Introducing yAcademy

thraull
Published in yAcademy
5 min read · May 2, 2022

Originating in the depths of the Yearn governance forums, yAcademy is maturing into its own spinoff — and hoping to aid in the growing demand for smart contract security.

To date, we have successfully completed two blocks of the Fellowship Program. Furthermore, our residents are already accepting and completing smart contract security reviews.

We are tackling a human scalability problem as protocols continue to innovate on the frontier. yAcademy aims to facilitate community education, participation, and awareness, while raising the baseline knowledge level of smart contract security.

Our core contributors are aligned in directing energy towards becoming more of a public goods service than a traditional for-profit business. Our approach stresses being communal, where collaboration is encouraged in a nimble, nurturing environment with minimal overhead.

Fellowship Program

At the heart of yAcademy lies the Fellowship Program, a development-driven learning experience.

The Fellowship is not an introductory-level program. Suitable applicants will be expected to have at least some software development experience, and to embrace the trial-by-fire 🔥, self-starter nature of open-source software.

Participants usually belong to one of the following buckets:

  • Fellows — smart contract developers looking to transition into security
  • Residents — ex-fellow graduates who excelled in a previous block, and are available to support fellows in the current block
  • Guest Project Developers — usually from projects requesting security reviews from yAcademy
  • Guest Speakers — security experts from their respective field who wish to educate on a topic of their choice
  • yAcademy Core* — responsible for coordinating, communicating, and ensuring program operational efficiency

*Some core members are also security researchers who participate in one of the other buckets.

Each fellowship iteration is organized into a block:

Fig 1: Anatomy of a yAcademy Block

Each block is a 4-week program. It begins with a welcome session, where the yAcademy core team gives an overview of the block and the fellows have a chance to greet each other.

Each week:

  1. Begins with a code overview from a project’s guest developer(s) — who remain available in the Discord for questions.
  2. (Excluding first week) Fellows also give a recap of their findings for the previous contracts they reviewed.
  3. During the week, fellows collaborate and review the codebase, with guidance from residents and guest developer(s).
  4. (Bonus) We usually have one or more guest speakers near the end of the week, who teach about a security topic, reflect on their experiences, or engage in discussions with our fellows. Previous guests have included leading security researchers such as samczsun, storm0x, doggie, flashfish0x, and cryptographers such as JP Aumasson.

Before the final session, block participants are introduced to Coordinape, to encourage meritocracy in recognizing and compensating fellows in a DAO-native manner. In the final session, the block is debriefed, and a panel of guest speakers reflect on their experiences and give block participants a chance for Q&A.

Residency and scaling

Fellow graduates who excel in the block will be invited to join our team of residents. By doing so, we also scale the program and ecosystem defence through a virtuous cycle:

→ more resources to support additional fellows → more residents → more fellows → more support → etc.

Our residents are expected to perform two main duties:

  1. Support fellows in the fellowship blocks.
  2. Perform security reviews for projects that are looking for a more time-sensitive and comprehensive review.

To elaborate on the first point: residents will provide support, answer questions, and may even take initiative in collaboration, but they are not expected to hand-hold the fellows in setup or dev tooling questions — the focus is on the code.

We recognize there is a fine balance between aiming to provide a public goods service, being self-sustainable, and compensating residents fairly. Therefore, projects looking for resident reviews are expected to have a budget for security reviews.

An illustrative overview

Living on-chain can be scary. Adversaries lurk in the shadows, and attack opportunistically.

yAcademy would like to be a source of comfort. A safe space to learn, discuss, and teach each other, so that we better protect ourselves against the Mallorys and Eves of the dark forest:

1. Stay safe

Fig 2: Cozy up in yAcademy — away from the laser eyes of Mallory & Eve

yAcademy consists of, and is surrounded by, like-minded individuals who place an emphasis on security. Together, we hope to provide a net-positive experience where projects, developers, and contributors all benefit and safely scale the ecosystem.

2. Before the Block: Codebase triage

Fig 3: Contrasting whether a project’s expectations and codebase are suitable for Fellows or Residents

After a project submits a form containing information such as their codebase, expectations, availability, and budget, the core team triages to determine whether the work is suitable for our residents, or our fellows.

3. During the Block: Interactivity

Fig 4: Residents are multithreaded creatures.

During the fellowship blocks, residents will also be working on other security reviews — unrelated to the block. Therefore, fellows are encouraged to take initiative, coordinate amongst themselves, and face challenges head-on.

But fret not! The program is focused on the fellows, and we do not want them feeling alone. Alongside the residents, project guest developers, core team members, and other contributors will all be around to provide fellow support.

4. After the Block: Defender of the ecosystem

Fig 5: More defensive programming — to level the playing field against malicious attackers.

By now, we will have all wished that these diagrams were instead drawn by DALL·E 2.

The figure above is supposed to illustrate that at the end of the block, if a fellow has successfully participated and completed a fellowship, the broader space will have benefited. A fellow is now capable of the following:

  1. Outstanding fellows with a clear talent for security are invited to join yAcademy, as residents.
  2. Returning to their home projects — or regular degen blockchain activities — equipped with more knowledge of defensive programming.
  3. Becoming a defender of the ecosystem: reviewing contracts themselves, bug-hunting via bounties, teaching and raising security awareness.

Looking ahead

yAcademy hopes to remain nimble, while scaling our programs and services in parallel tracks. As a sneak peek 👀, we are looking into a parallel track reviewing Rust codebases — with an emphasis on ZK (Zero-Knowledge).

We are excited to continue contributing to the security space, and improve as a community. Stay updated for future posts on retrospectives, and yAcademy’s plans to iterate, improve, and grow.
