├── .gitbook
└── assets
│ ├── Capture.PNG
│ ├── CleanShot 2024-02-07 at 16.07.31@2x.png
│ ├── First Flights (1).png
│ ├── README TEMPLATE (1).md
│ ├── README TEMPLATE (2).md
│ ├── README TEMPLATE.md
│ ├── Screenshot 2023-08-30 at 11.33.30.png
│ ├── Screenshot 2023-08-30 at 11.34.19 (1).png
│ ├── Screenshot 2023-08-30 at 11.34.19.png
│ ├── Untitled-2024-01-31-1203.png
│ ├── image (1) (1) (1).png
│ ├── image (1) (1).png
│ ├── image (1).png
│ ├── image (10).png
│ ├── image (11).png
│ ├── image (12).png
│ ├── image (13).png
│ ├── image (14).png
│ ├── image (15).png
│ ├── image (2) (1) (1).png
│ ├── image (2) (1).png
│ ├── image (2).png
│ ├── image (3) (1) (1).png
│ ├── image (3) (1).png
│ ├── image (3).png
│ ├── image (4) (1).png
│ ├── image (4).png
│ ├── image (5) (1).png
│ ├── image (5).png
│ ├── image (6) (1).png
│ ├── image (6).png
│ ├── image (7) (1).png
│ ├── image (7).png
│ ├── image (8) (1).png
│ ├── image (8).png
│ ├── image (9) (1).png
│ ├── image (9).png
│ ├── image.png
│ └── readme(1).md
├── .gitignore
├── README.md
├── SUMMARY.md
├── create-and-submit-a-first-flight.md
├── faqs.md
├── first-flights.md
├── glossary.md
├── hawks-auditors
├── appeals.md
├── how-does-xp-work.md
├── how-to-create-and-submit-a-poc.md
├── how-to-determine-a-finding-validity.md
├── how-to-evaluate-a-finding-severity.md
├── how-to-write-and-submit-a-finding.md
├── payouts.md
├── quick-start.md
├── the-kick-off-period.md
└── what-is-an-auditing-competition.md
├── judging
├── community-judging-eligibility.md
├── disqualification-criteria.md
├── how-community-judging-works.md
├── payouts-and-rewards.md
└── the-judging-process.md
├── protocol-teams-sponsors
└── the-auditing-process.md
└── tools.md
/.gitbook/assets/Capture.PNG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/Capture.PNG
--------------------------------------------------------------------------------
/.gitbook/assets/CleanShot 2024-02-07 at 16.07.31@2x.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/CleanShot 2024-02-07 at 16.07.31@2x.png
--------------------------------------------------------------------------------
/.gitbook/assets/First Flights (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/First Flights (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/README TEMPLATE (1).md:
--------------------------------------------------------------------------------
1 | # Protocol Name
2 |
3 |
8 |
9 |
10 | ## Contest Details **THESE WILL BE PREPENDED TO THE SUBMITTED README BY THE CYFRIN TEAM**
11 |
12 | - Total Prize Pool:
13 | - HM Awards:
14 | - Low Awards:
15 | - GAS, Informational, or QAs Awards:
16 | - Starts
17 | - Ends
18 |
19 | ## Stats **THESE WILL BE PREPENDED TO THE SUBMITTED README BY THE CYFRIN TEAM**
20 | - nSLOC:
21 | - Complexity Score:
22 | - Dollars per Complexity:
23 | - Dollars per nSLOC:
24 |
25 | ## About the Project
26 |
27 | This section should give auditors a feeling for what the protocol does, it's primary functions and the goals it hopes to achieve. Can include links to project websites or docs
28 |
29 | Example:
30 |
31 | ```
32 | About
33 |
34 | This project is meant to enable smart contract auditors (sellers) and smart contract protocols
35 | looking for audits (buyers) to connect using a credibly neutral option, with optional arbitration.
36 |
37 | [Documentation](www.docs.com)
38 | [Website](www.protocolwebsite.com)
39 | [Twitter](www.twitter.com/handle)
40 | [GitHub](www.GitHub.com/account)
41 | ```
42 |
43 | ## Actors
44 |
45 | Detail which roles are included within your protocol, for example 'owner', 'borrower', 'organizer' etc. Draw clear links and outline the powers each actor should have and expected limitations to those powers. Please clearly detail your expected centralization risks.
46 |
47 | Example:
48 |
49 | ```
50 | Actors:
51 | Buyer: The purchaser of services, in this scenario, a project purchasing an audit.
52 | Seller: The seller of services, in this scenario, an auditor willing to audit a project.
53 | Arbiter: An impartial, trusted actor who can resolve disputes between the Buyer and Seller.
54 | The Arbiter is only compensated the arbiterFee amount if a dispute occurs.
55 | ```
56 |
57 | ## Scope (contracts)
58 |
59 | This section should give auditors a clear understanding of what files and directories are included within the scope of the contest. You can itemize every applicable file, or list particular folders or directories, but please be specific and thorough. This will server as an auditors ultimate reference point for what to focus on. Please include a commit hash
60 |
61 | Example:
62 | ```
63 | All Contracts in `src` are in scope.
64 | ```
65 | ```js
66 | src/
67 | ├── Beedle.sol
68 | ├── Fees.sol
69 | ├── Lender.sol
70 | ├── Staking.sol
71 | ├── interfaces
72 | │ ├── IERC20.sol
73 | │ └── ISwapRouter.sol
74 | └── utils
75 | ├── Errors.sol
76 | ├── Ownable.sol
77 | └── Structs.sol
78 |
79 | ```
80 |
81 | ## Compatibilities
82 |
83 | Please outline specific compatibilities of the protocol ie. blockchains (All EVM Compatible, specific chains). Please also include specific tokens, referencing standard contracts/interfaces when necessary, that are expected to function with the protocol. Include all whitelisted, or blacklisted tokens which are or are not supported. If the protocol is expected to function with **any** chain compatible tokens, please specify this.
84 |
85 | Example:
86 |
87 | ```
88 | Compatibilities:
89 | Blockchains:
90 | - Ethereum/Any EVM
91 | Tokens:
92 | - ETH
93 | - WETH
94 | - Matic
95 | - [ERC720](www.tokenstandard.com)
96 | - [ERC721](www.tokenstandard.com)
97 | ```
98 |
99 | ## Setup
100 |
101 | Please outline specific steps/processes to be followed in order for an auditor to run the project off a local clone of the contest repo. Please again be detailed and thorough, including specific markdowned CLI commands and necessary .env adjustments.
102 |
103 | Please also include steps needed to run appropriate tests included in scope.
104 |
105 | Example:
106 |
107 | Build:
108 | ```bash
109 | forge init
110 |
111 | forge install OpenZeppelin/openzeppelin-contracts
112 |
113 | forge install vectorized/solady
114 |
115 | forge build
116 | ```
117 |
118 | Tests:
119 | ```bash
120 | Forge test
121 | ```
122 |
123 | ## Known Issues
124 |
125 | Please clearly detail **all** currently recognized issues or vulnerabilities within the scope submitted. Please be thorough and precise, following the end of the 48-hour Kick-Off period, these Known Issues will be immutable for the duration of the contest.
126 |
127 | Example:
128 |
129 | `Known Issues:
130 | - Addresses other than the zero address (for example 0xdead) could prevent disputes from being resolved -
131 | Before the buyer deploys a new Escrow, the buyer and seller should agree to the terms for the Escrow. If the
132 | buyer accidentally or maliciously deploys an Escrow with incorrect arbiter details, then the seller could refuse
133 | to provide their services. Given that the buyer is the actor deploying the new Escrow and locking the funds, it's
134 | in their best interest to deploy this correctly.
135 |
136 | - Large arbiter fee results in little/no seller payment - In this scenario, the seller can decide to not perform
137 | the audit. If this is the case, the only way the buyer can receive any of their funds back is by initiating the dispute
138 | process, in which the buyer loses a large portion of their deposited funds to the arbiter. Therefore, the buyer is
139 | disincentivized to deploy a new Escrow in such a way.
140 |
141 | - Tokens with callbacks allow malicious sellers to DOS dispute resolutions - Each supported token will be vetted
142 | to be supported. ERC777 should be discouraged.
143 |
144 | - Buyer never calls confirmReceipt - The terms of the Escrow are agreed upon by the buyer and seller before deploying
145 | it. The onus is on the seller to perform due diligence on the buyer and their off-chain identity/reputation before deciding
146 | to supply the buyer with their services.
147 |
148 | - Salt input when creating an Escrow can be front-run
149 |
150 | - arbiter is a trusted role
151 |
152 | - User error such as buyer calling confirmReceipt too soon
153 |
154 | - Non-tokenAddress funds locked`
155 |
--------------------------------------------------------------------------------
/.gitbook/assets/README TEMPLATE (2).md:
--------------------------------------------------------------------------------
1 | # Protocol Name
2 |
3 |
8 |
9 |
10 | # Contest Details
11 |
12 | ### Prize Pool
13 |
14 | - Total Pool -
15 | - H/M -
16 | - Low -
17 | - Community Judging Pool -
18 |
19 | - Starts: TBD
20 | - Ends: TBD
21 |
22 | ### Stats
23 |
24 | - nSLOC:
25 | - Complexity Score:
26 |
27 | ## About the Project
28 |
29 | This section should give auditors a feeling for what the protocol does, it's primary functions and the goals it hopes to achieve. Can include links to project websites or docs
30 |
31 | Example:
32 |
33 | ```
34 | About
35 |
36 | This project is meant to enable smart contract auditors (sellers) and smart contract protocols
37 | looking for audits (buyers) to connect using a credibly neutral option, with optional arbitration.
38 |
39 | [Documentation](www.docs.com)
40 | [Website](www.protocolwebsite.com)
41 | [Twitter](www.twitter.com/handle)
42 | [GitHub](www.GitHub.com/account)
43 | ```
44 |
45 | ## Actors
46 |
47 | Detail which roles are included within your protocol, for example 'owner', 'borrower', 'organizer' etc. Draw clear links and outline the powers each actor should have and expected limitations to those powers. Please clearly detail your expected centralization risks.
48 |
49 | Example:
50 |
51 | ```
52 | Actors:
53 | Buyer: The purchaser of services, in this scenario, a project purchasing an audit.
54 | Seller: The seller of services, in this scenario, an auditor willing to audit a project.
55 | Arbiter: An impartial, trusted actor who can resolve disputes between the Buyer and Seller.
56 | The Arbiter is only compensated the arbiterFee amount if a dispute occurs.
57 | ```
58 |
59 | ## Scope (contracts)
60 |
61 | This section should give auditors a clear understanding of what files and directories are included within the scope of the contest. You can itemize every applicable file, or list particular folders or directories, but please be specific and thorough. This will server as an auditors ultimate reference point for what to focus on.
62 |
63 | Example:
64 | ```
65 | All Contracts in `src` are in scope.
66 | ```
67 | ```js
68 | src/
69 | ├── Beedle.sol
70 | ├── Fees.sol
71 | ├── Lender.sol
72 | ├── Staking.sol
73 | ├── interfaces
74 | │ ├── IERC20.sol
75 | │ └── ISwapRouter.sol
76 | └── utils
77 | ├── Errors.sol
78 | ├── Ownable.sol
79 | └── Structs.sol
80 |
81 | ```
82 |
83 | ## Compatibilities
84 |
85 | Please outline specific compatibilities of the protocol ie. blockchains (All EVM Compatible, specific chains). Please also include specific tokens, referencing standard contracts/interfaces when necessary, that are expected to function with the protocol. Include all whitelisted, or blacklisted tokens which are or are not supported. If the protocol is expected to function with **any** chain compatible tokens, please specify this.
86 |
87 | Example:
88 |
89 | ```
90 | Compatibilities:
91 | Blockchains:
92 | - Ethereum/Any EVM
93 | Tokens:
94 | - ETH
95 | - WETH
96 | - Matic
97 | - [ERC720](www.tokenstandard.com)
98 | - [ERC721](www.tokenstandard.com)
99 | ```
100 |
101 | Address that will be deploying the contract:
102 | (if unknown, just tell us if it will be an externally owned account, multi-sig wallet, account abstraction based wallet, or other setup)
103 |
104 | ## Setup
105 |
106 | Please outline specific steps/processes to be followed in order for an auditor to run the project off a local clone of the contest repo. Please again be detailed and thorough, including specific markdowned CLI commands and necessary .env adjustments.
107 |
108 | Please also include steps needed to run appropriate tests included in scope.
109 |
110 | Example:
111 |
112 | Build:
113 | ```bash
114 | forge init
115 |
116 | forge install OpenZeppelin/openzeppelin-contracts
117 |
118 | forge install vectorized/solady
119 |
120 | forge build
121 | ```
122 |
123 | Tests:
124 | ```bash
125 | Forge test
126 | ```
127 |
128 | ## Known Issues
129 |
130 | Please clearly detail **all** currently recognized issues or vulnerabilities within the scope submitted. Please be thorough and precise, following the end of the 48-hour Kick-Off period, these Known Issues will be immutable for the duration of the contest.
131 |
132 | Example:
133 |
134 | `Known Issues:
135 | - Addresses other than the zero address (for example 0xdead) could prevent disputes from being resolved -
136 | Before the buyer deploys a new Escrow, the buyer and seller should agree to the terms for the Escrow. If the
137 | buyer accidentally or maliciously deploys an Escrow with incorrect arbiter details, then the seller could refuse
138 | to provide their services. Given that the buyer is the actor deploying the new Escrow and locking the funds, it's
139 | in their best interest to deploy this correctly.
