When participating in a Code4rena mitigation review, your objectives are to:

Questions? Ask @Cloud Ellie.

Participation and no-shows

Any warden who is unable to participate in an invitational audit MUST inform C4 staff within 24h of the audit launch at the latest, so that an alternate can be arranged.

Failure to provide notice of non-participation will have a negative impact on your ability to participate in future invitationals and other certified warden opportunities.

Before you begin

What to include

What not to include

Submission guidelines for mitigation reviews

  1. Review each mitigation provided, and submit feedback on each one:
    1. For the in-scope mitigations, was the original bug fixed? In the “Mitigation status” dropdown, choose either Mitigation Confirmed or Unmitigated.
    2. Enter the reportID of the original finding (e.g. H-01, M-03, etc.).
    3. Your comments: please ****include the rationale for your assessment, and/or steps followed. Optionally, a quick screenshot or code snippet provides evidence that helps the sponsor and judge understand your conclusion.
  2. Newly-discovered HMs (either missed in the previous audit(s) or caused by an attempted mitigation) should be submitted via the audit submission form, as usual:
    1. In the “Mitigation status” dropdown, choose New.
    2. In the field labeled “Report ID of original finding,” please include the specific reportID of the original finding OR leave blank if not related to a specific original finding.
    3. Select the appropriate risk rating
    4. For HM errors found within mitigations, please use the title "[reportId] mitigation error"
    5. Include Vulnerability Details as you normally would for highs/mediums.

<aside> ‼️ Important note: You must submit a mitigation review for every finding from the parent audit that is listed as in-scope for the mitigation review. So if the parent audit had 2 Highs and 3 Mediums that the sponsor mitigated and are in-scope, you must submit a review for all 5 issues, to indicate whether they have been successfully addressed. Incomplete mitigation reviews will not be eligible for awards.

</aside>

Judging, discussion, and awarding

Once the mitigation review competition ends, C4 staff will add the sponsor team, judge, and participating wardens to the findings repo.

Wardens are asked to:

  1. First, look for opportunities for quick consensus: duplicate issues, unanimous agreement, etc.
  2. Then, look for differences of opinion for the judge to consider.
  3. Avoid engaging in ongoing debates and allow the judge to make a final determination based on input from wardens and sponsors.

The sponsor team will review and comment on the submissions concurrently with the wardens and judge.

Awarding will work as follows: