We provide samczsun with an offer he can’t refuse to become the first hire of a yEarn auditing academy that attracts and mentors top talent. Survival of the fittest: real contracts are audited, and mentees are expected to follow along and start adding value. Mission: audit yEarn contracts in a collaborative and semi-structured process. Auditors that shine are rewarded, and if they shine even more, are offered a permanent position in the academy. The mentees become mentors. Eventually the academy could grow to become a profitable auditing wing of yEarn offering its services to the outside world for hefty premiums.
The yEarn technical community is innovating at a rapid speed. Efforts must be made to mitigate software bugs. Auditing talent is currently scarce and will continue to be for some time because the pace of innovation in smart-contract products is much faster than that of producing auditors.
The yEarn community already expends a significant amount of time negotiating audit contracts or coordinating one-off informal audits. Planting the seed for an auditing wing of yEarn will bring immense benefits in the short and long term. If structured and run efficiently, we should witness the rise of a new breed of excellent auditors coming out of the academy.
The yEarn community should then incentivise rising stars to stay and continue to work on yEarn contracts full time. As yEarn matures over time, auditors can begin to offer services to the outside world. At that point, the Academy becomes a self-sufficient and potentially massively profitable sub-DAO. The yEarn community will of course own part of it, and should get back all the money it invested in the academy, and then some.
yEarn is innovating at an ever-increasing speed
Software bugs are a matter of “when” and “how bad”, not “if”. We must make mitigation efforts.
Auditing firms are overbooked, and they have a financial incentive to speed up audits, which can affect quality.
Negotiating audit contracts with auditing firms is a laborious and clunky analog process.
yEarn is a hub of innovation and, as a result, should attract top talent.
Smart contracts will probably experience an even bigger Cambrian explosion once enterprises start using permissionless networks such as Ethereum as a settlement layer. Hence, the Academy will most likely become a highly profitable organization, thereby paying back all the investment put into it … and then some.
If done correctly and efficiently, we should soon see mentees graduating to become paid mentors themselves.
This is a rough spec and should not be considered final.
The academy is governed by YFI holders but not micro-managed.
Start with two members: samczsun and a support admin that handles the onboarding of new auditors and the maintenance of the collaboration platform.
Communication between auditors and mentees is kept as efficient as possible. No endless tm discussions, but rather streamlined lines of communication. A platform of sorts. TBD.
The curriculum is a trial-by-fire type of thing: mentees walk along the process of auditing a contract, receiving hints and/or assignments; results are shared in a certain format, etc.
Mentees join by invitation only, and are unpaid.
Mentees that show merit begin to receive rewards. If they continue shining, they become permanent members with competitive compensation.
Traditional ways of education and collaboration are obsolete.
Invitation-only is an efficiency measure, to make sure time and energy are not wasted hand-holding mentees. But anyone who shows interest and meets the basic minimal requirements should get an invitation.
Merit-based: auditors that stick around and bring value are rewarded.
Synchronous communication is inefficient.
Some structure in the collaboration between mentors and mentees is needed to reduce time waste.
No time is wasted authoring educational materials: this is a trial-by-fire type of situation, mentees learn by walking along the auditing process of real contracts.
We should begin efforts to establish an in-house auditing academy
We should keep the status quo by relying on volunteer auditing, ad-hoc bounties and as-needed contracts with auditing firms.
Yes, let’s begin efforts to establish an in-house auditing academy
EDIT: the name yAudits was suggested (h/t @Dogetoshi@CryptoCap and bluekirby) but others also pointed out that the Academy should over time establish some sort of independence from yEarn so as to not influence the quality of audits (h/t @Beepidibop@1A1zP1eP5). My recommendation would be a middle ground where the Academy is a sub-DAO of yEarn, but with some “board-of-governors”-type power and majority ownership still held by YFI governance, since the Academy is funded by yEarn after all. A minority ownership share of the sub-DAO could go to the auditors that ultimately end up being voted in as permanent members … as an incentive for them to stay and work for the Academy (like when startups offer shares to early devs).
yAudit – I love the sound of it. But what incentives are there for someone to audit YFI’s code for free? Just the hope to work with us officially later? How expensive would/could this be exactly? Sounds great, I just have a lot of questions and would love to get more formal details about it
I definitely support the idea of fostering auditing skill within Yearn, but I’m not sure what exactly it would take to poach Sam away from Trail of Bits. But yes, I’m down for exploring our options here.
I am in the process, with a dedicated team, of first developing a secure deployment and auditing process for contracts that allows the community to observe the audit.
We plan to quickly move to provide free education for auditors and developers provided we can secure the donations.
Our token will allow the community to provide direction to the non-profit board, with security against vote manipulation provided by being bound by the charter of the non-profit.
Please let me know if you would like to discuss our project. We have some fun ideas to make it not only valuable, but engaging for the community.
Our biggest hurdle is securing the proper legal advice for proper incorporation. Several on the have experience with forming a tax-exempt non-profit, but proper legal advice should always be retained first.
Overall support, but I think our in-house audit team should refrain from advertising audits on our own code, since it looks weird PR-wise (e.g. “The only ones saying their code is good are yearn themselves.”)
But an in-house audit team has the added benefit that we can rely on them when we’re considering building strategies for new platforms. Since it’s in house it might be more responsive to our needs than an external team.
A friend of mine told me about this thread. I work as a pentester and work with a good handful of different languages, so I think I could get up to speed decently quickly in SOL, but does this group have any suggestions on getting up to speed quickly other than RTFM? Thanks.
This is a really cool idea. Thanks for proposing it.
I think something like this could be more attractive to the founding member if it’s set up as its own project from the very beginning (maybe via a yVCvault-funded initiative?). This way the goal would always be to end up with an independent organization, which would provide strong incentives for the founding team. Initially this person (team) could work as part of the yEarn team and only audit yEarn contracts, but once the team has some experience and there is demand for their work outside of yEarn, they could smoothly transition to become a separate DAO.
As to the approach followed to train new auditors, I would leave that to samczsun, but personally learning by doing sounds like a good idea as I 100% agree that traditional ways of education and collaboration are obsolete.
Great idea for Auditing Academy. Poaching sounds like he may not be interested though. Please be sure that samczsun has genuine interest to put this above his other endeavors. This is a very serious full time position that requires constant diligence and fast action under fire when things go wrong.
Have the education process be handled by a non-profit taking input from the community and sector experts.
Managing the definition of standards through a community vote. We will need to be careful that bad actors can’t manipulate the vote, but we can work on that. And the non-profit charter can help prevent that.
Additionally, we have a design that will record the auditor’s work, streamed live through IPFS, with an archived video, any auditor reports, test results, dev documentation, and the contract DAPP all uploaded to IPFS. The store of the auditor’s record can have its key burned so it’s stored in perpetuity.
The link to the IPFS store with the auditor’s archive of work can be wrapped in an IPLD token and deposited in the contract such that it can’t be removed. This way, the code on the chain will always have a link to its auditor report with video.
Awesome idea as long as it’s an addition to 3rd party audits for yearn contracts. Self-audits aren’t a good idea even if they’re a different section or team. But will definitely improve confidence in the yearn code.
As a source of income there’s a limit to how much this can scale, so it has to be managed separately so it won’t interfere with yearn’s main products.