140 |
141 | - Large arbiter fee results in little/no seller payment - In this scenario, the seller can decide to not perform
142 | the audit. If this is the case, the only way the buyer can receive any of their funds back is by initiating the dispute
143 | process, in which the buyer loses a large portion of their deposited funds to the arbiter. Therefore, the buyer is
144 | disincentivized to deploy a new Escrow in such a way.
145 |
146 | - Tokens with callbacks allow malicious sellers to DOS dispute resolutions - Each supported token will be vetted
147 | to be supported. ERC777 should be discouraged.
148 |
149 | - Buyer never calls confirmReceipt - The terms of the Escrow are agreed upon by the buyer and seller before deploying
150 | it. The onus is on the seller to perform due diligence on the buyer and their off-chain identity/reputation before deciding
151 | to supply the buyer with their services.
152 |
153 | - Salt input when creating an Escrow can be front-run
154 |
155 | - arbiter is a trusted role
156 |
157 | - User error such as buyer calling confirmReceipt too soon
158 |
159 | - Non-tokenAddress funds locked`
160 |
--------------------------------------------------------------------------------
/.gitbook/assets/README TEMPLATE.md:
--------------------------------------------------------------------------------
1 | # Protocol Name
2 |
3 |
8 |
9 |
10 | # Contest Details
11 |
12 | ### Prize Pool
13 |
14 | - High - 100xp
15 | - Medium - 20xp
16 | - Low - 2xp
17 |
18 | - Starts: TBD
19 | - Ends: TBD
20 |
21 | ### Stats
22 |
23 | - nSLOC:
24 | - Complexity Score:
25 |
26 | ## About the Project
27 |
28 | This section should give auditors a feeling for what the protocol does, it's primary functions and the goals it hopes to achieve. Can include links to project websites or docs
29 |
30 | Example:
31 |
32 | ```
33 | About
34 |
35 | This project is meant to enable smart contract auditors (sellers) and smart contract protocols
36 | looking for audits (buyers) to connect using a credibly neutral option, with optional arbitration.
37 |
38 | [Documentation](www.docs.com)
39 | [Website](www.protocolwebsite.com)
40 | [Twitter](www.twitter.com/handle)
41 | [GitHub](www.GitHub.com/account)
42 | ```
43 |
44 | ## Actors
45 |
46 | Detail which roles are included within your protocol, for example 'owner', 'borrower', 'organizer' etc. Draw clear links and outline the powers each actor should have and expected limitations to those powers. Please clearly detail your expected centralization risks.
47 |
48 | Example:
49 |
50 | ```
51 | Actors:
52 | Buyer: The purchaser of services, in this scenario, a project purchasing an audit.
53 | Seller: The seller of services, in this scenario, an auditor willing to audit a project.
54 | Arbiter: An impartial, trusted actor who can resolve disputes between the Buyer and Seller.
55 | The Arbiter is only compensated the arbiterFee amount if a dispute occurs.
56 | ```
57 |
58 | ## Scope (contracts)
59 |
60 | This section should give auditors a clear understanding of what files and directories are included within the scope of the contest. You can itemize every applicable file, or list particular folders or directories, but please be specific and thorough. This will server as an auditors ultimate reference point for what to focus on.
61 |
62 | Example:
63 | ```
64 | All Contracts in `src` are in scope.
65 | ```
66 | ```js
67 | src/
68 | ├── Beedle.sol
69 | ├── Fees.sol
70 | ├── Lender.sol
71 | ├── Staking.sol
72 | ├── interfaces
73 | │ ├── IERC20.sol
74 | │ └── ISwapRouter.sol
75 | └── utils
76 | ├── Errors.sol
77 | ├── Ownable.sol
78 | └── Structs.sol
79 |
80 | ```
81 |
82 | ## Compatibilities
83 |
84 | Please outline specific compatibilities of the protocol ie. blockchains (All EVM Compatible, specific chains). Please also include specific tokens, referencing standard contracts/interfaces when necessary, that are expected to function with the protocol. Include all whitelisted, or blacklisted tokens which are or are not supported. If the protocol is expected to function with **any** chain compatible tokens, please specify this.
85 |
86 | Example:
87 |
88 | ```
89 | Compatibilities:
90 | Blockchains:
91 | - Ethereum/Any EVM
92 | Tokens:
93 | - ETH
94 | - WETH
95 | - Matic
96 | - [ERC720](www.tokenstandard.com)
97 | - [ERC721](www.tokenstandard.com)
98 | ```
99 |
100 | ## Setup
101 |
102 | Please outline specific steps/processes to be followed in order for an auditor to run the project off a local clone of the contest repo. Please again be detailed and thorough, including specific markdowned CLI commands and necessary .env adjustments.
103 |
104 | Please also include steps needed to run appropriate tests included in scope.
105 |
106 | Example:
107 |
108 | Build:
109 | ```bash
110 | forge init
111 |
112 | forge install OpenZeppelin/openzeppelin-contracts
113 |
114 | forge install vectorized/solady
115 |
116 | forge build
117 | ```
118 |
119 | Tests:
120 | ```bash
121 | Forge test
122 | ```
123 |
124 | ## Known Issues
125 |
126 | Please clearly detail **all** currently recognized issues or vulnerabilities within the scope submitted. Please be thorough and precise, following the end of the 48-hour Kick-Off period, these Known Issues will be immutable for the duration of the contest.
127 |
128 | Example:
129 |
130 | `Known Issues:
131 | - Addresses other than the zero address (for example 0xdead) could prevent disputes from being resolved -
132 | Before the buyer deploys a new Escrow, the buyer and seller should agree to the terms for the Escrow. If the
133 | buyer accidentally or maliciously deploys an Escrow with incorrect arbiter details, then the seller could refuse
134 | to provide their services. Given that the buyer is the actor deploying the new Escrow and locking the funds, it's
135 | in their best interest to deploy this correctly.
136 |
137 | - Large arbiter fee results in little/no seller payment - In this scenario, the seller can decide to not perform
138 | the audit. If this is the case, the only way the buyer can receive any of their funds back is by initiating the dispute
139 | process, in which the buyer loses a large portion of their deposited funds to the arbiter. Therefore, the buyer is
140 | disincentivized to deploy a new Escrow in such a way.
141 |
142 | - Tokens with callbacks allow malicious sellers to DOS dispute resolutions - Each supported token will be vetted
143 | to be supported. ERC777 should be discouraged.
144 |
145 | - Buyer never calls confirmReceipt - The terms of the Escrow are agreed upon by the buyer and seller before deploying
146 | it. The onus is on the seller to perform due diligence on the buyer and their off-chain identity/reputation before deciding
147 | to supply the buyer with their services.
148 |
149 | - Salt input when creating an Escrow can be front-run
150 |
151 | - arbiter is a trusted role
152 |
153 | - User error such as buyer calling confirmReceipt too soon
154 |
155 | - Non-tokenAddress funds locked`
156 |
--------------------------------------------------------------------------------
/.gitbook/assets/Screenshot 2023-08-30 at 11.33.30.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/Screenshot 2023-08-30 at 11.33.30.png
--------------------------------------------------------------------------------
/.gitbook/assets/Screenshot 2023-08-30 at 11.34.19 (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/Screenshot 2023-08-30 at 11.34.19 (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/Screenshot 2023-08-30 at 11.34.19.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/Screenshot 2023-08-30 at 11.34.19.png
--------------------------------------------------------------------------------
/.gitbook/assets/Untitled-2024-01-31-1203.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/Untitled-2024-01-31-1203.png
--------------------------------------------------------------------------------
/.gitbook/assets/image (1) (1) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (1) (1) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (1) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (1) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (10).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (10).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (11).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (11).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (12).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (12).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (13).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (13).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (14).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (14).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (15).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (15).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (2) (1) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (2) (1) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (2) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (2) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (2).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (2).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (3) (1) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (3) (1) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (3) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (3) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (3).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (3).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (4) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (4) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (4).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (4).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (5) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (5) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (5).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (5).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (6) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (6) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (6).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (6).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (7) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (7) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (7).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (7).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (8) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (8) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (8).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (8).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (9) (1).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (9) (1).png
--------------------------------------------------------------------------------
/.gitbook/assets/image (9).png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image (9).png
--------------------------------------------------------------------------------
/.gitbook/assets/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Cyfrin/codehawks-docs/25f69cb845c4890e65fe6efd7f62e66d0e249d69/.gitbook/assets/image.png
--------------------------------------------------------------------------------
/.gitbook/assets/readme(1).md:
--------------------------------------------------------------------------------
1 | # Protocol Name
2 |
3 |
8 |
9 |
10 | ## Contest Details **THESE WILL BE PREPENDED TO THE SUBMITTED README BY THE CYFRIN TEAM**
11 |
12 | - Total Prize Pool:
13 | - HM Awards:
14 | - Low Awards:
15 | - GAS, Informational, or QAs Awards:
16 | - Starts
17 | - Ends
18 |
19 | ## Stats **THESE WILL BE PREPENDED TO THE SUBMITTED README BY THE CYFRIN TEAM**
20 | - nSLOC:
21 | - Complexity Score:
22 | - Dollars per Complexity:
23 | - Dollars per nSLOC:
24 |
25 | ## About the Project
26 |
27 | This section should give auditors a feeling for what the protocol does, it's primary functions and the goals it hopes to achieve. Can include links to project websites or docs
28 |
29 | Example:
30 |
31 | ```
32 | About
33 |
34 | This project is meant to enable smart contract auditors (sellers) and smart contract protocols
35 | looking for audits (buyers) to connect using a credibly neutral option, with optional arbitration.
36 |
37 | [Documentation](www.docs.com)
38 | [Website](www.protocolwebsite.com)
39 | [Twitter](www.twitter.com/handle)
40 | [GitHub](www.GitHub.com/account)
41 | ```
42 |
43 | ## Actors
44 |
45 | Detail which roles are included within your protocol, for example 'owner', 'borrower', 'organizer' etc. Draw clear links and outline the powers each actor should have and expected limitations to those powers. Please clearly detail your expected centralization risks.
46 |
47 | Example:
48 |
49 | ```
50 | Actors:
51 | Buyer: The purchaser of services, in this scenario, a project purchasing an audit.
52 | Seller: The seller of services, in this scenario, an auditor willing to audit a project.
53 | Arbiter: An impartial, trusted actor who can resolve disputes between the Buyer and Seller.
54 | The Arbiter is only compensated the arbiterFee amount if a dispute occurs.
55 | ```
56 |
57 | ## Scope (contracts)
58 |
59 | This section should give auditors a clear understanding of what files and directories are included within the scope of the contest. You can itemize every applicable file, or list particular folders or directories, but please be specific and thorough. This will server as an auditors ultimate reference point for what to focus on. Please include a commit hash
60 |
61 | Example:
62 | ```
63 | All Contracts in `src` are in scope.
64 | ```
65 | ```js
66 | src/
67 | ├── Beedle.sol
68 | ├── Fees.sol
69 | ├── Lender.sol
70 | ├── Staking.sol
71 | ├── interfaces
72 | │ ├── IERC20.sol
73 | │ └── ISwapRouter.sol
74 | └── utils
75 | ├── Errors.sol
76 | ├── Ownable.sol
77 | └── Structs.sol
78 |
79 | ```
80 |
81 | ## Compatibilities
82 |
83 | Please outline specific compatibilities of the protocol ie. blockchains (All EVM Compatible, specific chains). Please also include specific tokens, referencing standard contracts/interfaces when necessary, that are expected to function with the protocol. Include all whitelisted, or blacklisted tokens which are or are not supported. If the protocol is expected to function with **any** chain compatible tokens, please specify this.
84 |
85 | Example:
86 |
87 | ```
88 | Compatibilities:
89 | Blockchains:
90 | - Ethereum/Any EVM
91 | Tokens:
92 | - ETH
93 | - WETH
94 | - Matic
95 | - [ERC720](www.tokenstandard.com)
96 | - [ERC721](www.tokenstandard.com)
97 | ```
98 |
99 | ## Setup
100 |
101 | Please outline specific steps/processes to be followed in order for an auditor to run the project off a local clone of the contest repo. Please again be detailed and thorough, including specific markdowned CLI commands and necessary .env adjustments.
102 |
103 | Please also include steps needed to run appropriate tests included in scope.
104 |
105 | Example:
106 |
107 | Build:
108 | ```bash
109 | forge init
110 |
111 | forge install OpenZeppelin/openzeppelin-contracts
112 |
113 | forge install vectorized/solady
114 |
115 | forge build
116 | ```
117 |
118 | Tests:
119 | ```bash
120 | Forge test
121 | ```
122 |
123 | ## Known Issues
124 |
125 | Please clearly detail **all** currently recognized issues or vulnerabilities within the scope submitted. Please be thorough and precise, following the end of the 48-hour Kick-Off period, these Known Issues will be immutable for the duration of the contest.
126 |
127 | Example:
128 |
129 | `Known Issues:
130 | - Addresses other than the zero address (for example 0xdead) could prevent disputes from being resolved -
131 | Before the buyer deploys a new Escrow, the buyer and seller should agree to the terms for the Escrow. If the
132 | buyer accidentally or maliciously deploys an Escrow with incorrect arbiter details, then the seller could refuse
133 | to provide their services. Given that the buyer is the actor deploying the new Escrow and locking the funds, it's
134 | in their best interest to deploy this correctly.
