⏰ Scheduling your mitigation review
<aside>
Usually we can kick off the mit. review within a few days of judging + mitigations being completed, and they typically run for 5 days.
</aside>
- Your mitigations must be submitted, and your mitigation review repo set up, at least 2 business days before launch.
- Mitigations of all High and Medium issues (we call them "HMs" for short) will be considered in-scope. We don't expect you to mitigate every QA / Gas issue, so we exclude those from mit. reviews.
- For competitive mitigation reviews: Judging on the “parent” audit must be 100% finalized at least 3 business days prior to the mitigation review launch. This ensures that wardens have a clear source of truth for all findings that are being mitigated — and allows us to assign the mitigation review to the top-performing wardens from your audit.
⚙️ Technical guidelines
While judging for your audit is underway, your team should work through whatever mitigations you choose to pursue. For each mitigation, you'll leave a comment on the related C4 finding, linking to the PR that resolves it.
- Wherever possible, we ask that you create a single branch in your own organization’s repo containing all related pull requests (PRs). This branch should be based on the commit you used for your Code4rena audit.
- Mitigations should be provided in separate pull requests, one per finding. If that is not possible (e.g. because several audit findings stem from the same core problem), then please add the PR link via comment to all relevant findings it resolves.
- Most C4 mitigation reviews focus exclusively on reviewing mitigations of High and Medium risk findings. QA mitigations should go in a separate branch.
- If you want your mitigation review to include QA or Gas-related PRs, please reach out to C4 staff and let’s chat!
- Note that if you provide all fixes in a single PR, and it appears that unrelated issues have been combined, C4 staff may request that you split it apart.
- Please also include the following, if applicable:
    - contract changes
    - updated tests
    - updated documentation
    - an overview of changes
👥 How C4 mitigation reviews work
- Wardens can submit both reviews of the mitigations themselves (e.g. mitigation confirmed/disputed) as well as newly-introduced High and Medium risk issues.
- Competitive mitigation reviews are structured similarly to our competitive audits, with a start and end date and a judge who will assess the risk and validity of any newly discovered findings.
- C4 staff will provide you with a private Github repo where you can post links to your branch and PRs along with any additional information you wish to share with the participating wardens. All info can be added to the README file.
- C4 staff will post the mitigation review for RSVP - typically we recruit 3 of the top-performing wardens from your audit to compete in the mit. review.
<aside>
📛 If there are any wardens who participated in your audit that you're especially keen to include in the mitigation review, please share their usernames with C4 staff. Our standard approach for mitigation reviews is to open the RSVP to all participants in your audit, and award it to the 3 highest-ranking wardens who raise their hands - but we can also extend the invite to a warden of your choice, if there's someone in particular whose contributions you valued.
</aside>
During the mitigation review
- As with Code4rena audits, participating wardens may reach out to you in the audit channel or a private thread with questions. Please make yourself available for the duration of the mitigation review, and keep an eye on the warden-facing channel for questions as well.
<aside>
❗ A code freeze is in effect during the mitigation review.
</aside>
After a competitive mitigation review
Once the mitigation review competition ends, C4 staff will give the sponsor team, judge, and participating wardens access to the submissions.
- Wardens and judge are asked to look for opportunities for quick consensus: duplicate findings, unanimous agreement, etc.