A look at Code4rena audits: Mitigation Reviews

Open audit competitions are the best way to keep high-severity bugs out of production. Because mitigating one bug can sometimes introduce another, Code4rena offers Mitigation Review competitions. Once new code is ready for review, the highest-performing Wardens who found the initial vulnerabilities are best placed to assess any refactoring.

So how do Mitigation Reviews work?

The ability to accurately understand a codebase’s context is one of the most important factors contributing to a security researcher’s success in finding vulnerabilities. With this offering, Sponsors have the opportunity to work with the highest-performing Wardens from their initial audits. These Wardens have a deeper understanding of the structure and intent of the code and are very familiar with the vulnerabilities the community identified in the first audit.

Depending on the Sponsor’s preference, the top 3 or top 5 Wardens from their previous audit competition will be a part of the Mitigation Review. The scope of the review includes:

  • Insertions: lines of code that are entirely new

  • Deletions: lines of code that are completely removed with no replacement

  • Changes: lines of code whose contents have been either partially or fully replaced

Does the judging and award process of Mitigation Reviews differ from usual C4 competitions?

It does indeed. Every participating Warden receives a minimum of 10% of the total pool; the remaining percentage is split at the end of the review according to the erroneous mitigations each Warden identified.

With regard to assessing the validity of Warden findings, a mitigation error has to be a hard error, not merely a stylistic one. Points are awarded based on the severity of each finding and then tallied to calculate the final split of the prize pool among the participating Wardens. If no vulnerabilities are found, the remainder of the pool is split evenly.

In Mitigation Reviews, we’ve found a powerful way to continue the mutually beneficial relationship between Sponsors and Wardens. We’re excited to release this offering: Sponsors can now have their mitigation code reviewed by Wardens with a deeply contextualized understanding of it, and Wardens are rewarded with additional opportunities for their initial contributions.

Get started

Code4rena has audited projects including OpenSea, ENS, Sushi, PoolTogether, Connext, BadgerDAO, NFTX, and Slingshot.

If you’re interested in running a Mitigation Review for your project — drop us a line. We can spin up something for you within 48 hours.