135 |
136 | - Large arbiter fee results in little/no seller payment - In this scenario, the seller can decide to not perform
137 | the audit. If this is the case, the only way the buyer can receive any of their funds back is by initiating the dispute
138 | process, in which the buyer loses a large portion of their deposited funds to the arbiter. Therefore, the buyer is
139 | disincentivized to deploy a new Escrow in such a way.
140 |
141 | - Tokens with callbacks allow malicious sellers to DOS dispute resolutions - Each supported token will be vetted
142 | to be supported. ERC777 should be discouraged.
143 |
144 | - Buyer never calls confirmReceipt - The terms of the Escrow are agreed upon by the buyer and seller before deploying
145 | it. The onus is on the seller to perform due diligence on the buyer and their off-chain identity/reputation before deciding
146 | to supply the buyer with their services.
147 |
148 | - Salt input when creating an Escrow can be front-run
149 |
150 | - arbiter is a trusted role
151 |
152 | - User error such as buyer calling confirmReceipt too soon
153 |
154 | - Non-tokenAddress funds locked`
155 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .svelte-kit
2 | .sveltepress
3 | node_modules
4 | .env
5 | .vercel
6 | dist
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # 👋 Intro to Cyfrin Codehawks
2 |
3 | CodeHawks is a **leading competitive smart contract audit marketplace powered by** [**Cyfrin**](https://cyfrin.io). CodeHawks works to **protect DeFi, Protocols, their users, and funds** from smart contract exploits through private and public smart contract security auditing competitions, joined by industry-leading auditors world-wide.
4 |
5 | ### The Problem CodeHawks Solves
6 |
7 | Digital value exchange enabled by decentralized finance and smart contracts requires outstanding security and best practices to reach mainstream adoption.
8 |
9 | _Over $250B is locked in the DeFi ecosystem, and in the past six months alone, over $1B has been lost in more than 100 DeFi exploits._ \
10 | \
11 | Last year, 6% of the Total Value Locked (TVL) in DeFi was stolen, resulting in the loss of hundreds of millions of dollars in users and protocols funds and, inherently, faith in the entire ecosystem.
12 |
13 | Furthermore, finding, hiring, and working with expert and reliable auditors has been extremely rudimental until now. Protocols were forced to perform word-of-mouth research, with little to no possibility of ensuring the quality of their audits.
14 |
15 | **CodeHawks solves this** by bridging together top-notch Blockchain security experts and Protocols in an eco-system built to create security in web3.
16 |
17 | ### Why CodeHawks?
18 |
19 | [CodeHawks](https://codehawks.com), powered by [Cyfrin](https://cyfrin.io), brings together top-notch global auditors and a community of thousands of security researchers to ensure the highest security standards when securing your codebases.
20 |
21 | | Feature/Attribute | CodeHawks | Competitors |
22 | | --------------------------- | ---------------------------- | ------------------------------------ |
23 | | **Pricing** | Low platform fees | Higher platform fees |
24 | | **Process Transparency** | Full Transparency Throughout | Sometimes Opaque |
25 | | **Types of Audits Offered** | Competitive & Private | Typically One Type |
26 | | **Referral Program** | Generous 15% Referral Fee | Usually Lower or No Referral Program |
27 | | **Audit Speed** | Quick Turnaround | Often Slower |
28 | | **Post-Audit Support** | Long-term Code Safeguarding | Typically Limited to Initial Audit |
29 | | **Additional Services** | Education, long term support | Often Limited to Auditing |
30 | | **Customer Support** | 24/7 Dedicated Support | Limited Support Hours |
31 |
32 | ### How CodeHawks works
33 |
34 | There are three core components in every CodeHawks smart contract auditing competition:
35 |
36 | 1. **Sponsors (protocols)**: Organizations or entities that implement smart contracts.
37 | 2. **Judges**: World-leading experts who oversee the audit process and ensure its integrity.
38 | 3. **Hawks (auditors)**: Professionals who conduct the actual audit of the smart contracts
39 |
40 | ### For Sponsors
41 |
42 | Protocols approach Cyfrin CodeHawks with their audit requirements. They have the flexibility to choose between:
43 |
44 | * **Public Competitive Audits**: A dynamic audit process where multiple auditors compete to identify vulnerabilities.
45 | * **Private Competitive Audits**: A more traditional approach where a selected auditor or team reviews the smart contract.
46 |
47 | Learn more about all the [Cyfrin security solutions](https://cyfrin.io/pricing) and its ecosystem.
48 |
49 | ### For Hawks (Auditors)
50 |
51 | The Hawks, our Auditors, lie at the heart of the CodeHawks ecosystem.
52 |
53 | They:
54 |
55 | * Engage in competitive audits, showcasing their expertise.
56 | * Get [paid for their findings](hawks-auditors/payouts.md).
57 | * Build a network to find private auditing opportunities.
58 | * Are sometimes eligible to become [community judges](broken-reference).
59 |
60 | If you're interested in becoming a Hawk on CodeHawks, start by visiting our [Quickstart guide](hawks-auditors/quick-start.md)
61 |
62 | ### For Judges
63 |
64 | Judges are the team, community, and protocol members dedicated to reviewing Hawks submissions, deduplicating, validating, testing, and ensuring the highest quality standards when selecting them.
65 |
66 | They are responsible for ensuring our top-notch security reports by revising, testing, and verifying thousands of security researchers' submissions every year.
67 |
68 | To learn more about our [judging process](judging/the-judging-process.md) or [evaluation criteria](judging/disqualification-criteria.md) - visit the dedicated sections.
69 |
70 |
71 |
72 |
--------------------------------------------------------------------------------
/SUMMARY.md:
--------------------------------------------------------------------------------
1 | # Table of contents
2 |
3 | * [👋 Intro to Cyfrin Codehawks](README.md)
4 | * [✏️ Glossary](glossary.md)
5 | * [⁉️ FAQs](faqs.md)
6 |
7 | ## 🛡️ Hawks (auditors)
8 |
9 | * [What is a Competitive Audit?](hawks-auditors/what-is-an-auditing-competition.md)
10 | * [Quick Start](hawks-auditors/quick-start.md)
11 | * [The Kick-Off Period](hawks-auditors/the-kick-off-period.md)
12 | * [How to Present Your Findings](hawks-auditors/how-to-write-and-submit-a-finding.md)
13 | * [How to Evaluate a Finding Severity](hawks-auditors/how-to-evaluate-a-finding-severity.md)
14 | * [How to Determine a Finding Validity](hawks-auditors/how-to-determine-a-finding-validity.md)
15 | * [How to Write a PoC](hawks-auditors/how-to-create-and-submit-a-poc.md)
16 | * [Appeals](hawks-auditors/appeals.md)
17 | * [Payouts](hawks-auditors/payouts.md)
18 | * [How Does XP Work?](hawks-auditors/how-does-xp-work.md)
19 |
20 | ## 👩⚖️ Judging
21 |
22 | * [The Judging Process](judging/the-judging-process.md)
23 | * [How Community Judging Works](judging/how-community-judging-works.md)
24 | * [Community Judging Eligibility](judging/community-judging-eligibility.md)
25 | * [Disqualification Criteria](judging/disqualification-criteria.md)
26 | * [Payouts and Rewards](judging/payouts-and-rewards.md)
27 |
28 | ## 👩💻 Protocol teams (sponsors)
29 |
30 | * [The Auditing process](protocol-teams-sponsors/the-auditing-process.md)
31 | * [Case Studies](https://cyfrin.io/case-studies)
32 | * [Request an Audit](https://cyfrin.io/get-an-audit)
33 |
34 | ***
35 |
36 | * [🦅 First Flights](first-flights.md)
37 | * [🫂 Create and Submit a First Flight](create-and-submit-a-first-flight.md)
38 | * [🛠️ Tools](tools.md)
39 | * [Learn blockchain security](https://updraft.cyfrin.io)
40 | * [Twitter](https://twitter.com/CodeHawks)
41 | * [LinkedIn](https://www.linkedin.com/company/101332422)
42 | * [GitHub](https://github.com/cyfrin)
43 | * [Support](https://discord.gg/UFXqFACHWA)
44 |
--------------------------------------------------------------------------------
/create-and-submit-a-first-flight.md:
--------------------------------------------------------------------------------
1 | # 🫂 Create and Submit a First Flight
2 |
3 | Community First Flights are Cyfrin's most recent expansion to our First Flight initiative. Community First Flights presents the perfect opportunity for those wanting to contribute a fun code base or strengthen the developer side of their skill set!
4 |
5 | ### Submission Criteria
6 |
7 | The rules are simple:
8 |
9 | 1. Create a fun project with a theme! (Holidays are popular)
10 | 2. Ensure the in-scope contracts are \~ 100-200 nSLOC
11 | 3. The project should have a maximum complexity of 200
12 |
13 | In addition to the above, First Flights are meant to contain bugs! Make sure your project intentionally includes:
14 |
15 | * One or two easy-to-find bugs
16 | * One medium-difficulty bug
17 | * One hard-to-find bug
18 | * One High/Critical
19 | * One Low
20 |
21 | Be sure to write up an answer key detailing the intentional bugs you've placed in your code!
22 |
23 | The final piece required is to ensure your project has an appropriate README. Please use the template provided below and tell us about your protocol!
24 |
25 | {% file src=".gitbook/assets/README TEMPLATE.md" %}
26 | Community First Flight README Template
27 | {% endfile %}
28 |
29 | ### How to submit a First Flight
30 |
31 | Once your repo is ready fill out this [form](https://app.deform.cc/form/4f8e7158-eb8a-457c-b15a-c3267514ec12) and, ping @**equious.eth** on [Discord](https://discord.gg/cyfrin). He will arrange the sharing of your code base privately. From here, your submission will be vetted, and you'll be provided any necessary feedback or adjustments that require implementation.
32 |
33 | ### When will my First Flight start?
34 |
35 | Submissions will be accepted on a first-come, first-served basis. A few things to note:
36 |
37 | * A submission must be fully vetted and accepted before being 'in line'.
38 | * First Flights are held twice/month.
39 | * In order to run the contest, we require at least three days' notice before the next expected First Flight.
40 | * Code bases ready with less notice than this will be scheduled for the next available First Flight.
41 |
42 | Cyfrin retains the right to shift to a **lottery selection process** should the pending submissions grow too large.
43 |
--------------------------------------------------------------------------------
/faqs.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Find answers to the most frequently asked questions on CodeHawks.
3 | ---
4 |
5 | # ⁉️ FAQs
6 |
7 | ### **⚙️ General**
8 |
9 | ***
10 |
11 |
12 |
13 | What is Cyfrin CodeHawks?
14 |
15 | Codehawks is a smart contract competitive audits platform helping protect some of the world’s largest protocols, thousands of users, and billions of TVL through crowdsourced security pre and post-deployment security solutions.
16 |
17 |
18 |
19 |
20 |
21 | What is a competitive audit?
22 |
23 | Protocols and organizations host competitions to find vulnerabilities in their smart contracts. Auditors uncover vulnerabilities and bugs in a project’s codebase to earn a reward.
24 |
25 | Competitions incentivize security auditors to conduct more comprehensive audits by offering rewards based on the severity of the bugs they discover.
26 |
27 |
28 |
29 |
30 |
31 | How can I host a competition on CodeHawks?
32 |
33 | Fill out [this form](https://cyfrin.io/get-an-audit) to contact us. One of our experts will contact you within 48 hours to walk you through every step of the process and find the right security solution for your protocol or organization's needs.
34 |
35 |
36 |
37 |
38 |
39 | How is a contest prize pool determined?
40 |
41 | The total prize pool of a contest is calculated based on the number of lines of code in the codebase's scope, without counting comments and empty lines.
42 |
43 |
44 |
45 |
46 |
47 | How do I get rewarded?
48 |
49 | Rewards are paid out in USDC through the ZKsync chain. Once a judge deems a submission valid, a reward will be assigned and credited to the zkSync wallet address indicated by the user on their profile once the competition ends.
50 |
51 | **Note**: crediting the reward won't be possible without a ZKsync wallet connected to the user profile.
52 |
53 |
54 |
55 |
56 |
57 | Where can I find invoice information for my winnings?
58 |
59 | **Address:**
60 |
61 | 9066 CASCADA WAY #102\
62 | NAPLES, FL. 34114\
63 | UNITED STATES\
64 | \
65 | **Tax ID:**\
66 | 92-1600150\
67 | \
68 | **Company Name:**\
69 | Cyfrin Inc.
70 |
71 |
72 |
73 |
74 |
75 | How do I KYC to receive a reward?
76 |
77 | Specific competitions will need auditors to KYC to receive their rewards. Once the contest ends, if you're not KYC'd yet, you'll receive an in-platform notification and an email with all the steps you'll need to take to complete the KYC process and unlock your rewards.
78 |
79 |
80 |
81 | ### 🤝 Competitive Audits
82 |
83 | ***
84 |
85 |
86 |
87 | What is a first flight?
88 |
89 | CodeHawks First Flights is a Cyfrin flagship initiative. Smart contract auditing contests written to simulate real-world protocols, designed to introduce the next generation of developers to security audits.
90 |
91 |
92 |
93 |
94 |
95 | Do we have to wait until the start date to see the code?
