Open audit competitions are the best way to keep high-severity bugs out of production. Because mitigating one bug can sometimes introduce another, Code4rena offers Mitigation Review competitions. Once new code is ready for review, the highest-performing Wardens who found the initial vulnerabilities are best placed to assess any refactoring.
So how do Mitigation Reviews work?
The ability to accurately understand a codebase’s context is one of the most important factors contributing to a security researcher’s success in finding vulnerabilities. With this offering, Sponsors have the opportunity to work with the highest-performing Wardens from their initial audits. These Wardens have a deeper understanding of the structure and intent of the code and are very familiar with the vulnerabilities the community identified in the first audit.
Depending on the Sponsor’s preference, the top 3 or top 5 Wardens from their previous audit competition will be a part of the Mitigation Review. The scope of the review includes:
Insertions: lines of code that are entirely new
Deletions: lines of code that are completely removed with no replacement
Changes: lines of code whose contents have been either partially or fully replaced
Does the judging and award process of Mitigation Reviews differ from usual C4 competitions?
It does indeed. Every participating Warden receives a minimum of 10% of the total pool, with the remaining percentage being split upon completion based on erroneous mitigations identified.
In regards to assessing the validity of Warden findings, a mitigation error has to be a hard error, not just a stylistic one. Points are distributed based on the severity of the finding, which are then tallied up to calculate the final split of the prize pool between the participating Wardens. If no vulnerabilities are found, then the remainder of the pool is split evenly.
In Mitigation Reviews, we’ve found a powerful way to continue the mutually beneficial relationship between Sponsors and Wardens. We’re excited to release this offering as now Sponsors can have their mitigatory code reviewed by Wardens with a deeply contextualized understanding, and Wardens are rewarded with additional opportunities for their initial contributions.
Code4rena has audited projects including OpenSea, ENS, Sushi, PoolTogether, Connext, BadgerDAO, NFTX, and Slingshot.
If you’re interested in running a Mitigation Review for your project — drop us a line. We can spin up something for you within 48 hours.