Code4rena is a smart contract security marketplace, operating with a 25-person remote team providing competitive audits for security researchers to uncover vulnerabilities. ^[1][2]

Overview

Code4rena distinguishes itself from traditional audits and bug bounties by providing broader protocol coverage and guaranteed compensation. Notable DeFi and NFT industry leaders, such as zkSync, ENS, Chainlink, and Opensea, have engaged with Code4rena for securing their protocols and expediting market entry. Offering a 48-hour audit initiation, the platform has identified over 950 high-severity vulnerabilities across 280 audits, involving an average of 70 professional auditors per contest. ^[1][3]

In the Code4rena ecosystem, Wardens conduct audits to safeguard the DeFi space, while Sponsors establish prize pools to incentivize Wardens for auditing their projects. Judges play a crucial role in assessing the significance, validity, and quality of findings, as well as rating Warden performance. The unique C4 audits stand apart from both bug bounties and traditional audit approaches. ^[3]

Roles

Wardens

Role and Responsibilities

Wardens main role is to safeguard the decentralized finance (DeFi) ecosystem by conducting thorough code audits. These audits provide individuals with diverse skill sets the opportunity to be rewarded while showcasing their contributions to a more secure DeFi environment. ^[4]

Participation Process

Any individual can apply to become a Warden and participate in Code4rena's audits. After the application process, approved Wardens can join the community on Discord and express their interest in ongoing audits. The Code4rena website serves as a hub for accessing details about open and upcoming audits, including pot size, start and end dates, and relevant information. Wardens are encouraged to familiarize themselves with the Code4rena Code of Conduct before engaging in code audits. ^[5]

Team Registration

For users wishing to register a team, the process involves registering individual Warden handles first and then creating a team. The Code4rena website allows team leaders to manage members and update payment details. All team registrations undergo review by the Code4rena team. ^[6]

Audit Timeline

Most Code4rena audits typically run for 3-7 days, commencing and concluding at 20:00 UTC. ^[7]

Submission Policy

Wardens follow a clear submission policy, ensuring the responsible and ethical disclosure of vulnerabilities. Reports can be submitted before the audit stop time, adhering to specified formats and guidelines. High, Medium, and QA reports are submitted individually or collectively, and analyses provide a holistic review of the codebase. Code4rena enforces firm audit deadlines and does not accept late submissions. In case of accidental submissions to the wrong audit, Wardens can resubmit to the correct audit and follow specific steps for withdrawal. ^[8]

Questions and Community Interaction

Code4rena encourages questions and discussions in designated channels to ensure clarity and understanding. The community actively collaborates to address queries and welcomes suggestions for policy improvements. ^[9]

Intellectual Property and Authorization

Wardens grant a Creative Commons 0 1.0 license to background intellectual property included in their findings, ensuring transparency and collaboration. Code4rena authorizes and acknowledges the good-faith efforts of Wardens, providing support and refraining from legal action related to authorized research activities. ^[10]

Sponsors

Initiating Sponsorship

Sponsors engage in Code4rena by purchasing a competitive audit, which involves creating an award pool to motivate wardens in scrutinizing their project's code. Any project seeking a Code4rena audit can submit a sponsorship request, initiating the process for collaboration. ^[11]

Audit Scoping

Upon request submission, Code4rena's team assesses the project repository, reviews responses and contracts, and recommends an appropriate audit package. The scoping phase involves technical details, such as lines of code count and test coverage percentage, to accurately evaluate the audit's scope. ^[12]

Determining Award Pools

To attract skilled wardens in a competitive market, Code4rena establishes standard award pool sizes based on audit scope. The pot size is a critical factor in attracting warden talent, and sponsors have the flexibility to enhance the award pool, garnering increased attention. ^[11]

Allocation Pools

Code4rena allocates a portion of each audit's award pool to analyses (5%) and valid gas optimizations (2.5%). Analyses provide high-level advice and review, offering valuable insights beyond specific bug reports. The gas optimization pool aims to incentivize solutions that minimize gas fees for users. ^[11]

Organization Fee

A fee, separate from the audit pool, is applied to cover organizational costs for the Code4rena DAO. This fee contributes to the efforts associated with organizing, promoting, and reporting on audits. ^[11]

Audit Scheduling and Process

The standard one-week audits adhere to a fixed schedule, starting and ending on weekdays at 20:00:00 UTC. Sponsors must make a deposit to confirm scheduling. The audit repo, including code, documentation, and notes, should be set up at least 48 business hours before the audit begins for efficient and effective code review. ^[11]