96 |
97 | Yes, codebases are made public only once the contest has started. You can find the starting date and time for every contest in the related contest page on [codehawks.com](https://codehawks.com)
98 |
99 | #### How is nSLOC calculated?
100 |
101 | nSLOC stands for 'Normalized Source Code', which is a custom measurement used (among others) when evaluating the complexity of a codebase.
102 |
103 | To get the NSLOC count of a file:
104 |
105 | 1. For all functions, reduce any multiline function declarations to a single line.
106 | 2. Remove all comments
107 | 3. Remove all empty lines
108 | 4. Count the remaining lines
109 |
110 |
111 |
112 | ### 📃 **Submissions**
113 |
114 | ***
115 |
116 |
117 |
118 | Is "X" a valid submission?
119 |
120 | To determine if "X" is a valid submission, it must be evaluated against the criteria provided by CodeHawks. A valid submission typically represents a vulnerability in the codebase. The submission should fall into one of the categories: High, Medium, Low, Gas, or Informational. However, it's essential to note that if more than 85% of your findings are invalid, you will be disqualified from the competition. For instance, if you submit one valid finding and six invalid ones, only 14.3% of your submissions are valid, leading to disqualification.
121 |
122 | Additionally, any findings associated with the "[4naly3er](https://github.com/Picodes/4naly3er)" tool, run at the start of each competition, are ineligible for rewards. The submission format should also align with the latest format provided on the website.
123 |
124 | The guidelines used to evaluate the findings' validity can be found in the [how-to-determine-a-finding-validity.md](hawks-auditors/how-to-determine-a-finding-validity.md "mention")documentation.
125 |
126 |
127 |
128 |
129 |
130 | I’m unsure of the severity of my submission, what should I do?
131 |
132 | If you're unsure of the severity of your submission, consider the following steps based on the information provided by CodeHawks:
133 |
134 | 1. **Review the Categories:** Revisit the definitions of the severity categories provided by CodeHawks:
135 | * **High:** Funds are directly or nearly directly at risk.
136 | * **Medium:** Funds are indirectly at risk, or protocol functionality or availability is disrupted.
137 | * **Low, Gas, Informational:**
138 | * **Low:** Funds are not at risk, but a function might be incorrect, or the state might not be handled appropriately.
139 | * **Gas:** Refers to gas optimizations.
140 | * **Informational:** Pertains to code style, maturity, code smells, comment correctness, etc.
141 | 2. **Judge's Discretion:** Remember that determining the severity involves some subjectivity. The final categorization is up to the judges' discretion. If the protocol you're auditing has specific criteria that should be followed.
142 | 3. **Seek Feedback:** Before finalizing your submission, consider discussing it with peers or mentors on our [Discord](https://discord.gg/cyfrin) server who have experience in the field. They might provide insights that can help you gauge the severity of your findings.
143 | 4. **Provide Detailed Information:** When submitting, provide comprehensive details about the vulnerability. This includes a summary, vulnerability details, potential impact, tools used, and recommended mitigation. The more information you provide, the easier for the judges to assess the severity accurately.
144 | 5. **Stay Updated:** As CodeHawks evolves, the basis for findings and their categorizations might change. Always refer to the latest guidelines on the CodeHawks website to ensure you're up-to-date with their criteria.
145 |
146 | Lastly, even if you're unsure, submitting your findings is better. The judges will review it and assign the appropriate severity based on their assessment.
147 |
148 | For more information consult [how-to-evaluate-a-finding-severity.md](hawks-auditors/how-to-evaluate-a-finding-severity.md "mention").
149 |
150 | #### **What happens if I choose the wrong severity?**
151 |
152 | The severity of findings has an element of subjectivity. The judges will review your submission and may re-categorize it based on their assessment.
153 |
154 | There isn't a direct penalty mentioned for misclassifying the severity. However, consistently misclassifying or misrepresenting findings could impact your credibility in the competition.
155 |
156 | For more information consult [how-to-evaluate-a-finding-severity.md](hawks-auditors/how-to-evaluate-a-finding-severity.md "mention").
157 |
158 |
159 |
160 |
161 |
162 | What happens if one of my submissions is invalid?
163 |
164 | If "Y" is an invalid finding and you have many invalid findings, it can count against you. Specifically, if more than 85% of your findings are invalid, you will be disqualified from the competition. This system is designed to allow some leeway for invalid submissions but aims to prevent participants from spamming the system with numerous invalid findings.
165 |
166 | Refer to the [how-to-determine-a-finding-validity.md](hawks-auditors/how-to-determine-a-finding-validity.md "mention") to make sure your findings respect our validity guidelines.
167 |
168 |
169 |
170 | ### **👩⚖️ Judging**
171 |
172 | ***
173 |
174 |
175 |
176 | Who are the CodeHawks judges?
177 |
178 | Judging is conducted by a dedicated panel of members from the Cyfrin team and engineers from the sponsoring protocol. This approach ensures impartiality and minimizes potential bias and conflicts of interest.
179 |
180 |
181 |
182 |
183 |
184 | What is community judging?
185 |
186 | Community judging allows eligible CodeHawks auditors to earn rewards for judging other users' submissions. This drastically speeds up triage and turnaround times while giving auditors another chance to climb the leaderboard and showcase their skills.
187 |
188 |
189 |
190 |
191 |
192 | How long does judging take?
193 |
194 | The duration for judging varies based on the size of the codebase and the number of submissions received. Specific timelines for each contest will be announced on our [**Twitter page**](https://twitter.com/CodeHawks) and within the appropriate contest channel on our [Discord](https://discord.gg/cyfrin).
195 |
196 |
197 |
198 |
199 |
200 | Can I help Judge?
201 |
202 | Currently, we do not have a community judges initiative in place. However, it's on our roadmap for future implementation. Our primary concern is to ensure that any system we introduce maintains the highest standards of impartiality and transparency. We've observed conflicts of interest arising on other competitive platforms when community members were involved in judging.
203 |
204 | We aim to create a judging process everyone can trust and feel comfortable with.
205 |
206 |
207 |
208 |
209 |
210 | I don’t agree with the judgment, what can I do?
211 |
212 | The judging period of every contest is immediately followed by a 48-hour Appeals Period. This period allows auditors an opportunity to raise objections and voice concerns they have with the preliminary judgments. The Appeals Period will be clearly announced via [Twitter](https://twitter.com/CodeHawks) and [Discord](https://discord.gg/cyfrin)
213 |
214 | See the [Appeals](hawks-auditors/appeals.md) page for more information.
215 |
216 |
217 |
218 |
219 |
220 | What is a finding?
221 |
222 | A finding represents a vulnerability in the codebase. Findings are categorized into different levels of severity:
223 |
224 | 1. **High:** This category indicates that funds are directly or nearly at risk.
225 | 2. **Medium:** In this category, funds are indirectly at risk, or protocol functionality or availability is disrupted.
226 | 3. **Low, Gas, Informational:**
227 | * **Low:** Funds are not at risk, but a function might be incorrect, state might not be handled appropriately, etc.
228 | * **Gas:** Refers to gas optimizations.
229 | * **Informational:** Pertains to code style, maturity, code smells, comment correctness, and similar aspects.
230 |
231 | It's important to note that these categories involve some subjectivity, and the judges determine a finding's category. If a protocol has specific criteria, then that should be followed.
232 |
233 | Additionally, at the beginning of each competition, the "[4naly3er](https://github.com/Picodes/4naly3er)" tool will be run, and any findings associated with this tool are ineligible for rewards. The basis for findings may evolve as CodeHawks progresses.
234 |
235 | For more information on findings and how to evaluate their severity, consult the [how-to-evaluate-a-finding-severity.md](hawks-auditors/how-to-evaluate-a-finding-severity.md "mention")guide.
236 |
237 |
238 |
239 |
--------------------------------------------------------------------------------
/first-flights.md:
--------------------------------------------------------------------------------
1 | # 🦅 First Flights
2 |
3 | CodeHawks First Flights is a Cyfrin flagship initiative to introduce the next generation of web3 developers to smart contract security audits.
4 |
5 | It goes beyond the traditional learning process by offering a format for emerging auditors to gain hands-on experience with real-world web3 security audits and **receive feedback and advice on their submitted findings.**
6 |
7 | We have created [CodeHawks First Flights](https://www.codehawks.com/first-flights) to upskill those learning smart contract auditing a ground to learn, network, get feedback, and test their newly-acquired skills in the open.
8 |
9 | {% hint style="success" %}
10 | **Want to learn smart contract development and security?**
11 |
12 | If you're just starting, join us at [Cyfrin Updraft](https://updraft.cyfrin.io), the ultimate smart contract learning platform, completely free.
13 | {% endhint %}
14 |
15 |
16 |
17 | ***
18 |
19 | ### What is a CodeHawks First Flight?
20 |
21 | First Flights are smart contract auditing challenges with smaller codebases and different reward mechanisms from our standard competitions. These make them the perfect testing and learning ground for any aspirant smart contract security auditor.
22 |
23 | The community even contributes some First Flight code bases! Visit [Community First Flights](create-and-submit-a-first-flight.md) to learn more about how you can contribute.
24 |
25 | A new First Flight is announced monthly and will be available on the [CodeHawks](https://codehawks.com) platform for participation.
26 |
27 | Unlike the CodeHawks smart contract auditing competitions, First Flights does not offer monetary prize pools but grants participants experience earned by submitting findings.
28 |
29 | ***
30 |
31 | ### How to join a CodeHawks First Flight
32 |
33 | Joining a CodeHawks First Flight is the same as joining a proper auditing competition:
34 |
35 | 1. If you haven't already, create a new account on [codehawks.com](https://codehawks.com)
36 | 2. Subscribe to the upcoming competition by clicking on the subscribe button on the competition box
37 | 3. When the First Flight starts, you'll be notified via email, on the platform, and our [Twitter](https://twitter.com/codehawks)
38 | 4. The contest's codebase will be made public, and you can start analysing, testing, and auditing the codebase in scope!
39 |
40 | ***
41 |
42 | ### How CodeHawks First Flights work
43 |
44 | **Subscribe to and join the competition kickoff**
45 |
46 | * A new First Flight takes off every week
47 | * First Flights will be announced and detailed like a standard audit competition on [codehawks.cyfrin.io](https://codehaw.cyfrin.io), [Twitter](https://twitter.com/codehawks), and [Discord](https://discord.gg/cyfrin) server.
48 | * Thoroughly read the guidelines on the contest page to understand the scope and the codebase.
49 | * The scope of the codebase will be made public upon contest launch.
50 | * Deep dive into the smart contracts to find bugs and potential exploits vectors.\
51 |
52 |
53 | **Identify vulnerabilities and submit findings like a real auditor**
54 |
55 | * Participants must review the smart contract codebase, looking for bugs and potential exploit vectors.
56 | * After identifying vulnerabilities, participants will have to [write a PoC](hawks-auditors/how-to-create-and-submit-a-poc.md) and [submit their findings](hawks-auditors/how-to-write-and-submit-a-finding.md).
57 | * A live submission portal offers the same authentic experience of our standard CodeHawks competitive audits submission process.\
58 |
59 |
60 | **Receive feedback and learn faster.**
61 |
62 | * A judge will thoroughly review and test every finding, [evaluate its validity](hawks-auditors/how-to-determine-a-finding-validity.md), and confirm or adjust the severity level.
63 | * After the [judging phase](judging/the-judging-process.md), participants can [appeal](hawks-auditors/appeals.md) the judge's decisions.
64 | * Receive direct feedback on your submissions and use this feedback to improve.\
65 |
66 |
67 | **Celebrate your achievements**
68 |
69 | * Upon finalization of results, [XP points](hawks-auditors/how-does-xp-work.md) are awarded!
70 | * As participants accumulate XP, they can rise through the ranks on the leaderboards and gain recognition for their expertise.
71 |
72 | ### Why Join a First Flight?
73 |
74 | **1. The ultimate learning opportunity for aspirant smart contract auditors**
75 |
76 | Engage in a new challenge every week, ensuring constant exposure to different scenarios and learning from real-world use cases and experts' code bases.
77 |
78 | **2. Evolve your skills in real-world scenarios**
79 |
80 | The complexity of each Flight increases over time, ensuring that participants are consistently challenged and their skills progressively honed.
81 |
82 | **3. Earn CodeHawks XP and climb the leaderboard**
83 |
84 | While there is no monetary prize, participants are rewarded with [CodeHawks XP](hawks-auditors/how-does-xp-work.md) for every vulnerability discovered, recognizing their efforts toward self-improvement.
85 |
86 | {% hint style="success" %}
87 | **Not feeling ready to join?**
88 |
89 | Join us at [Cyfrin Updraft](https://updraft.cyfrin.io) to kickstart your smart contract security and development career, completely free.
90 | {% endhint %}
91 |
--------------------------------------------------------------------------------
/glossary.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Find the definition of commonly used terms on CodeHawks.
3 | ---
4 |
5 | # ✏️ Glossary
6 |
7 |
8 |
9 | nSLOC
10 |
11 | nSLOC stands for 'Normalized Source Lines of Code', a custom measurement we use (among other things) to evaluate the complexity of a codebase.
12 |
13 | To get the NSLOC count of a file:
14 |
15 | 1. For all functions, reduce any multiline function declarations to a single line.
