When participating in a Code4rena mitigation review, your objectives are to:
- Review all mitigations submitted by the sponsor, and assess whether they’re sound
- Share your feedback for each mitigation — which typically corresponds to a High or Medium risk finding in their most recent C4 audit
- Flag any newly-introduced bugs or vulnerabilities
Questions? Ask @Cloud Ellie.
Participation and no-shows
Any warden who is unable to participate in an invitational audit MUST inform C4 staff within 24h of the audit launch at the latest, so that an alternate can be arranged.
Failure to provide notice of non-participation will have a negative impact on your ability to participate in future invitationals and other certified warden opportunities.
Before you begin
- C4 staff will ensure that judging is complete on the “parent” audit before the mitigation review begins.
- The sponsor is instructed to create a single branch in their own repos containing all related PRs. There will be a separate PR per finding, e.g. mitigation of H-01, mitigation of M-03, etc. (This way the wardens can review all discussions related to the vulnerabilities that were found.) Though we do understand that sometimes the findings are interrelated and stem from a shared problem in the code, in which case a shared PR is fine.
- All warden(s) assigned to the mitigation review should have the certified Security Researcher (SR) role, so they can view the findings repo for the preceding / parent audit.
What to include
- Commentary on each High and Medium finding’s mitigation
<aside>
⚠️ Occasionally, QA and Gas fixes are also included in the scope of mitigations to be reviewed. The repo README will always outline the complete scope of mitigations to be reviewed, and should be considered the definitive source for any questions about scope.
</aside>
- Additional HM findings you discover
- Depending on the type of mitigation review (Solo or Versus), please refer to the instructions below as well.
What not to include
- There’s no need to provide a disclaimer regarding completeness or liability; Code4rena’s agreements with sponsors, and our reports, already include disclaimers and language about limitations. (For example, here.)
- Some HM issues from the preceding audit may be “acknowledged” by the sponsor; i.e. they do not intend to fix the issues for various reasons. These should be listed in the “Out of scope” section of the Mitigation Review repo README file, and a review should not be submitted for these.
- New low-severity / non-crit / Gas findings: you’re welcome to submit these as a courtesy, but there’s no need to do so.
- Vulnerabilities submitted during the preceding audit should not be submitted as new HM issues during the mitigation review. They will be considered out of scope and ineligible for awards. If a warden feels an issue from the preceding audit was overlooked or undervalued, it is recommended to look into submitting it to the sponsor via other channels (e.g., a bug bounty program).
Submission guidelines for mitigation reviews
- Review each mitigation provided, and submit feedback on each one:
- For the in-scope mitigations, was the original bug fixed? In the “Mitigation status” dropdown, choose either “Mitigation Confirmed” or “Unmitigated”.
- Enter the reportID of the original finding (e.g. H-01, M-03, etc.).
- Your comments: please include the rationale for your assessment, and/or steps followed. Optionally, a quick screenshot or code snippet provides evidence that helps the sponsor and judge understand your conclusion.
- Newly-discovered HMs (either missed in the previous audit(s) or caused by an attempted mitigation) should be submitted via the audit submission form, as usual:
- In the “Mitigation status” dropdown, choose “New”.
- In the field labeled “Report ID of original finding,” please include the specific reportID of the original finding OR leave blank if not related to a specific original finding.
- Select the appropriate risk rating
- For HM errors found within mitigations, please use the title "[reportId] mitigation error"
- Include Vulnerability Details as you normally would for highs/mediums.
<aside>
‼️ Important note: You must submit a mitigation review for every finding from the parent audit that is listed as in-scope for the mitigation review. So if the parent audit had 2 Highs and 3 Mediums that the sponsor mitigated and are in-scope, you must submit a review for all 5 issues, to indicate whether they have been successfully addressed. Incomplete mitigation reviews will not be eligible for awards.
</aside>
Judging, discussion, and awarding
Once the mitigation review competition ends, C4 staff will add the sponsor team, judge, and participating wardens to the findings repo.
Wardens are asked to:
- First, look for opportunities for quick consensus: duplicate issues, unanimous agreement, etc.
- Then, look for differences of opinion for the judge to consider.
- Avoid engaging in ongoing debates and allow the judge to make a final determination based on input from wardens and sponsors.
The sponsor team will review and comment on the submissions concurrently with the wardens and judge.
Awarding will work as follows:
- Participation pool: 30% of the mitigation review pool will be divided equally among all participating wardens who meet the following criteria:
- submits a review of every in-scope mitigation;
- all reviews meet the criteria of a satisfactory OR nullified submission.
Please refer to the C4 docs for current definitions of satisfactory/unsatisfactory. TL;DR -
- Satisfactory: review is both valid and meets expectations for quality of submission
- Nullified: review meets expectations for quality of submission, but is proven invalid by another warden's review or HM finding. (Note: please use this instead of changing the original labels from “mitigation confirmed” to “unmitigated”, or vice versa)
- Unsatisfactory: review is of insufficient quality
To facilitate the integration of final mitigation statuses into the audit report, judges are requested to add the “confirmed for report” label to indicate their agreement with either “mitigation confirmed” or “unmitigated” status. Please add this label to one issue within each set of duplicates. It's important to note that this label is solely for reporting purposes and does not affect the awarding process.
For newly-discovered HMs, please continue to use the “selected for report” and “duplicate” labels as usual.