During and After the Audit

Throughout the audit, sponsors must observe a code freeze to maintain a level playing field. Sponsors are encouraged to have team members available in the C4 Discord server to address warden questions privately. After the audit, sponsors review findings, assist in identifying duplicates, and engage in a mitigation review phase to address and resolve identified issues. ^[11]

Code4rena Mitigation Reviews

Mitigation reviews involve the sponsorship team working with top-performing wardens to address and validate mitigations for high and medium-risk issues identified during the audit. This phase includes a review and judging process similar to the initial audit contest. ^[11]

Preparing for a Code4rena Audit

To maximize the value of a Code4rena audit, sponsors are advised to prepare a self-contained repository with working commands, ensure an organized repository and README, share a video walkthrough if possible, and maintain an active presence in the C4 Discord for quick access to warden questions. ^[13]

Judges

Judges play a crucial role in the Code4rena competitive audit model, responsible for determining the severity, validity, and quality of findings submitted by wardens. This impartial assessment is fundamental to the overall success of the Code4rena platform. ^[14]

Selection and Impartiality

To ensure alignment with sponsors and maintain objectivity in severity assessments, Code4rena selects impartial judges for each audit. Judges review warden findings and sponsor input independently, enabling Code4rena to fairly categorize findings for audit reports. The community grants judges final authority in determining severity, and judges receive compensation based on a percentage of the audit pool. ^[14]

Becoming a Judge

Judges, an esteemed and essential role in Code4rena, undergo a careful selection process. Typically established members of the DeFi community, judges receive endorsements based on prior judging experience. Community judges, self-selected from within the C4 community, must meet specific criteria, including Code4rena audit participation, bug discoveries, and adherence to non-technical criteria like fairness and clear communication. ^[14]

Judge Selection Process

Judge applications undergo monthly review by the C4 judge selection committee, consisting of top leaderboard wardens and past judges. The committee evaluates applications, providing a "yes" or "not yet" decision. While wardens can transition to become judges, they must forfeit awards they would have received for findings in the same audit to ensure impartiality. ^[14]

Judging an Audit

The judging process ideally concludes within 48 hours after handoff. Judges receive technical documentation on judging tools, and the review involves considerations of sponsor feedback, codebase validation, and assessments of severity and validity. The judge's role extends to discussions with sponsors and finalizing a comprehensive report. ^[14]

Judges follow specific guidelines, reviewing technical documentation and past audits for reference. Any submissions not directly related to smart contract logic are considered QA. Judges weigh sponsor feedback, but decisions remain independent. Discussions with sponsors are encouraged for clarity, and judges must provide justifications for changes to severity assessments. ^[14]

Before handing off results, judges add comments to the top scoring QA report, noting disagreements with severity or invalid items. This information contributes to the final report, and judges communicate their readiness for post-judge QA and award distribution to Code4rena Contest Administrators. Open communication within the #judges Discord channel or DMs is encouraged throughout the judging process. ^[14]

Certified Contributors

Code4rena provides a platform for community members to contribute actively, with certified contributors enjoying enhanced opportunities through identity verification and agreements. This certification opens doors to various roles and responsibilities within the Code4rena ecosystem. ^[15]

Eligible Roles

Certified contributors can engage in private or invite-only contests, assume the Scout role for scoping and pre-contest code intelligence, participate in post-contest triage and post-judging QA, offer mitigation review services, and even provide solo audit and consulting services through Code4rena. Additional opportunities under consideration include specific token awards and potential future award considerations. ^[15]

Certification Process

The certification process, executed through a third party (Provenance), prioritizes privacy. Contributors submit an application, agree to Certified Contributor Terms and Conditions, undergo identity verification, and sign a code of conduct and non-disclosure agreement. Code4 Corporation receives certification confirmation without accessing personal information, ensuring contributor privacy. ^[16]

Constraints

Certified contributors are bound by a contractual agreement, and any violations may lead to remediation pursued by the Code4rena Cayman Foundation. Allegations involving exploits trigger Provenance to provide identifying information to authorities, emphasizing the importance of adhering to the certification terms. ^[17]

+Backstage Wardens

Outstanding certified contributors meeting specific performance criteria gain "+Backstage" access to Code4rena audits, providing immediate access to findings repos, contributing to post-audit triage, and participating in post-judging QA. Criteria include certification approval, participation in at least three Code4rena audits, specific severity findings, and adherence to the Certified Contributor Terms and Conditions. ^[18]