16 | 2. Remove all comments
17 | 3. Remove all empty lines
18 | 4. Count the remaining lines
19 |
20 |
21 |
22 |
23 |
24 | PoC - Proof of Concept
25 |
26 | A proof of concept (PoC) is a demonstration or experiment that seeks to validate the feasibility, functionality, and potential of a particular idea, concept, or method. Typically used in the early stages of development, a PoC demonstrates that a concept or theory has practical potential for real-world application. It doesn't aim to represent a finished product or solution. Instead, verifying that a specific idea can be developed into a functional prototype or product is a foundational step.
27 |
28 |
29 |
30 |
31 |
32 | QAs - Quality Assurance
33 |
34 | QA reports are essential software development and testing documents that highlight the status, progress, and potential issues of a particular product or system under evaluation. Here's a brief overview of what a QA report might entail.
35 |
36 |
37 |
38 |
39 |
40 | Finding
41 |
42 | Any submission done by a Hawk (auditor) to a contest reporting a bug or potential exploitation vector in a smart contract or codebase
43 |
44 |
45 |
46 |
47 |
48 | Complexity
49 |
50 | The complexity of a code base or smart contract, calculated using [Solidity Core Metrics](https://github.com/Consensys/solidity-metrics), taking into consideration:
51 |
52 | * nSLOC
53 | * Number of contracts
54 |
55 | And other parameters
56 |
57 |
58 |
59 |
60 |
61 | Sponsor
62 |
63 | Any protocol's team or developers willing to make their smart contracts more secure and their users safe by sponsoring a [smart contract auditing competition](broken-reference) on Codehawks.com
64 |
65 |
66 |
67 |
68 |
69 | Hawks
70 |
71 | The unique community of auditors on [codehawks.com](https://codehawks.com)
72 |
73 |
74 |
--------------------------------------------------------------------------------
/hawks-auditors/appeals.md:
--------------------------------------------------------------------------------
1 | # Appeals
2 |
3 | At Cyfrin CodeHawks, we pride ourselves on providing a transparent and fair competition environment. The **Appeals Period** is a testament to this commitment.
4 |
5 | For 48 hours following judging, escalations will be accepted to contest judgments. This period will be clearly announced across all channels.\
6 | During the 48 hours, interactions will be enabled on your GitHub submissions. During this time, you may leave comments detailing your escalation for re-assessment.
7 |
8 | ### Appeals eligibility criteria
9 |
10 | To enforce a fair and streamlined competition environment, to raise an appeal on a third-party submission (owned by other auditors), auditors must:
11 |
12 | 1. **Have at least one submission in the Contest they would be judging:** This assures the community judge that they will possess the context and familiarity with the code necessary to provide an accurate and valid submission assessment.
13 | 2. **Have earned at least $200 USDC from previous CodeHawks competitions:** This will further mitigate unqualified or inexperienced judges and serve as a Sybil defense mechanism.
14 | 3. **Have a total submission to valid submission ratio greater than or equal to 0.2** will ensure that only auditors who share Cyfrin's commitment to industry-leading quality can judge other submissions.
15 |
16 | **Note:** An auditor will always be eligible to appeal their own submissions. The above eligibility criteria apply to appealing the submissions of others only.
17 |
18 | ### Preliminary results release
19 |
20 | The unveiling of preliminary results takes place immediately after the conclusion of our judging process. This release serves as an initial insight into the standing of submissions and gives participants a sense of their performance.
21 |
22 | Once the preliminary results are made public, an **Appeal Period** of precisely two days commences. This window allows participants to:
23 |
24 | * Raise concerns regarding their submissions.
25 | * Provide additional insights or clarifications.
26 | * Challenge the preliminary findings if they believe there are discrepancies.
27 |
28 | ### How to raise an appeal
29 |
30 | To initiate an appeal, navigate to your judged submission with the red notification dot, on the CodeHawks portal:
31 |
32 |
33 |
34 | Read the community judges and lead judge comments in the provided comment box:
35 |
36 |
37 |
38 | Suppose you don't believe the judge's decision is correct or have any questions about the judging results. In that case, you can add a new comment stating, **in greater detail**, why you believe a given issue is valid or invalid.
39 |
40 | If you're challenging other entries, provide concise reasoning for any discrepancies identified.
41 |
42 | {% hint style="danger" %}
43 | **Low-effort appeals risk being disregarded.**
44 | {% endhint %}
45 |
46 | ### Important Points to Consider
47 |
48 | * **Quality Over Quantity**: While we appreciate thoroughness and attention to detail, we must ensure that appeals are well-reasoned and backed by substantial evidence. Appeals that appear hasty or lack clarity will be promptly closed.
49 | * **Frequency of Appeals**: Participants are encouraged to raise valid concerns. However, excessive appeals with little to no merit can lead to a situation where even valid concerns from the participant might be disqualified. We urge participants to be discerning and thoughtful in their approach.
50 |
51 | Lead Judges of a contest will be responsible for assessing appeals during the appeals phase.
52 |
53 | For any further feedback or concerns, participants can use our [Feedback Form](https://app.deform.cc/form/992e3c6a-b817-49f5-8075-1e50fb2e2d0f/).
54 |
--------------------------------------------------------------------------------
/hawks-auditors/how-does-xp-work.md:
--------------------------------------------------------------------------------
1 | # How Does XP Work?
2 |
3 | **CodeHawks XP System**
4 |
5 | Welcome to the CodeHawks XP System documentation page. Our XP system is designed to give a better insight into the contributions and expertise of our auditors, while also serving as a more comprehensive measure than simply relying on monetary gains. Here, we detail how the system works, the advantages it presents, and what you can expect from it.
6 |
7 | ***
8 |
9 | **Why XP Over Only Gains-Based Leaderboard?**
10 |
11 | * **Holistic Measurement**: XP provides a fuller picture of an auditor's capabilities and contributions. While financial gains might indicate the financial success of submissions, XP provides an understanding of the consistent quality and relevance of an auditor's findings.
12 | * **Experience Indication**: XP is more indicative of an auditor's experience and the value they bring to the platform, rather than just their monetary success.
13 | * **Motivation for Newcomers**: New auditors have a fair chance to climb the leaderboard by focusing on the quality of their submissions, ensuring everyone has an opportunity to shine.
14 |
15 | ***
16 |
17 | **How to Earn XP**
18 |
19 | 1. **Submission-based XP**:
20 | * Earn XP for each valid submission based on its post-judging severity rating.
21 | * Default XP rewards:
22 | * Low: 2 XP
23 | * Medium: 20 XP
24 | * High: 100 XP
25 |
26 | > **Note**: XP values mentioned are current defaults and can change. The CodeHawks team will always communicate changes in advance.
27 |
28 | 2. **Team Submissions**:
29 | * If you're in a team, all members earn XP for valid submissions by the team.
30 | * There's a scaling mechanism for fairness:
31 |
32 | * Teams of ≤5 : Each member earns 100% XP
33 | * Team of 6 : Each member earns 90% XP
34 | * Team of 7 : Each member earns 80% XP
35 | * ... so on till Teams of 10+ where each member earns 50% XP
36 |
37 |
38 | 3. **First Flights**:
39 | * XP for First Flights is the same distribution by severity as a regular audit.
40 | * A contest's 'selected' finding will receive a further boost of 1.4x
41 |
42 | ***
43 |
44 | #### Difficulty Multipliers
45 |
46 | For contests in which few submissions are received, a modifier to XP rewards will be levied as follows:
47 |
48 | * **<=50** valid submissions: 3x bonus XP
49 | * **<=150** valid submissions: 2x bonus XP
50 | * **151+** valid submission: Default XP
51 |
52 | This is meant to reward those who persevere through the most difficult contests and secure the most complex protocols.
53 |
54 | ***
55 |
56 | **What Your XP Represents Now**
57 |
58 | Currently, the XP you amass symbolizes your expertise and contributions to the CodeHawks community. Although no specific leveling system exists right now, we're excited about future prospects.
59 |
60 | ***
61 |
62 | **What’s On The Horizon**
63 |
64 | With the XP system's evolution, anticipate more perks:
65 |
66 | * **Visual Recognition**: Flaunt badges or icons that spotlight your expertise.
67 | * **Community Involvement**: Be eligible for community voting and other exclusive opportunities.
68 |
69 | Stay connected for more upgrades to the XP system. We are committed to making CodeHawks a platform where every contribution, big or small, is recognized and celebrated.
70 |
--------------------------------------------------------------------------------
/hawks-auditors/how-to-create-and-submit-a-poc.md:
--------------------------------------------------------------------------------
1 | # How to Write a PoC
2 |
3 | A Proof of Concept (PoC) demonstrates a concept's feasibility. In the context of smart contract auditing, a PoC demonstrates a vulnerability or flaw in a smart contract. A well-crafted PoC can help developers understand the vulnerability and its implications, making it easier to address the issue.
4 |
5 | By following this guide and template, auditors can ensure that their PoCs are clear, concise, and effective in communicating vulnerabilities to judges.
6 |
7 | ### **Key elements of a good PoC**
8 |
9 |
10 |
11 | 1. Working test case
12 |
13 | This is the most direct way to demonstrate a vulnerability. It should be executable and should clearly show the flaw in action.
14 |
15 |
16 |
17 |
18 |
19 | 2. Line-by-line comments
20 |
21 | Each line of the test case should be accompanied by comments explaining what that specific line is meant to do. This helps understanding the flow and logic of the PoC.
22 |
23 |
24 |
25 |
26 |
27 | 3. Clear separation of actors
28 |
29 | Clearly define and separate the roles involved in the PoC. Common roles include:
30 |
31 | * Attacker: The entity exploiting the vulnerability.
32 | * Victim: The entity affected by the exploit.
33 | * Protocol: The system or platform in which the smart contract operates.
34 |
35 |
36 |
37 |
38 |
39 | 4. Detailed exploit scenario
40 |
41 | If writing a PoC in the form of a test case is challenging or too straightforward, then a detailed step-by-step exploit scenario can be provided. This should explain:
42 |
43 | * **Initial State**: Describe the initial state of the system.
44 | * **Step 1**: Describe the first action taken by the attacker.
45 | * **Step 2**: Describe the subsequent action and so on.
46 | * **Outcome**: Describe the result of the exploit.
47 | * **Implications**: Discuss potential consequences or implications of the exploit.
48 |
49 |
50 |
51 | #### Recommendations:
52 |
53 | 1. Provide suggestions or fixes to address the vulnerability.
54 | 2. Link to the vulnerable smart contract, code, or any other relevant links or resources.
55 |
56 | ### **Proof of concept (PoC) template**
57 |
58 | ````markdown
59 | markdownCopy code## Proof of Concept for [Vulnerability Name]
60 |
61 | ### Overview:
62 | Briefly describe the vulnerability.
63 |
64 | ### Actors:
65 | - **Attacker**: Description of the attacker's role.
66 | - **Victim**: Description of the victim's role.
67 | - **Protocol**: Description of the protocol's role.
68 |
69 | ### Working Test Case (if applicable):
70 | ```solidity
71 | // Solidity code or test case demonstrating the vulnerability
72 | // Line 1: Explanation of line 1
73 | // Line 2: Explanation of line 2
74 | // ...
75 | ````
76 |
77 |
--------------------------------------------------------------------------------
/hawks-auditors/how-to-determine-a-finding-validity.md:
--------------------------------------------------------------------------------
1 | # How to Determine a Finding Validity
2 |
3 | For findings to be considered valid, they need to check all the properties listed below:
4 |
5 | * Submissions must be made during the official duration of the contest.
6 | * Valid submissions should identify legitimate vulnerabilities within the codebase.
7 | * Issues that fall under Gas/QA or Informational severity will not be eligible for rewards, even if they are accurate or correct.
8 | * Submissions should include sufficient details and proof to support the findings. For instance, while ChatGPT and AI can assist in bug finding, relying solely or primarily on AI responses often leads to poor reports. Reports suspected of this approach will likely be deemed invalid.
9 |
10 | ### Contest-specific validity guidelines
11 |
12 | There are two criteria to determine the validity of a finding within the context of a specific contest:
13 |
14 | * The official contest specification on the [CodeHawks](https://www.codehawks.com) contest's page
15 | * The code within the scope
16 |
17 | After a contest launch, Sponsors have a 48-hour [kick-off period](the-kick-off-period.md) to address any ambiguities raised by auditors in Discord regarding the contest-specific validity guidelines. Once this window has passed, the official contest specification on Cyfrin CodeHawks will be updated with answers from the Sponsor, becoming the ultimate standard for determining the validity of an issue within the contest**.**
18 |
19 | {% hint style="warning" %}
20 | Sponsors are strictly prohibited from employing the "[Moving The Goalposts](https://youtu.be/KeswYJgf5mM?feature=shared\&t=19)" logical fallacy to invalidate submissions after these 48 hours.
21 | {% endhint %}
22 |
23 | Judges and Sponsors may only invalidate a submission if it fails to meet the contest's predefined criteria.
24 |
25 | ### Vague generalities
26 |
27 | Vague generalities are always judged as invalid submissions. Examples include:
28 |
29 | * "This function may have re-entrance; add re-entrance guard."
30 | * "This hash function may have a hash collision; do the hashing differently."
31 |
32 | Suppose an auditor identifies a vulnerability in a function. In that case, they are responsible for demonstrating its impact by creating a [proof of concept](how-to-create-and-submit-a-poc.md) (PoC) exploit that can cause significant damage to the system or result in permanent grief or denial of service.
