TL;DR
I’m an independent security researcher who recently sent two responsible disclosures to Yearn’s published PGP security contacts via dhalbert517@tutamail.com on 2026-04-22 and 2026-04-24 (subject lines intentionally withheld from this public post while triage is ongoing — the PGP recipients can match by sender + date on their end).
I’d like to do one month of review covering recent code changes since the last external audit on Yearn V3 strategies + periphery, with all findings routed through the existing PGP thread. If the output is useful, I’d welcome a retroactive grant of up to $1,500 USDC at the DAO’s discretion. No payment up front. No work starts unless a core contributor or designated security reviewer replies in-thread (or via PGP) that a retroactive private review is plausibly grantable.
Posting here to gather feedback on scope, ask size, and whether this path makes sense at all. Feedback welcome.
What the month would cover
Between external audits, Yearn V3 ships new strategies and tunes existing ones continuously. Immunefi covers reactive disclosure; external audits (StateMind, ChainSecurity, yAudit on V3) cover pinned-commit moments; the gap between them is where a light proactive review may add marginal value.
In scope (one month):
- yearn-vaults-v3
- core + any new V3 strategy deployed during the month
- tokenized-strategy-periphery
- yv3-liquityv2-sp-strategy
- Any other V3 strategy repo the Yearn security team flags as priority
Out of scope: external deps (Curve / Morpho / Aave / LiquityV2 core) unless directly called by an in-scope file; front-end / governance code; V2/legacy vaults; anything with an active Immunefi live disclosure.
Deliverable
Private report to Yearn’s PGP security contacts at end of month, covering:
- Pinned commits reviewed per repo
- Findings list (severity, contract, function, line, impact, remediation)
- Methodology notes (tooling config, review scope, assumptions made)
If Yearn’s security team subsequently judges a sanitized public summary is safe + useful, I’d be happy to publish one after the PGP thread confirms. Not a precondition of the pilot.
Who I am
- Author of two April 2026 disclosures to Yearn’s published PGP contacts from dhalbert517@tutamail.com. Verifiable on the Yearn side by sender + date.
- Independent researcher operating under the pseudonym “Daniel Halbert”. No legal entity, no KYC path available. Payout (if approved) would go to 0x7899ecdA789C5EF673999dcF9Fd40cE9B67002E4.
Trigger / termination
- Proceed: only if a Yearn core contributor or designated security reviewer replies (in this thread or via PGP) within 7 days indicating retroactive review is at least plausible. If no such signal arrives, I’ll assume there’s no current operational bandwidth for this and withdraw the proposal quietly.
- If proceed: deliver the private Month-1 report to the PGP thread by end of month. Yearn security reviews. Up to $1,500 USDC is transferred retroactively at Yearn’s discretion if the output is useful. If marginal, no payment — pilot ends cleanly, no follow-up.
- Zero upfront, zero long-tail commitment either way.
One open question
Yearn’s Immunefi program is no-KYC-at-payout; is that same tolerance available for a small retroactive monitoring grant routed through governance? That is the single gate for whether the pilot can proceed under pseudonymous operation. Appreciate any signal either way.
— Daniel Halbert