Requesting +Backstage Access

Certified contributors meeting eligibility criteria can submit a request for +Backstage access through the designated process. Code4rena staff will facilitate the setup upon approval. ^[19]

Professional Conduct Guidelines

Certified contributors must adhere to a code of professional conduct, ensuring an objective, collegial, and intellectually open approach to findings. Treating all community members with respect and maintaining confidentiality until audit reports are public are integral to sustaining the +Backstage role. ^[18]

Lookouts

Lookouts play a pivotal role in Code4rena, reviewing and organizing submissions to competitions, thereby lightening the project team's workload and preparing the repository for judging. To become a Lookout, individuals can be nominated by a Judge or Lookout in good standing or nominate themselves. The role requires a minimum of three Code4rena audits, proven findings, and a commitment to fairness and effective written communication. ^[20]

Application Process

Applicants complete a comprehensive form, sharing a short bio, relevant experience, and examples of submissions. Applications are reviewed monthly, and successful candidates are notified. ^[20]

Scouts

Code4rena Scouts specialize in scoping and pre-audit intelligence, assessing factors like library dependencies, external calls, timelocks, and lines of code. Their insights contribute to optimizing parameters for an audit. Scouts review proposed code and repo before audits commence, offering feedback on scoping accuracy and repo preparedness. During the audit, Scouts monitor public code repositories, ensuring compliance with guidelines. Compensation for Scouts includes a flat fee of $500 USDC per competition. ^[21]

Selection Process

Due to the sensitive nature of the role, Scouts are currently hand-picked by the Code4rena team, reflecting the importance of precision and reliability in their contributions. ^[21]

Awards

Incentive Model and Scoring System

Code4rena employs a distinctive scoring system designed to achieve dual objectives: rewarding contestants for discovering unique bugs and safeguarding audits against Sybil attacks. This system also encourages collaboration among contestants. ^[22]

Warden Incentives

Contestants receive shares for bugs based on severity, with shares calculated for Medium and High Risk bugs. The scoring system employs a pro rata distribution model, ensuring equitable rewards. Additionally, the best submission for inclusion in the audit report receives a 30% share bonus for each unique High or Medium finding. ^[22]

Handling Duplicates and Partial Credit

Issues identifying the same functional vulnerability are considered duplicates, and shares are shared accordingly. Submissions not effectively rationalizing the top severity case may receive "partial credit," with shares divided by 2 or 4 at the judge's discretion. ^[22]

Bot Races

The initial hour of each Code4rena audit features a bot race, prioritizing high-quality automated findings. The winning bot report, shared with all wardens, designates certain findings as out of scope for awards, streamlining efforts and focusing human auditors on unique challenges. ^[23]

Analyses, QA, and Gas Optimization Reports

Wardens are encouraged to submit Analyses alongside findings, competing for a portion of the award pool. QA and Gas Optimization reports, focusing on high and medium severity findings, are graded and awarded on a curve, ensuring a high standard of quality and value. The best report in each category (Analysis, QA report, and Gas report) receives a 30% share bonus. Notably, even a B-grade report selected for inclusion is treated as A-grade for proportional reward and bonus considerations. ^[22]

Curve Logic for QA and Gas Optimization Reports

Grading QA and Gas reports involves a three-tiered system (Grade A, B, or C) with corresponding portions of the award pool. In the case of tied scores, the total awards for the corresponding slots are split among the tied reports. ^[24]

Judging Criteria

Judges play a crucial role in the awarding process, evaluating severity, validity, duplicates, and report quality. The decisions undergo a 48-hour QA process to ensure fairness and quality. ^[25]

Satisfactory/Unsatisfactory Submissions

Submissions deemed unsatisfactory are ineligible for awards. The bar for satisfactory submissions is set at a level comparable to a draft report by a professional auditor, emphasizing technical substance and effective communication. ^[25]

Judging Criteria for Analyses

Analyses are graded A, B, or C, with A-grade reports receiving a score of 2. The best Analysis is selected for inclusion in the audit report, contributing to the evolving meta of C4's severity standards. ^[25]

Fairness and Validity

Code4rena emphasizes fairness, impartiality, and consistency, with participants expected to adhere to defined roles and principles. The system undergoes continuous evolution, addressing challenges and refining processes for the benefit of all stakeholders. ^[26]

Evolution of Rules

The continued evolution of rules is guided by a rubric that outlines the subjective threshold of validity. This rubric aims to establish a standard for the quality of submissions and provide clarity for contestants, promoting a fair and mutually agreed-upon baseline. Issues and suggestions related to rule improvements are openly discussed and documented for iterative enhancements. ^[25]