33 |
34 | However, if another auditor submits an actual exploit with a PoC that proves the vague generality to be accurate, only that auditor will be rewarded.\
35 | \
36 | Please refer to the dedicated guide for detailed instructions on what to include and how to [submit a finding](how-to-write-and-submit-a-finding.md).
37 |
38 | To determine the validity of a finding, we provide several issue categories as a guideline. Please note that final determinations will always be at the discretion of the Judge.
39 |
40 | ### Findings that may be invalid
41 |
42 | The following is a high-level list of issues which are usually not considered valid.
43 |
44 | {% hint style="info" %}
45 | The following table is a rough guide and **does not represent concrete policy**. Each issue's validity **may vary**, pending conditions and circumstances. Final determinations are at the judge/protocol's discretion.
46 | {% endhint %}
47 |
48 | | Issue | Description |
49 | | ------------------------------------------ | ---------------------------------------------------------------------------------------------------------------- |
50 | | Gas optimizations | Users/protocols may pay extra gas due to this issue. |
51 | | **Zero address checks** | Ensure input values are not zero addresses. |
52 | | **Admin Input/call validation** | Issues related to incorrect input by admins, call order mistakes, and assumptions breaking due to admin actions. |
53 | | **Front-running initializers** | If there's no irreversible damage or fund loss & the protocol can redeploy and initialize again. |
54 | | **User experience and design improvement** | Minor inconveniences or design opinions with no clear loss of funds indication. |
55 | | **User Blacklist** | A user being blacklisted causing harm only to themselves. |
56 | | **EIP compliance with no integrations** | If no external integrations exist and no adverse effects arise due to non-compliance with an EIP. |
57 | | **Users sending ETH/native tokens** | If contracts allow users to send tokens accidentally. |
58 | | **Loss of rewards** | Losing airdrops, liquidity fees, or other rewards not in the protocol design. |
59 | | **Incorrect values in View functions** | Considered low by default, unless used in a larger function resulting in fund loss. |
60 | | **Mock contracts issues** | Any issues found in mock contracts. |
61 | | **Slippage** | Issues showing definite fund loss with a detailed explanation. |
62 | | **EIP Compliance** | Issues regarding EIP compliance with essential external integrations. |
63 | | **Out of Gas** | Issues leading to Out of Gas errors due to malicious users or specific call flows. |
64 |
65 | \
66 |
--------------------------------------------------------------------------------
/hawks-auditors/how-to-evaluate-a-finding-severity.md:
--------------------------------------------------------------------------------
1 | # How to Evaluate a Finding Severity
2 |
3 | When identifying vulnerabilities in a codebase, it's crucial to assess the potential impact and risk associated with them. Findings, or vulnerabilities, are separated into three categories:
4 |
5 | * **High**
6 | * **Medium**
7 | * **Low severity**
8 |
9 | These severities help stakeholders prioritize and address the issues appropriately. For auditors, finding higher-severity findings will increase their ranking in the contest leaderboard and [payout](payouts.md).
10 |
11 | ### How to evaluate a finding severity
12 |
13 | The severity of a finding can be categorized as **High**, **Medium**, or **Low** and is determined based on several factors:
14 |
15 | 1. **Impact on the protocol:** How severe would the potential damage be if the vulnerability were exploited
16 | 2. **Likelihood of exploitation:** How probable would an attacker exploit this vulnerability?
17 | 3. **Degree of judge/protocol subjectivity**
18 |
19 |
Impact
High
Medium
Low
High
H
H/M
M
Likelihood
Medium
H/M
M
M/L
Low
M
M/L
L
20 |
21 | {% hint style="warning" %}
22 | **Subjectivity in Classification**
23 |
24 | While the Impact vs Likelihood matrix provides a structured approach, there remains a degree of subjectivity in classifying findings. The judge's discretion is pivotal in determining a finding's category.
25 |
26 | If the protocol under audit stipulates particular criteria, then those guidelines should be the benchmark for classifying findings.
27 | {% endhint %}
28 |
29 | #### How to evaluate the impact of a finding
30 |
31 | Impact refers to the potential harm or consequence to the users or the protocol due to the vulnerability.
32 |
33 | * **High Impact**:
34 | * Funds are directly or nearly directly at risk.
35 | * There's a severe disruption of protocol functionality or availability.
36 | * **Medium Impact**:
37 | * Funds are indirectly at risk.
38 | * There's some level of disruption to the protocol's functionality or availability.
39 | * **Low Impact**:
40 | * Funds are not at risk.
41 | * However, a function might be incorrect, the state might not be handled appropriately, etc.
42 |
43 | #### How to evaluate the l**ikelihood of exploitation of a finding**
44 |
45 | Likelihood represents the probability of the impact occurring due to the vulnerability.
46 |
47 |
48 |
49 | High likelihood
50 |
51 | It's highly probable to happen. For instance, a hacker can call a function directly and extract money.
52 |
53 |
54 |
55 |
56 |
57 | Medium likelihood
58 |
59 | It might occur under specific conditions. For example, a peculiar ERC20 token is used on the platform.
60 |
61 |
62 |
63 |
64 |
65 | Low likelihood
66 |
67 | It is unlikely to occur. An example might be if a hard-to-change variable is set to a unique value on a specific block.
68 |
69 |
70 |
71 | {% hint style="info" %}
72 | **Note**\
73 | There are instances where the likelihood is deemed "computationally infeasible". For example, "An attacker could guess the user's private key".
74 |
75 | The author must demonstrate that their finding is computationally feasible in such scenarios.
76 | {% endhint %}
77 |
78 | ### Examples of High, Medium, and Low severity findings
79 |
80 | #### High Severity Findings
81 |
82 | **Properties:**
83 |
84 | * Direct impact on the funds or the main functionality of the protocol.
85 | * The attack path is straightforward.
86 | * The vulnerability is easily exploitable, leading to significant damage.
87 |
88 | **Example:**\
89 | [See Detailed High Severity Finding](https://solodit.xyz/issues/boostsetlockstatus-should-update-the-callers-rewards-first-hans-none-meta-markdown\_)
90 |
91 | For more examples of High severity findings, visit [Solodit](https://solodit.xyz/).
92 |
93 | #### Medium Severity Findings
94 |
95 | **Properties:**
96 |
97 | * Indirect impact on the funds or the protocol's functionality.
98 | * The attack path isn't straightforward and needs specific conditions to be met.
99 | * Though the vulnerability might cause harm, exploiting it is challenging.
100 |
101 | **Example:**\
102 | [See Detailed Medium Severity Finding](https://solodit.xyz/issues/the-off-chain-mechanism-must-be-ensured-to-work-in-a-correct-order-strictly-cyfrin-none-cyfrin-stake-link-markdown)
103 |
104 | For more examples of findings on medium severity, visit [Solodit](https://solodit.xyz/).
105 |
106 | #### Low Severity Findings
107 |
108 | **Properties:**
109 |
110 | * Minimal impact on the funds or the protocol's main functionality.
111 | * The vulnerability doesn't lead to tangible real-world damage.
112 | * The path to exploit is either non-existent or highly improbable.
113 |
114 | **Example:**\
115 | [See Detailed Low Severity Finding](https://solodit.xyz/issues/l-06-erc1155action-returns-false-on-supportsinterface-with-the-real-erc1155-interface-code4rena-notional-notional-contest-git)
116 |
117 | For more severe findings, visit [Solodit](https://solodit.xyz/).
118 |
119 | {% hint style="warning" %}
120 | **Non-Acceptable Severity**
121 |
122 | As of August 18th, 2023, CodeHawks no longer accepts submissions with a severity of Gas, QA, or Informational. Ensure that the vulnerabilities you are submitting directly or indirectly impact the protocol and are not merely gas optimizations, quality assurance issues, or informational insights.
123 | {% endhint %}
124 |
125 | ***
126 |
127 | For more information on how to write and submit findings, refer to the [How to write and submit a finding](how-to-write-and-submit-a-finding.md) guide.
128 |
--------------------------------------------------------------------------------
/hawks-auditors/how-to-write-and-submit-a-finding.md:
--------------------------------------------------------------------------------
1 | # How to Present Your Findings
2 |
3 | At Cyfrin CodeHawks, ensuring a streamlined and standardized process for reporting vulnerabilities is paramount. This ensures your submissions are explained clearly, facilitates fair judging, and gives you better chances to submit a valid finding and earn rewards.
4 |
5 | All finding submissions are handled directly through the CodeHawks web platform to ensure a simple and streamlined process.
6 |
7 | ### **Choosing between submitting single or multiple reports**
8 |
9 | Once you've determined the [severity of your finding](how-to-evaluate-a-finding-severity.md) and its [validity](how-to-determine-a-finding-validity.md), refer to the following report format:
10 |
11 | * **Medium or High Severity Findings**: Submit individually.
12 | * **Low Findings (Low risk or Non-critical)**: Compile into a single report per auditor or team
13 |
14 | ### **How to adequately explain and prove your findings**
15 |
16 | The auditors are responsible for validating the findings. A detailed explanation and justification of the potential impact are crucial for a top-quality submission. The depth of the proof required correlates with the potential value of the submission.
17 |
18 | Insufficient proof is when a judge needs to invest additional time in research or coding to verify the claims made in the submission. Providing a coded [proof of concept (POC)](how-to-create-and-submit-a-poc.md) for your findings is highly recommended. This aids the judges immensely in swiftly and accurately verifying your claims.
19 |
20 | _Submissions deemed to lack sufficient evidence may risk_ [_invalidation_](../judging/disqualification-criteria.md)_._
21 |
22 | ### **How to format your report**
23 |
24 | When documenting a finding, adhere to the following structure:
25 |
26 | ```markdown
27 | ## Summary
28 |
29 | (Provide a brief overview of the vulnerability.)
30 |
31 | ## Vulnerability Details
32 |
33 | (Delve deep and elaborate on the identified issue, including where it exists in the codebase.)
34 |
35 | ## Impact
36 |
37 | (Describe the potential consequences of this vulnerability. How could it harm the protocol or users?)
38 |
39 | ## Tools Used
40 |
41 | (List any tools or software that aided in the identification of the vulnerability.)
42 |
43 | ## Recommended Mitigation
44 |
45 | (Suggest ways to resolve or mitigate the identified vulnerability.)
46 | ```
47 |
48 |
--------------------------------------------------------------------------------
/hawks-auditors/payouts.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Get transparency into how reward payouts are calculated
3 | ---
4 |
5 | # Payouts
6 |
7 | Auditor payouts consist of shares of the prize pool calculated based on the [severity](how-to-evaluate-a-finding-severity.md) and [number of findings](how-to-write-and-submit-a-finding.md) an auditor submits during a smart contract auditing competition.
8 |
9 | Here's how rewards are calculated:
10 |
11 |
12 |
13 | High / Medium Findings
14 |
15 | #### Current Payout Calculation:
16 |
17 | For competitive audits, the payouts are currently determined as:
18 |
19 | * **Medium-Risk Shares**: `1 * (0.9^(findingCount - 1)) / findingCount`
20 | * **High-Risk Shares**: `5 * (0.9^(findingCount - 1)) / findingCount`
21 |
22 | This calculation is subject to future adjustments to align with auditors' needs.
23 |
24 | #### Example:
25 |
26 | Given a **H/M Prize Pot** of **$30,000** and a **Final report** with **3 Highs** and **2 Mediums**:
27 |
28 | * **Auditor A** submitted: High A, B, Medium A
29 | * **Auditor B** submitted: High A, C, Medium A, B
30 | * **Auditor C** submitted: High A, Medium A, B, C
31 |
32 | The shares per finding would be:
33 |
34 | * **Medium A** (3 findings): `1 * (0.9^(3 - 1)) / 3 = 0.27`
35 | * **Medium B** (2 findings): `1 * (0.9^(2 - 1)) / 2 = 0.45`
36 | * **Medium C** (1 finding): `1 * (0.9^(1 - 1)) / 1 = 1`
37 | * **High A** (3 findings): `5 * (0.9^(3 - 1)) / 3 = 1.35`
38 | * **High B** (1 finding): `5 * (0.9^(1 - 1)) / 1 = 5`
39 | * **High C** (1 finding): `5 * (0.9^(1 - 1)) / 1 = 5`
40 |
41 | Total shares:
42 |
43 | * **Auditor A**: `1.35 + 5 + 0.27 = 6.62` shares
44 | * **Auditor B**: `1.35 + 5 + 0.27 + 0.45 = 7.07` shares
45 | * **Auditor C**: `1.35 + 0.27 + 0.45 + 1 = 3.07` shares
46 |
47 | The prize distribution would be:
48 |
49 | * **Auditor A**: `6.62 / 16.76 = 39.5%` of the prize pot = $11,850
50 | * **Auditor B**: `7.07 / 16.76 = 42.2%` of the prize pot = $12,660
51 | * **Auditor C**: `3.07 / 16.76 = 18.3%` of the prize pot = $5,490
52 |
53 |
54 |
55 |
56 |
57 | Low Findings
58 |
59 | For this tier, the prize pool is considerably smaller. The current calculation for low-risk shares is:
60 |
61 | * **Low-Risk Shares**: `1 * (0.9^(findingCount - 1)) / findingCount`
62 |
63 | Given the smaller prize pool and the potential volume of findings in this tier, auditors should note that judges may disqualify low-effort submissions at their discretion.
