[Ethereum] Yearn v2 - Security Rating 4

Security Rating Level: 4
Evaluation Date: Dec 20th, 2021

1. History & Team (Weight 20%; Score 92)

1.1 Project age (8%; 80)
Launched on mainnet in Jan 2021; live for 12 months.
1.2 Past exploits (8%; 100)
Yearn v2 has not been attacked in the past 12 months.
1.3 Team anonymity (2%; 100)
The team is public.
1.4 Team experience in programming (2%; 100)
The founder, Andre Cronje, has worked in software engineering since 2009 or earlier.

2. Exposure (Weight 25%; Score 69)

2.1 Historical TVL (17.5%; 80)
Average market share in the past 4Q: 3.7%, 3.9%, 4.1%, 3.9%
Data collected from Yearn-finance Protocol: TVL and stats - DefiLlama
2.2 Industry segment (5%; 40)
Yearn is a yield aggregator
2.3 Infrastructure (2.5%; 50)
By the nature of the business, heavy use of oracles is needed for price feeds.

3. Audit (Weight 35%; Score 83)

Audit report available on: yearn-security/audits at master · yearn/yearn-security · GitHub
3.1 Transparency and scope (14%; 100)
A full-scope audit was done, and the report is public.
3.2 Audit firm trust score (10.5%; 70)
Audited by MixBytes and Trail of Bits, Tier 2 audit firm
3.3 Audit findings (10.5%; 40)
Critical issues were found in audit
3.4 Other credits (up to additive 5.25%; 10)
Core smart contracts audited by multiple firms; audit done before deployment

4. Code quality (Weight 15%; Score 80)

Repository on GitHub: yearn/yearn-vaults: Yearn Vault smart contracts
4.1 Documentation
Excellent documentation.
4.2 Test
Comprehensive testing done, with 100% code coverage.

5. Developer community (Weight 5%; Score 93)

5.1 Bug bounty program (3.5%; 90)
Exists. Reward up to $200,000
5.2 Issues raised on GitHub (1.5%; 100)
136 issues raised on the GitHub repository

The N-SCOSS for Compound is 81.35, level 4