established in /yearn-security/SECURITY.md. Valid vulnerabilities may be eligible for bounty rewards.

Audits

Reports from audits on Yearn's vaults, strategies, and other protocol components can be found under yearn-security/audits.

Security assumption

Yearn as a protocol hinges on the critical assumption that the Governance role is honest. This role is currently controlled by a 6 of 9 Gnosis Safe multisig.

A compromised or malicious Governance can cause catastrophic damage across the entire protocol.

It is a conscious design decision that this role is not behind a time lock. Priority is given to the ability to rapidly update and iterate on live vaults, strategies, and other components: both so as not to advertise new investment strategies in advance, and in order to rapidly improve existing components without interruption. It also avoids downtime whenever there is a bug or security vulnerability that needs to be fixed.

Trusting Governance to be honest is a prerequisite for being able to trust Yearn's vaults.

Modifications to these design decisions can be proposed in the forum through Yearn's governance process.