64 |
65 | ### QA / Gas / Informational
66 |
67 | As of August 18th, 2023, CodeHawks has stopped accepting findings related to gas optimizations, quality assurance issues, and informational insights.
68 |
69 |
70 |
71 | {% hint style="warning" %}
72 | Rewards are paid out in **USDC** through the **ZKsync chain**. Crediting the reward **won't be possible** without a ZKsync wallet connected to the user profile.
73 |
74 | Payouts may be within 0.0001 USDC margin of error.
75 | {% endhint %}
76 |
77 | ***
78 |
79 | ### Duplicate issues
80 |
81 | An issue is considered a duplicate if they have the same **root cause**. For example, the following two issues are duplicates:
82 |
83 | * **No zero address check results in loss of funds: high**
84 | * **Users can lose precision when it doesn't check for address(0): low.**
85 |
86 | These have the same **root cause** even though they are submitted with different severity levels and are considered duplicates.
87 |
88 | The following are not considered duplicates:
89 |
90 | * **Users can lose precision when it doesn't check for address(0): low.**
91 | * **Dividing before multiplying loses precision: low.**
92 |
93 | Since they have different root causes (checking the zero address vs dividing before multiplying), they are not considered duplicates.
94 |
--------------------------------------------------------------------------------
/hawks-auditors/quick-start.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: Cyfrin CodeHawks Quick Start Guide for Auditors
3 | ---
4 |
5 | # Quick Start
6 |
7 | Welcome to Cyfrin CodeHawks! Here's a quick and easy guide to get you started as an auditor and submit your first vulnerabilities.
8 |
9 | ### **1. Create an account on CodeHawks**
10 |
11 | First, create a new account by visiting [codehawks.cyfrin.io](https://codehawks.cyfrin.io) and clicking the "sign up" button in the top right corner:
12 |
13 |
14 |
15 | ### 2. Subscribe to your first CodeHawks competition
16 |
17 | Navigate to the competitions page and look for "Live" or "Upcoming" contests:
18 |
19 |
20 |
21 | {% hint style="success" %}
22 | **Don't want to miss any of our competition announcements?**
23 |
24 | Make sure to follow us on [Twitter](https://twitter.com/CyfrinAudits?s=20) and join our [Discord](https://discord.gg/cyfrin) server!
25 | {% endhint %}
26 |
27 | Clicking on a competition will open its details page, with important information such as:
28 |
29 | * [Prize pool](payouts.md) severity breakdowns
30 | * Start and end dates
31 | * [nSLOC](../glossary.md) and scope
32 | * Scoring
33 | * Link to the GitHub repository (if the competition is live)
34 |
35 |
36 |
37 | Every contest also comes with details that will help you understand:
38 |
39 | * The codebase
40 | * Scope
41 | * compatibilities
42 | * How to get the codebase up and running
43 |
44 | New contests are announced almost every week. When you find a contest that fits your skills, click on the subscribe button to join it:
45 |
46 |
47 |
48 | ### 3. Submit your first finding vulnerability
49 |
50 | Once you've found your first vulnerability, navigate to the competition page, and click on the submit "submit a vulnerability" button:
51 |
52 |
53 |
54 | To submit your vulnerability, you'll be asked to insert:
55 |
56 | * Title - a <250 character descriptive title of your submission
57 | * Severity - a matrix of likelihood and impact characterizing your finding. Read [how-to-evaluate-a-finding-severity.md](how-to-evaluate-a-finding-severity.md "mention")for a full explanation.
58 | * Description - a detailed description of the vulnerability found and how to reproduce it.
59 |
60 | Learn more on [how-to-write-and-submit-a-finding.md](how-to-write-and-submit-a-finding.md "mention")on the dedicated guide.
61 |
62 | ### 5. Await for the judging results
63 |
64 | **After the auditing period ends, judges will evaluate each submission carefully to determine its validity, severity, and overall quality.**
65 |
66 | **Judging is done in two steps:**
67 |
68 | * [Community Judging](../judging/how-community-judging-works.md) - a period where all [eligible community judges](../judging/community-judging-eligibility.md) can evaluate others' submissions
69 | * [Lead judging](../judging/the-judging-process.md) - a period where the lead judge confirms or not the community judges' decisions and issue the final pre-appeal judgments.
70 |
71 | Every phase will be communicated on the platform and via announcements on [Discord](https://discord.gg/cyfrin).
72 |
73 | Learn more about [the judging process](../judging/the-judging-process.md).
74 |
75 | ### 6. Appeal to the judge's results
76 |
77 | For 48 hours following judging, [appeals](appeals.md) will be accepted to contest judgments. This period will be clearly announced across all channels.
78 |
79 | \
80 | During the 48 hours, interactions will be enabled on your GitHub submissions. During this time, you may leave comments detailing your escalation for re-assessment.
81 |
82 | ### 7. Get rewarded
83 |
84 | Once the final report is released, results will be announced, and [payouts](payouts.md) will be sent to the winners.
85 |
86 | {% hint style="warning" %}
87 | Rewards are paid out in USDC through the ZKsync chain. Crediting the reward won't be possible without a ZKsync wallet connected to the user profile.
88 | {% endhint %}
89 |
90 |
--------------------------------------------------------------------------------
/hawks-auditors/the-kick-off-period.md:
--------------------------------------------------------------------------------
1 | # The Kick-Off Period
2 |
3 | The Kick-Off period is designed to introduce participants to the contest, clarify the codebase and rules, and provide a moment for any immediate questions or concerns. This 48-hour window is vital for all participants and the fairness of a competitive audit.
4 |
5 | ### Key events of the kick-off period
6 |
7 |
8 |
9 | 1. Contest Commencement Announcements
10 |
11 | An official announcement will mark the start of the Kick-Off period. This will signify the beginning of the competition and provide all necessary details about the upcoming events during the Kick-Off.
12 |
13 |
14 |
15 |
16 |
17 | 2. Kick-Off Live Stream (optional)
18 |
19 | During the Kick-Off live stream, participants will:
20 |
21 | * Be given a thorough walkthrough of the codebase. This will help in understanding the structure, functionalities, and intricacies of the code you'll be auditing.
22 | * Have the opportunity to interact with sponsors and team members. They will be available to answer questions about the competition, the codebase, or related topics.
23 |
24 | **Note**: We highly recommend attending the live stream. It's a valuable opportunity to gain insights and clear up any uncertainties before diving into the audit.
25 |
26 |
27 |
28 |
29 |
30 | 3. Clarification & Feedback Window
31 |
32 | For the entire duration of the 48-hour Kick-Off period, participants can:
33 |
34 | * Seek clarifications on the contest specifications. If there's any part of the spec you're unsure about, this is your time to get clarity.
35 | * Discuss and provide feedback on any known issues with the spec. If you spot inconsistencies, ambiguities, or potential problems, you're encouraged to bring them up.
36 |
37 | By the end of the Kick-Off period, the contest spec will be finalized based on the discussions and feedback.
38 |
39 |
40 |
41 | ### Important Notes
42 |
43 | * **Finalization of Contest Spec**: After the 48-hour Kick-Off period, no changes to the contest spec will be accepted. Make sure to voice any concerns or suggestions during this window.
44 | * **Decisions & Judgments**: All decisions related to the competition will be based on the finalized contest spec. Ensure you're familiar with the final version to align your auditing strategy accordingly.
45 |
--------------------------------------------------------------------------------
/hawks-auditors/what-is-an-auditing-competition.md:
--------------------------------------------------------------------------------
1 | # What is a Competitive Audit?
2 |
3 | A smart contract security auditing competition or contest is where security researchers, Hawks, review a smart contract or codebase to identify vulnerabilities, inefficiencies, and potential issues.
4 |
5 | Auditors then submit their findings to be rewarded based on their [validity](how-to-determine-a-finding-validity.md), quality, and [severity](how-to-evaluate-a-finding-severity.md).
6 |
7 | {% hint style="info" %}
8 | **Don't want to miss any of our competition announcements?**
9 |
10 | Make sure to follow us on [Twitter](https://twitter.com/CyfrinAudits?s=20) and join our [Discord](https://discord.gg/cyfrin) server!
11 | {% endhint %}
12 |
13 | ### **How does a Cyfrin CodeHawks auditing competition work?**
14 |
15 | Every smart contract auditing competition is comprised of seven periods:
16 |
17 |
18 |
19 | 1. Competition announcement
20 |
21 | This is the initial phase in which we announce the upcoming competition, detailing the smart contract(s) to be audited.
22 |
23 | Learn how to subscribe and submit your first vulnerability following the [quick start guide](quick-start.md).
24 |
25 |
26 |
27 |
28 |
29 | 2. Kick-off
30 |
31 | This is the official start of the competition, and it will last 48 hours. From now on, participants can access the contract repo on the contests page and begin looking for bugs, issues, and vulnerabilities. Findings can be submitted through the contest page on the web portal.
32 |
33 | During [the kick-off](what-is-an-auditing-competition.md#id-2.-kick-off) period, auditors can also raise issues with the codebase, the scope, or any other contest's details.
34 |
35 |
36 |
37 |
38 |
39 | 3. Auditing
40 |
41 | Auditors delve deep into the provided smart contract(s), using their expertise to uncover vulnerabilities, inefficiencies, and other issues and recommendations. In the next phase, these findings are submitted to judges for assessment.
42 |
43 | This period is time-bound, ensuring a level playing field.
44 |
45 | The time allotted for a competition is determined mainly by the size of the audited code base.
46 |
47 |
48 |
49 |
50 |
51 | 4. Community judging and lead judging
52 |
53 | Once the auditing period concludes, the [community judging](../judging/how-community-judging-works.md) period will start, followed by the lead judging period, during which the Cyfrin CodeHawks team or appointed [judges](../judging/the-judging-process.md) will review the submissions. This will validate the findings, rank them based on severity, and prepare for the appeals phase.
54 |
55 | The length of this period is primarily determined by the number of submissions received.
56 |
57 |
58 |
59 |
60 |
61 | 5. Appeals
62 |
63 | For **48 hours** after the initial judging, auditors can raise concerns and [appeals](appeals.md) about the decisions made during the judging phase. This window allows the community to ensure transparency and fairness.
64 |
65 |
66 |
67 |
68 |
69 | 6. Rewards
70 |
71 | After addressing escalations, the final results are announced, and rewards are distributed to auditors based on the quality and significance of their findings.
72 |
73 | [Payouts](payouts.md) are distributed within 72 hours of the escalation period's closure and are currently paid in USDC on ZKsync.
74 |
75 |
76 |
77 | ***
78 |
79 |
--------------------------------------------------------------------------------
/judging/community-judging-eligibility.md:
--------------------------------------------------------------------------------
1 | # Community Judging Eligibility
2 |
3 | A few distinct criteria will be used to determine a user's eligibility to participate in community judging for a contest.
4 |
5 | To be eligible for community judging a competition, a potential judge must:
6 |
7 | 1. **Have at least one submission in the Contest they would be judging:** This assures the community judge that they will possess the context and familiarity with the code necessary to provide an accurate and valid submission assessment.
8 | 2. **Have earned at least $200 USDC from previous CodeHawks competitions:** This will further mitigate unqualified or inexperienced judges and serve as a Sybil defense mechanism.
9 | 3. **Have a total submission to valid submission ratio greater than or equal to 0.2:** This will ensure that only auditors who share Cyfrin's commitment to industry-leading quality can judge other submissions.
10 |
11 | ### First Flights
12 |
13 | The criteria for community judging in First Flights may differ from those outlined above. Fewer restrictions may be employed to pursue learning opportunities.
14 |
--------------------------------------------------------------------------------
/judging/disqualification-criteria.md:
--------------------------------------------------------------------------------
1 | # Disqualification Criteria
2 |
3 | We uphold a high standard of integrity and quality for our competitive audits. Our goal is to ensure a fair playing field for all participants while maintaining the credibility of our competitions.
4 |
5 | Below, we define the specific criteria that may lead to the disqualification of participants from our contests:
6 |
7 |
8 |
9 | Issue validity
10 |
11 | Ensuring the authenticity and relevance of findings is crucial for the integrity of our competitions.
12 |
13 | * **Threshold for Validity**: Participants must maintain a validity rate of more than 15% for their findings. If over 85% of a participant's submissions are deemed invalid, they will face disqualification.
14 |
15 | **Examples**:
16 |
17 | * 1 valid, 6 invalids = 14.3% valid -> disqualified
18 | * 2 valid, 6 invalids = 25% valid -> qualified
19 |
20 |
21 |
22 |
23 |
24 | Timeliness of submissions
25 |
26 | Promptness is key:
27 |
28 | * Submissions must be made within the designated competition window.
29 | * Any findings submitted after the competition window closes will not be considered.
30 |
31 |
32 |
33 |
34 |
35 | ChatGPT & AI generated findings
36 |
37 | While AI tools like ChatGPT can be beneficial:
38 |
39 | * Submissions based primarily or solely on AI-generated responses often lead to subpar reports.
40 | * Participants suspected of relying excessively on AI for their submissions risk disqualification.
41 |
42 |
43 |
44 |
45 |
46 | Excessive invalid appeals
47 |
48 | During the appeals process:
49 |
50 | * Participants are encouraged to raise valid concerns.
51 | * However, an overwhelming number of invalid appeal submissions can risk the invalidation of all of a participant's appeals.
52 | * The Threshold for this is currently at the Judge's discretion
53 |
54 |
55 |
56 |
57 |
58 | Failure to adhere to the CodeHawks community guidelines
59 |
60 | Upholding our community values is paramount:
61 |
62 | * Participants must adhere to the community guidelines outlined on [CodeHawks](https://www.codehawks.com), our [Twitter](https://twitter.com/CodeHawks) page, and [Discord](https://discord.gg/cyfrin) channel.
63 | * Any breach of these guidelines may result in disqualification from the current contest and risk the participant's eligibility for future competitions.
64 |
65 | Our disqualification criteria ensure the credibility and fairness of CodeHawks' competitive audits. Adherence to these rules is essential for maintaining our platform's and community's integrity. We urge all participants to familiarize themselves with these criteria and uphold the standards set forth by CodeHawks.
66 |
67 | If you have any questions or need further clarification, feel free to contact our team or consult our community guidelines on our official platforms.
68 |
69 |
70 |
71 |
--------------------------------------------------------------------------------
/judging/how-community-judging-works.md:
--------------------------------------------------------------------------------
1 | # How Community Judging Works
2 |
3 | The judging phase will start upon the resolution of the submission period of a competitive audit. At this point, all[ eligible community judges](community-judging-eligibility.md) for a contest will receive an email advising them of the beginning of the judging phase and their [eligibility](community-judging-eligibility.md) to participate.
4 |
5 | This page teaches you how to participate in the community judging phase, evaluating others' submissions for a chance to earn [extra rewards](payouts-and-rewards.md).
6 |
7 | ### Judging Dashboard
8 |
9 | Navigate to the judging dashboard by clicking on the "judging" item on the top navbar.
10 |
11 |
12 |
13 | From here, judges can see any contests they are eligible to judge. By hovering over the eligibility information icon, judges can see the [eligibility requirements](community-judging-eligibility.md) to participate in each contest's judgment.
14 |
15 | The duration of this period will be determined by several factors including, but not limited to:
16 |
17 | * **Number of submissions**
18 | * **Number of eligible judges**
19 |
20 | ### Community Judging Submission View
21 |
22 | Clicking 'Judge' will bring one to the Community Judging submission view. The community Judge will be faced with the Community Judging view.
23 |
24 | In this view, a judge will be randomly assigned one submission at a time, with another assigned after each judgment. There is no limit to the number of submissions a community judge can complete.
25 |
26 |
27 |
28 | A community judge's role is to determine if each submission assigned is valid or invalid and categorize them as such using the radial buttons available in the top right.
29 |
30 | ### Submission Tags
31 |
32 | During the judging phase, participants might observe tags being added to their submissions. These tags serve as indicators and can denote various aspects, including:
33 |
34 | * **Valid Findings**: Recognized by tags like `finding-reentrancy-borrow-function`.
35 | * **Selected Findings**: Denoted by the `selected` tag.
36 |
37 | Following the conclusion of the community judging period, an assigned Lead Judge will assess the validity of judgments and ultimately determine the performance of community judges.
38 |
39 | ### Performance
40 |
41 | A community judge's performance is determined by comparing the accuracy of their submissions versus the Lead Judge's final verdicts.
42 |
43 | A community judge will receive +1 point if their judgment matches the Lead Judge's and -1 point if the assessments do not match. This simple system provides a grade of how accurate a community judge's assessments are and ultimately determines [rewards](payouts-and-rewards.md) for participants.
44 |
45 | **For example:**
46 |
47 | * The community Judge determines ten valid findings and five invalid
48 | * The Lead Judge's verdict matches 8 of the Community Judges' valid and 4 of the CJ's invalid judgments.
49 |
50 | The equation looks like this:
51 |
52 | **Valid Judgement Matches** - **Valid Judgement Mismatches** + **Invalid Judgement Matches** - **Invalid Judgement Mismatches**
53 |
54 | For example: 8 - 2 + 4 - 1 = 9
55 |
56 | The community judge in this example would receive 9 points for their 15 judged submissions.
57 |
58 |
--------------------------------------------------------------------------------
/judging/payouts-and-rewards.md:
--------------------------------------------------------------------------------
1 | # Payouts and Rewards
2 |
3 | {% hint style="warning" %}
4 | Rewards are paid out in USDC through the ZKsync chain. Crediting the reward won't be possible without a ZKsync wallet connected to the user profile.
5 | {% endhint %}
6 |
7 | The judging reward pool is set at 7.5**%** of the contest's total prize pool up to a cap of $15,000.
8 |
9 | Payment for the Lead Judge is calculated separately from a contest's total prize pool.
10 |
11 | Competitive Judges will be eligible for payouts based on their performance while judging a contest. The **Top 5 community judging participants by total point value** will receive equal portions of the judging pool (1.5% of the total contest prize pool).
12 |
13 | **Example:**
14 |
15 | * The contest is hosted for a $50,000 total prize pool.
16 | * 7.5% or $3,750 is allotted as a judging pool.
17 | * Community Judges are ranked by points earned during the judging period.
18 | * The top 5 Community Judges receive $750 each.
19 |
20 | **Example 2:**
21 |
22 | * The contest is hosted for a $250,000 total prize pool.
23 | * The judging pool is capped at $15,000.
24 | * Community Judges are ranked by points earned during the judging period.
25 | * The top 5 Community Judges receive $3,000 each.
26 |
27 | _**Please note: Payouts may be within 0.0001 USDC margin of error.**_
28 |
--------------------------------------------------------------------------------
/judging/the-judging-process.md:
--------------------------------------------------------------------------------
1 | # The Judging Process
2 |
3 | The judging phase is critical to Cyfrin CodeHawks' competitive audits, ensuring its contests' integrity, transparency, and fairness.
4 |
5 | Here's an in-depth look at how the judging process works.
6 |
7 | ### How does the CodeHawks judging process work?
8 |
9 | We split the judging process into two phases:
10 |
11 | 1. [**Community judging**](the-judging-process.md#community-judging)
12 | 2. **Lead judging**
13 |
14 | Both happen after the contest's closed submission window, lasting an average of \~ three weeks. Once judging begins, further submissions through the CodeHawks Audit Portal will be disabled.
15 |
16 | #### Community judging
17 |
18 | All eligible community members can join the community judging phase as judges.
19 |
20 | Community Judges will use the CodeHawks portal to submit their assessments to the Lead Judge for each contest, to earn rewards based on their performances and accuracy.
21 |
22 | Find more information on Community Judging and how it works [here](how-community-judging-works.md).
23 |
24 | You can check out more eligibility information [here](community-judging-eligibility.md)!
25 |
26 | #### Lead judging
27 |
28 | A member of the Cyfrin team or an appointed, reputable, and esteemed community member may be invited to assist in judging.
29 |
30 | While submission volume certainly plays a part, the average judging period is \~2.5 weeks.
31 |
32 |
33 |
34 | ***
35 |
36 | The judging process at CodeHawks is meticulously designed to uphold the highest standards of fairness and clarity. We're continually evolving our methods to reflect the best practices and ensure that every participant receives thorough, unbiased feedback.
37 |
38 | For further inquiries or more detailed insights into our processes, please [get in touch with our dedicated support team](https://cyfrin.io/get-an-audit).
39 |
--------------------------------------------------------------------------------
/protocol-teams-sponsors/the-auditing-process.md:
--------------------------------------------------------------------------------
1 | # The Auditing process
2 |
3 | Cyfrin CodeHawks ensures the security of the protocols and teams we assist through an innovative private and community code review process.
4 |
5 | To learn more about how competitive audit works from an auditor's perspective, check out Auditors.
6 |
7 | Ensuring the security of protocols and their users is our top priority, and making the process for developers and protocol teams as smooth as possible is our second:
8 |
9 | This page outlines your journey to securing your code base and what you'll need to ensure complete coverage of your protocol.
10 |
11 | Here's what our auditing process looks like:
12 |
13 |
14 |
15 | 1. Request an audit
16 |
17 | Request an audit by going to [codehawks.com ](https://codehawks.com)and submitting the "Request an Audit" form under “Request Audit” - you can schedule an audit with at least three days' notice.
18 |
19 | Our team will contact you within two days to arrange a screening call and assess the properties of your project and code base.
20 |
21 |
22 |
23 |
24 |
25 | 2. Screening interview and code base assessment
26 |
27 | The CodeHawks team will contact you to discuss your audit scope, expected timeline, and requirements necessary to initiate an audit. They will also provide recommendations on the [ideal auditing path to take.](broken-reference)
28 |
29 | Check out our [guidelines for more information on what is required to start an audit.](broken-reference)
30 |
31 |
32 |
33 |
34 |
35 | 3. Pricing and timelines
36 |
37 | The CodeHawks team will conduct an initial assessment of your code base and project, and provides you with a quote based on the length of time required for the audit and its complexity.
38 |
39 | You can learn more about [pricing and timelines on our guide](broken-reference).
40 |
41 |
42 |
43 |
44 |
45 | 4. Code freeze
46 |
47 | At least, 2 days before the audit starts, protocol's teams are required to send CodeHawks the final:
48 |
49 | * commit
50 | * branch
51 | * known issues
52 | * contracts.
53 |
54 | After that a **code freeze is required** to establish a standard - This means that everyone will be looking at the same code for the entire duration of the audit.
55 |
56 | **Please note that this includes your own repository as a pull request can leak alpha information to our community.**
57 |
58 | Take a look at the [Preparing for an Audit guide](broken-reference) to learn more on what you'll need to get the auditing started
59 |
60 |
61 |
62 |
63 |
64 | 5. Audit begins
65 |
66 | In case of an auditing comeptition, we ask for a member(s) of your engineering team to be available on the [CodeHawks Discord ](https://discord.gg/cyfrin)server in order to answer Auditors questions via the dedicated channel.
67 |
68 | Each member will be given a special "sponsor" role to make sure you're recognisable.
69 |
70 | In any case, our community managers will be always available to help you in the process and answer auditors' questions.
71 |
72 |
73 |
74 |
75 |
76 | 6. Judging and appeal
77 |
78 | Immediately after the audit contest ends, the judging phase commences. The duration of the judging contest varies depending on the number of issues submitted. During this phase, security experts thoroughly evaluate the submissions.\
79 | \
80 | Once the judging phase is complete, the Appeal period begins. In this stage, security experts have the opportunity to flag any issues they believe were not categorized correctly during the initial judging, seeking a second opinion.\
81 | \
82 | To know more about the [Appeal period you can refer to this guide](the-auditing-process.md#6.-judging-and-appeal).
83 |
84 |
85 |
86 |
87 |
88 | 7. Initial report
89 |
90 | A day or so after the appeal period ends, the CodeHawks team, will compile and meticulously organize a curated, de-duplicated list of all High, Medium and low-severity findings for your team. This compilation will enable your team to effectively prioritize and address these critical vulnerabilities
91 |
92 |
93 |
94 | **Note: The following steps are only present in protocols opting in for Competitive reviews or** [**Private Audits**](https://cyfrin.io)**.**
95 |
96 |
97 |
98 |
99 |
100 | 8. Mitigation phase - Fix the code
101 |
102 | First, our teams will agree on a suitable time frame to tackle these issues.
103 |
104 | Once we've set the time, your team can start implementing the necessary fixes in your code base. It's crucial to ensure that these vulnerabilities are addressed promptly and effectively to enhance the security of your systems.
105 |
106 | Additionally, you may opt for a Mitigation Review Contest, following your initial audit to verify your implementations. These are much faster than the initial audit phase!
107 |
108 | Through these steps, you'll be sure to strengthen your code and safeguard your applications against potential threats.
109 |
110 |
111 |
112 |
113 |
114 | 9. Final report
115 |
116 | Post-fix review, our team will meticulously review your code once more to compile a detailed final report, ensuring all the fixes have been implements and your code is ready to be shipped.
117 |
118 |
119 |
120 |
121 |
122 |
123 |
124 | \
125 |
126 |
127 | \
128 |
--------------------------------------------------------------------------------
/tools.md:
--------------------------------------------------------------------------------
1 | ---
2 | description: A list of suggested tools from the Cyfrin CodeHawks auditors' community
3 | ---
4 |
5 | # 🛠️ Tools
6 |
7 | ### Auditor Tools
8 |
9 | These are auditor tools that you can use to help you audit smart contracts.
10 |
11 | * [Solodit](https://solodit.xyz/) <- (Use this once you start doing competitive audits!)
12 |
13 | ### Static Analysis
14 |
15 | * [Aderyn](https://github.com/Cyfrin/aderyn)
16 | * [4naly3er](https://github.com/Picodes/4naly3er)
17 |
18 | ### Symbolic Execution / Formal Verification Tools
19 |
20 | * [Manticore](https://github.com/trailofbits/manticore)
21 | * [Mythril](https://github.com/ConsenSys/mythril)
22 | * [Halmos](https://a16zcrypto.com/posts/article/symbolic-testing-with-halmos-leveraging-existing-tests-for-formal-verification/)
23 | * [Solidity Compiler](https://docs.soliditylang.org/en/v0.8.20/smtchecker.html)
24 | * [hevm](https://github.com/ethereum/hevm)
25 | * [EthBMC](https://github.com/RUB-SysSec/EthBMC)
26 | * [KEVM](https://github.com/runtimeverification/evm-semantics)
27 | * [Certora](https://www.certora.com/)
28 |
--------------------------------------------------------------------------------
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)
.png)